Chapter 2. Configuring user authentication using authselect


You can use the authselect utility to configure system identity and authentication sources.

2.1. What is authselect used for

Authselect provides ready-made profiles that define the configuration for Pluggable Authentication Modules (PAM) and Name Service Switch (NSS). When you select a profile, authselect generates the appropriate nsswitch.conf and PAM stack to use the identity and authentication sources specified by that profile.

You can use the default profile set or create a custom profile. Note that you must manually update custom profiles to keep them up to date with your system.

Authselect profiles

local
Configures authentication to handle local users without SSSD by using traditional system files such as /etc/passwd and /etc/shadow. This is the default profile.
sssd
Enables SSSD for systems that use LDAP authentication. Use this profile to integrate remote identity providers and support features such as smart cards, GSSAPI, and session recording.
winbind
Enables the Winbind utility for systems directly integrated with Microsoft Active Directory.

After selecting an authselect profile for a given host, the profile applies to all users logging into the host.

Red Hat recommends using authselect to manage authentication settings in semi-centralized identity management environments, for example if your organization utilizes LDAP or Winbind databases to authenticate users to use services in your domain.

If the provided profile set is not sufficient, you can create a custom profile.

Warning

You do not need to use authselect if:

  • Your host is part of Red Hat Enterprise Linux Identity Management (IdM). Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
  • Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.

Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert to them if necessary:

$ authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard
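The following script is an added example and is not part of the Red Hat page or of authselect itself. It records the state shown by authselect current before you change anything: it parses that output into the exact authselect select command that restores the same profile and feature set, and it backs up the files authselect manages (/etc/nsswitch.conf and /etc/pam.d/*). The authselect current output used below is a constructed copy of the one printed above, and the test tree under ROOT is an assumption so the script runs without authselect installed; on a live host you pipe the real command output in and leave ROOT empty.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: snapshot the authselect state
# before changing it, so a bad change can be reverted.

# select_cmd_from_current: read "authselect current" output on stdin and
# print the command that restores it, e.g.
#   authselect select sssd with-sudo with-mkhomedir with-smartcard
# Exits 1 when the output has no "Profile ID:" line, which is what a host
# that never selected a profile (or opted out) reports.
select_cmd_from_current() {
    awk '
        /^Profile ID:/ { profile = $3 }
        /^- /          { features = features " " $2 }
        END {
            if (profile == "") exit 1
            print "authselect select " profile features
        }'
}

# backup_auth_config DEST: copy the files authselect manages under DEST,
# preserving modes and timestamps, and store the restoring command next to
# them. Reads "authselect current" output on stdin. ROOT is an assumption
# of this example: empty on a real host, a test tree here.
backup_auth_config() {
    dest="$1"
    mkdir -p "$dest/pam.d"
    cp -p "$ROOT/etc/nsswitch.conf" "$dest/nsswitch.conf"
    cp -p "$ROOT"/etc/pam.d/* "$dest/pam.d/"
    select_cmd_from_current > "$dest/restore.sh" \
        || echo "# no profile was selected" > "$dest/restore.sh"
}

# Constructed sample of "authselect current" output, as shown on this page.
CURRENT='Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard'

# Constructed test tree standing in for /etc on a live host.
WORK=$(mktemp -d)
mkdir -p "$WORK/etc/pam.d"
echo "passwd:     sss files" > "$WORK/etc/nsswitch.conf"
echo "auth        sufficient      pam_sss.so forward_pass" > "$WORK/etc/pam.d/system-auth"
ROOT="$WORK"

printf '%s\n' "$CURRENT" | backup_auth_config "$WORK/backup"
echo "restore with: $(cat "$WORK/backup/restore.sh")"
# On a live host, as root, with ROOT unset:
#   authselect current | backup_auth_config /root/authselect-backup
```

To revert, copy the saved files back into place and run the command stored in restore.sh; the command form is what authselect itself accepts, so the same profile and features are re-applied rather than hand-edited files being left unmanaged.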

authselect modifies only a limited set of configuration files, making it easier to manage and troubleshoot authentication settings.


/etc/nsswitch.conf

The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.

/etc/pam.d/* files

Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users.

The configuration files in the /etc/pam.d/ directory list the PAMs that will perform authentication tasks required by a service, and the appropriate behavior of the PAM-API in the event that individual PAMs fail.

Among other things, these files contain information about:

  • User password lockout rules
  • The ability to authenticate with a smart card
  • The ability to authenticate with a fingerprint reader

/etc/dconf/db/distro.d/* files

This directory holds configuration profiles for the dconf utility, which you can use to manage settings for the GNOME Desktop Graphical User Interface (GUI).

2.2. Choosing an authselect profile

As a system administrator, you can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host.

Prerequisites

  • You need root credentials to run authselect commands.
Note

Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.

Procedure

  • Select the authselect profile that is appropriate for your authentication provider. Replace <profile> with the profile name that you want to use:

    # authselect select <profile>
  • Optional: You can modify the default profile settings by enabling or disabling features that the selected profile provides.

    # authselect select <profile> <feature>

    For example to select the sssd profile and enable smart card authentication in addition to password authentication:

    # authselect select sssd with-smartcard

Verification

  1. Verify sss entries for SSSD are present in /etc/nsswitch.conf:

    passwd:     sss files
    group:      sss files
    netgroup:   sss files
    automount:  sss files
    services:   sss files
    ...
  2. Review the contents of the /etc/pam.d/system-auth file for pam_sss.so entries:

    # Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
    # You can stop authselect from managing your configuration by calling 'authselect opt-out'.
    # See authselect(8) for more details.
    
    auth        required        pam_env.so
    auth        required        pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]    pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]    pam_localuser.so
    auth        sufficient      pam_unix.so nullok try_first_pass
    auth        requisite       pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient      pam_sss.so forward_pass
    auth        required        pam_deny.so
    
    account     required        pam_unix.so
    account     sufficient      pam_localuser.so
    ...
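The script below is an added example, not code from the Red Hat page or from authselect; it turns the two verification steps above, plus the prerequisite note about SSSD being active, into checks you can run after authselect select sssd. The nsswitch.conf and system-auth contents it checks are constructed samples written to a temporary directory so it runs without authselect or SSSD installed; the NSSWITCH, SYSTEM_AUTH and CHECK_SERVICE variables are this example's own, and you set them to the real paths (and CHECK_SERVICE=1) to check a live host.

```shell
#!/bin/sh
# Added example, not part of the Red Hat page: scripts the "Verification"
# steps. Checks that every NSS database the sssd profile touches lists
# "sss" in nsswitch.conf and that the auth stack of system-auth references
# pam_sss.so. Set NSSWITCH and SYSTEM_AUTH to the real files on a host.

WORK=$(mktemp -d)
NSSWITCH="${NSSWITCH:-$WORK/nsswitch.conf}"
SYSTEM_AUTH="${SYSTEM_AUTH:-$WORK/system-auth}"

# Constructed sample of what "authselect select sssd" writes to /etc/nsswitch.conf.
cat > "$WORK/nsswitch.conf" <<'EOF'
# Generated by authselect
passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
hosts:      files dns myhostname
EOF

# Constructed sample: the auth section of /etc/pam.d/system-auth, abbreviated.
cat > "$WORK/system-auth" <<'EOF'
# Do not modify this file manually, use authselect instead.
auth        required        pam_env.so
auth        sufficient      pam_unix.so nullok try_first_pass
auth        sufficient      pam_sss.so forward_pass
auth        required        pam_deny.so
account     required        pam_unix.so
EOF

# nss_sources FILE DB: print the source list of one NSS database, for
# example "sss files" for the line "passwd:     sss files"; comments skipped.
nss_sources() {
    awk -v db="$2:" '$1 !~ /^#/ && $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_has_source FILE DB SOURCE: succeed if SOURCE is listed for DB.
nss_has_source() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "$3" ] && return 0
    done
    return 1
}

# pam_has_module FILE TYPE MODULE: succeed if an uncommented line of the
# given management group (auth, account, password, session) names MODULE.
pam_has_module() {
    awk -v type="$2" -v mod="$3" '
        $1 !~ /^#/ && $1 == type {
            for (i = 2; i <= NF; i++) if ($i == mod) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# sssd_is_active: the caveat from the prerequisites. If SSSD is not
# running, the generated stack still lets only local users in via pam_unix.
# Needs systemd, so it is only called when CHECK_SERVICE=1.
sssd_is_active() {
    systemctl is-active --quiet sssd
}

# check_sssd_profile: run every check and report; succeed only if all pass.
check_sssd_profile() {
    rc=0
    for db in passwd group netgroup automount services; do
        if nss_has_source "$NSSWITCH" "$db" sss; then
            echo "ok   nsswitch: $db -> $(nss_sources "$NSSWITCH" "$db")"
        else
            echo "FAIL nsswitch: $db does not list sss"; rc=1
        fi
    done
    if pam_has_module "$SYSTEM_AUTH" auth pam_sss.so; then
        echo "ok   system-auth: auth stack references pam_sss.so"
    else
        echo "FAIL system-auth: pam_sss.so missing from auth stack"; rc=1
    fi
    if [ "${CHECK_SERVICE:-0}" = 1 ]; then
        if sssd_is_active; then echo "ok   sssd.service is active"
        else echo "FAIL sssd.service is not active: only local users will authenticate"; rc=1
        fi
    fi
    return $rc
}

check_sssd_profile
```

The checks look only at uncommented lines and at the management group given, so a pam_sss.so that is present in the file but commented out, or present only in the account stack, is reported as a failure rather than passed over.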

2.3. Creating and deploying your own authselect profile

As a system administrator, you can create and deploy a custom profile by making a customized copy of one of the default profiles.

When you deploy a custom profile, the profile is applied to every user logging into the given host.

Procedure

  1. To create your custom profile, run the authselect create-profile command. Replace <custom_profile> with the desired profile name. For example, to create a profile based on the ready-made sssd profile with the option to configure the items in the /etc/nsswitch.conf file yourself, use the following command:

    # authselect create-profile <custom_profile> -b sssd --symlink-meta --symlink-pam
    New profile was created at /etc/authselect/custom/<custom_profile>
    Warning

    If you are planning to modify /etc/authselect/custom/<custom_profile>/{password-auth,system-auth,fingerprint-auth,smartcard-auth,postlogin}, then enter the command above without the --symlink-pam option. This is to ensure that the modification persists during the upgrade of authselect-libs.

    Including the --symlink-pam option in the command means that PAM templates are symbolic links to the origin profile files instead of their copy; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS are symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile are reflected in your custom profile, too.

    The command creates a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/<custom_profile>/ directory.

  2. Configure the /etc/authselect/custom/<custom_profile>/nsswitch.conf file.
  3. Select the custom profile by running the authselect select command with custom/<custom_profile> as a parameter:

    # authselect select custom/<custom_profile>

    Selecting the <custom_profile> profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.

    Example creating a custom profile based on the sssd profile:

    You can create a profile based on the sssd profile which only consults the local static table lookup for hostnames in the /etc/hosts file, not in the dns or myhostname databases.

    1. In the /etc/nsswitch.conf file, change the hosts line to:

      hosts:      files
    2. Create a custom profile based on sssd that excludes changes to /etc/nsswitch.conf:

      # authselect create-profile custom-sssd-profile -b sssd --symlink-meta --symlink-pam
    3. Select the profile:

      # authselect select custom/custom-sssd-profile
    4. Optional: Check that selecting the custom profile has

      • created the /etc/pam.d/system-auth file according to the chosen sssd profile
      • left the configuration in the /etc/nsswitch.conf unchanged:

        hosts:      files
        Note

        Running authselect select sssd would, in contrast, result in the line hosts: files dns myhostname.
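The script below is an added example, not code from the Red Hat page or from authselect. It shows two checks worth running on a custom profile directory before you select it: the hosts: files edit applied to the profile's own nsswitch.conf, and a test of whether the PAM templates are regular copies or symbolic links, which is the point of the --symlink-pam warning above (an edit to a symlinked template changes the base profile's file, which an authselect-libs upgrade overwrites). The profile tree is constructed in a temporary directory to mimic what create-profile -b sssd --symlink-meta --symlink-pam produces; the real paths are /etc/authselect/custom/<profile>/ and /usr/share/authselect/default/sssd/, and the detach_pam_templates helper is this example's own way of getting the same files that recreating the profile without --symlink-pam gives you.

```shell
#!/bin/sh
# Added example, not part of the Red Hat page: pre-select checks on a
# custom authselect profile directory. The tree is constructed here.

WORK=$(mktemp -d)
BASE="$WORK/default/sssd"                   # stands in for /usr/share/authselect/default/sssd
PROFILE="$WORK/custom/custom-sssd-profile"  # stands in for /etc/authselect/custom/custom-sssd-profile
PAM_TEMPLATES="system-auth password-auth fingerprint-auth smartcard-auth postlogin"
mkdir -p "$BASE" "$PROFILE"
# Mimic "create-profile -b sssd --symlink-meta --symlink-pam": templates and
# meta files are symlinks to the base profile, nsswitch.conf is a copy.
for f in $PAM_TEMPLATES README REQUIREMENTS; do
    echo "# $f from the sssd base profile" > "$BASE/$f"
    ln -s "$BASE/$f" "$PROFILE/$f"
done
printf 'passwd:     sss files\nhosts:      files dns myhostname\n' > "$BASE/nsswitch.conf"
cp "$BASE/nsswitch.conf" "$PROFILE/nsswitch.conf"

# nss_db FILE DB: print the sources configured for one NSS database.
nss_db() {
    awk -v db="$2:" '$1 !~ /^#/ && $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# set_nss_db FILE DB SOURCES: rewrite the DB line to SOURCES in place and
# keep every other line. This is the "hosts: files" edit from the example,
# applied to the copy inside the custom profile.
set_nss_db() {
    tmp=$(mktemp)
    awk -v db="$2:" -v src="$3" '
        $1 !~ /^#/ && $1 == db { printf "%-12s%s\n", db, src; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# pam_templates_are_copies PROFILE_DIR: succeed if every PAM template is a
# regular file you can edit; fail at the first symlink, because editing a
# symlinked template changes the base profile instead, and that change is
# lost when authselect-libs is upgraded.
pam_templates_are_copies() {
    for f in $PAM_TEMPLATES; do
        if [ -L "$1/$f" ]; then
            echo "$1/$f is a symlink to $(readlink "$1/$f")"
            return 1
        fi
    done
    return 0
}

# detach_pam_templates PROFILE_DIR: replace symlinked templates with copies
# of their targets (cp -L follows the link); the files then match what
# create-profile produces without --symlink-pam. Meta files are left alone.
detach_pam_templates() {
    for f in $PAM_TEMPLATES; do
        if [ -L "$1/$f" ]; then
            cp -pL "$1/$f" "$1/$f.copy" && mv "$1/$f.copy" "$1/$f"
        fi
    done
}

set_nss_db "$PROFILE/nsswitch.conf" hosts files
echo "hosts: $(nss_db "$PROFILE/nsswitch.conf" hosts)"
if pam_templates_are_copies "$PROFILE"; then
    echo "PAM templates are copies: safe to edit in place"
else
    echo "PAM templates are symlinks: detach them (or recreate without --symlink-pam) before editing"
fi
```

Run the symlink check whenever you are about to edit system-auth or password-auth in a custom profile; a profile created with --symlink-pam passes the nsswitch.conf part of this script but fails the template part, which is exactly the case the warning describes.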

2.4. Opting out of using authselect

You cannot uninstall authselect from a RHEL system. However, if you want authselect to stop managing your configuration, you can opt out. When you opt out, the system removes all authselect configuration. This leaves the nsswitch and PAM configuration files in their default system locations, and authselect no longer manages them.

Important

Authselect ensures consistent and supported management of system authentication and identity configuration. Opting out might lead to unsupported or inconsistent configurations, which can cause authentication issues. If you require a special configuration, consider creating a custom profile within the authselect framework.

Procedure

  • To stop authselect from managing your system’s configuration:

    # authselect opt-out

    To start using authselect again, run authselect select <profile_name>.
