Chapter 2. Configuring user authentication using authselect
authselect is a utility that allows you to configure system identity and authentication sources by selecting a specific profile. A profile is a set of files that describes what the resulting Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) configuration will look like. You can choose one of the default profiles or create a custom profile.
2.1. What is authselect used for
You can use the authselect utility to configure user authentication on a Red Hat Enterprise Linux 8 host.
You can configure identity information and authentication sources and providers by selecting one of the ready-made profiles:
- The default sssd profile enables the System Security Services Daemon (SSSD) for systems that use LDAP authentication.
- The winbind profile enables the Winbind utility for systems directly integrated with Microsoft Active Directory.
- The nis profile ensures compatibility with legacy Network Information Service (NIS) systems.
- The minimal profile serves only local users and groups directly from system files, which allows administrators to remove network authentication services that are no longer needed.
After selecting an authselect profile for a given host, the profile is applied to every user logging into the host.
Red Hat recommends using authselect in semi-centralized identity management environments, for example if your organization uses LDAP, Winbind, or NIS databases to authenticate users to services in your domain.
You do not need to use authselect if:
- Your host is part of Red Hat Enterprise Linux Identity Management (IdM). Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
- Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert to them if necessary:
$ authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard
2.1.1. Files and directories authselect modifies
The authconfig utility, used in previous Red Hat Enterprise Linux versions, created and modified many different configuration files, making troubleshooting more difficult. Authselect simplifies testing and troubleshooting because it only modifies the following files and directories:
File or directory | Description |
---|---|
/etc/nsswitch.conf | The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name. |
/etc/pam.d/* | Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users. Among other things, the configuration files in the /etc/pam.d/ directory contain information about: |
 | This directory holds configuration profiles for the |
2.1.2. Data providers in /etc/nsswitch.conf
The default sssd profile establishes SSSD as a source of information by creating sss entries in /etc/nsswitch.conf:
passwd: sss files
group: sss files
netgroup: sss files
automount: sss files
services: sss files
...
This means that the system first looks to SSSD if information concerning one of those items is requested:
- passwd for user information
- group for user group information
- netgroup for NIS netgroup information
- automount for NFS automount information
- services for information regarding services
Only if the requested information is not found in the sssd cache and on the server providing authentication, or if sssd is not running, does the system look at the local files, that is /etc/*.
For example, if information is requested about a user ID, the user ID is first searched for in the sssd cache. If it is not found there, the /etc/passwd file is consulted. Similarly, if a user’s group affiliation is requested, it is first searched for in the sssd cache, and only if it is not found there is the /etc/group file consulted.
In practice, the local files database is not normally consulted. The most important exception is the case of the root user, which is never handled by sssd but by files.
2.2. Choosing an authselect profile
As a system administrator, you can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host.
Prerequisites
- You need root credentials to run authselect commands.
Procedure
1. Select the authselect profile that is appropriate for your authentication provider. For example, to log in to the network of a company that uses LDAP, choose sssd:
# authselect select sssd
2. Optional: You can modify the default profile settings by adding options to the authselect select sssd or authselect select winbind command, for example:
- with-faillock
- with-smartcard
- with-fingerprint
To see the full list of available options, see Converting your scripts from authconfig to authselect or the authselect-migration(7) man page.
3. Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.
Verification
1. Verify that sss entries for SSSD are present in /etc/nsswitch.conf:
passwd: sss files
group: sss files
netgroup: sss files
automount: sss files
services: sss files
...
2. Review the contents of the /etc/pam.d/system-auth file for pam_sss.so entries:
# Generated by authselect on Tue Sep 11 22:59:06 2018
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
...
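The two verification steps above, the sss order in /etc/nsswitch.conf and the pam_sss.so entries in /etc/pam.d/system-auth, can be scripted. The following is an added example, not code from the Red Hat documentation or from the authselect project. It runs against constructed sample files in a temporary directory, so the sample contents, the temporary paths and the function names nss_sources and check_sssd_profile are this example's own assumptions. It also applies the lookup-order rule from section 2.1.2: a database counts as correctly configured only when sss is listed before files, which is what makes SSSD the first source consulted.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: check that the
# "sssd" profile is in effect the way the Verification steps describe.
# Both input files are constructed samples written to a temporary
# directory; on a real host you would point the functions at
# /etc/nsswitch.conf and /etc/pam.d/system-auth instead.

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: /etc/nsswitch.conf after "authselect select sssd"
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
# Generated by authselect (constructed sample)
passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
hosts:      files dns myhostname
EOF

# Constructed sample: a host where sss was placed after files for two databases
cat > "$SAMPLE_DIR/nsswitch-wrong.conf" <<'EOF'
passwd:     files sss
group:      files sss
netgroup:   sss files
automount:  sss files
services:   sss files
EOF

# Constructed sample: the pam_sss.so auth line the documentation shows in system-auth
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
# Generated by authselect (constructed sample)
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
EOF

# nss_sources FILE DATABASE: print the ordered source list for one NSS database,
# for example "sss files". Comment lines never match because their first field
# starts with "#".
nss_sources() {
    awk -v db="$2:" '$1 == db {
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
        print ""
        exit
    }' "$1"
}

# check_sssd_profile NSSWITCH_FILE SYSTEM_AUTH_FILE: return 0 when every database
# the sssd profile manages consults sss first and system-auth loads pam_sss.so
# in the auth stack; otherwise report each problem on stdout and return 1.
check_sssd_profile() {
    csp_rc=0
    for csp_db in passwd group netgroup automount services; do
        csp_first=$(nss_sources "$1" "$csp_db" | awk '{ print $1 }')
        if [ "$csp_first" != "sss" ]; then
            echo "$csp_db: expected sss first, found '$(nss_sources "$1" "$csp_db")'"
            csp_rc=1
        fi
    done
    if ! grep -q '^auth[[:space:]].*pam_sss\.so' "$2"; then
        echo "$2: no auth entry for pam_sss.so"
        csp_rc=1
    fi
    return $csp_rc
}

# Stand-alone run: the good sample passes, the wrong one reports passwd and group.
if check_sssd_profile "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/system-auth"; then
    echo "sssd profile OK"
fi
if ! check_sssd_profile "$SAMPLE_DIR/nsswitch-wrong.conf" "$SAMPLE_DIR/system-auth"; then
    echo "sssd profile NOT in effect"
fi
```

On a real host, run the check as root with `check_sssd_profile /etc/nsswitch.conf /etc/pam.d/system-auth`; a non-zero return means the profile did not take effect the way the documentation describes, which is exactly the situation in which only local users can still authenticate through pam_unix.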
2.3. Modifying a ready-made authselect profile
As a system administrator, you can modify one of the default profiles to suit your needs.
You can modify any of the items in the /etc/authselect/user-nsswitch.conf file with the exception of:
- passwd
- group
- netgroup
- automount
- services
Running authselect select profile_name afterwards transfers the permissible changes from /etc/authselect/user-nsswitch.conf to the /etc/nsswitch.conf file. Unacceptable changes are overwritten by the default profile configuration.
Do not modify the /etc/nsswitch.conf file directly.
Procedure
1. Select an authselect profile, for example:
# authselect select sssd
2. Edit the /etc/authselect/user-nsswitch.conf file with your desired changes.
3. Apply the changes from the /etc/authselect/user-nsswitch.conf file:
# authselect apply-changes
Verification
- Review the /etc/nsswitch.conf file to verify that the changes from /etc/authselect/user-nsswitch.conf have been propagated there.
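The rule this section describes, permissible changes transferred from /etc/authselect/user-nsswitch.conf while the five protected databases are overwritten by the profile, can be illustrated with a small model. This is an added example and not authselect's own implementation of apply-changes; the merge_nsswitch and merged_entry functions, the temporary directory and both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not authselect's own code: a model of the rule the section
# describes for "authselect apply-changes". Lines for the five protected
# databases are taken from the profile; every other line in the user file is
# transferred as-is. Both inputs are constructed samples in a temporary directory.

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: the sssd profile's nsswitch.conf template
cat > "$SAMPLE_DIR/profile-nsswitch.conf" <<'EOF'
passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
hosts:      files dns myhostname
EOF

# Constructed sample: an administrator's /etc/authselect/user-nsswitch.conf with
# one permissible change (hosts) and one unacceptable change (passwd)
cat > "$SAMPLE_DIR/user-nsswitch.conf" <<'EOF'
# local overrides (constructed sample)
passwd:     files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
hosts:      files
EOF

# merge_nsswitch PROFILE_FILE USER_FILE: print the resulting nsswitch.conf content.
merge_nsswitch() {
    awk '
        # First file: remember the profile line for each database ("passwd:" -> line)
        FNR == NR { if ($1 ~ /:$/) profile[$1] = $0; next }
        # Second file: comments and blank lines pass through untouched
        /^[ \t]*(#|$)/ { print; next }
        # Protected databases: the user change is overwritten by the profile line
        $1 == "passwd:" || $1 == "group:" || $1 == "netgroup:" ||
        $1 == "automount:" || $1 == "services:" {
            if ($1 in profile) print profile[$1]; else print
            next
        }
        # Everything else is a permissible change and is transferred as-is
        { print }
    ' "$1" "$2"
}

# merged_entry PROFILE_FILE USER_FILE DATABASE: the merged line for one database,
# with whitespace normalised so results are easy to compare
merged_entry() {
    merge_nsswitch "$1" "$2" | awk -v db="$3:" '$1 == db { $1 = $1; print; exit }'
}

# Stand-alone run: passwd comes back as "sss files", hosts keeps the user's "files".
merge_nsswitch "$SAMPLE_DIR/profile-nsswitch.conf" "$SAMPLE_DIR/user-nsswitch.conf"
```

The model makes the security-relevant consequence visible: an attempt to move passwd lookups away from sss in user-nsswitch.conf is silently reverted to the profile's order, so the verification step of re-reading /etc/nsswitch.conf after apply-changes is the only way to see what was actually accepted.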
2.4. Creating and deploying your own authselect profile
As a system administrator, you can create and deploy a custom profile by making a customized copy of one of the default profiles.
This is particularly useful if modifying a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.
Procedure
1. Create your custom profile by using the authselect create-profile command. For example, to create a custom profile called user-profile based on the ready-made sssd profile, but one in which you can configure the items in the /etc/nsswitch.conf file yourself:
# authselect create-profile user-profile -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/user-profile
Warning: If you are planning to modify /etc/authselect/custom/user-profile/{password-auth,system-auth,fingerprint-auth,smartcard-auth,postlogin}, then enter the command above without the --symlink-pam option. This is to ensure that the modification persists during the upgrade of authselect-libs.
Including the --symlink-pam option in the command means that PAM templates will be symbolic links to the original profile files instead of copies; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS, will be symbolic links to the original profile files instead of copies. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.
The command creates a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/user-profile/ directory.
2. Configure the /etc/authselect/custom/user-profile/nsswitch.conf file.
3. Select the custom profile by running the authselect select command, adding custom/name_of_the_profile as a parameter. For example, to select the user-profile profile:
# authselect select custom/user-profile
Selecting the user-profile profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you will benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.
Example 2.1. Creating a profile
The following procedure shows how to create a profile based on the sssd profile which only consults the local static table lookup for hostnames in the /etc/hosts file, not in the dns or myhostname databases.
1. Edit the /etc/nsswitch.conf file by editing the following line:
hosts: files
2. Create a custom profile based on sssd that excludes changes to /etc/nsswitch.conf:
# authselect create-profile user-profile -b sssd --symlink-meta --symlink-pam
3. Select the profile:
# authselect select custom/user-profile
4. Optional: Check that selecting the custom profile has
- created the /etc/pam.d/system-auth file according to the chosen sssd profile
- left the configuration in /etc/nsswitch.conf unchanged:
hosts: files
Note: Running authselect select sssd would, in contrast, result in hosts: files dns myhostname
2.5. Converting your scripts from authconfig to authselect
If you use ipa-client-install or realm join to join a domain, you can safely remove any authconfig call in your scripts. If this is not possible, replace each authconfig call with its equivalent authselect call. In doing that, select the correct profile and the appropriate options. In addition, edit the necessary configuration files:
- /etc/krb5.conf
- /etc/sssd/sssd.conf (for the sssd profile) or /etc/samba/smb.conf (for the winbind profile)
Relation of authconfig options to authselect profiles and Authselect profile option equivalents of authconfig options show the authselect equivalents of authconfig options.
Relation of authconfig options to authselect profiles
Authconfig options | Authselect profile |
---|---|
Authselect profile option equivalents of authconfig options
Authconfig option | Authselect profile feature |
---|---|
Examples of authselect command equivalents to authconfig commands shows example transformations of Kickstart calls to authconfig into Kickstart calls to authselect.
Examples of authselect command equivalents to authconfig commands
authconfig command | authselect equivalent |
---|---|
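As an added example, not from the documentation and not part of the authconfig or authselect projects, the following shell function translates a handful of authconfig options into the corresponding authselect call, which is the kind of rewrite the section asks for when a script cannot simply drop its authconfig call. The mapping it contains is the example's own assumption for the options it lists: the sssd, winbind and nis profiles and the with-mkhomedir, with-faillock, with-smartcard and with-fingerprint features named on this page. Any other authconfig option is reported as unmapped for manual conversion rather than guessed. The authconfig_to_authselect and add_feature names are also this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or the authselect project:
# translate a subset of authconfig options into the equivalent authselect
# command. The option mapping is this example's own assumption for the options
# it lists; anything it does not recognise is reported as unmapped so that it
# can be converted by hand (for example into edits of sssd.conf or krb5.conf).

# add_feature LIST FEATURE: append FEATURE to the space-separated LIST unless it
# is already present, so repeated authconfig switches do not duplicate features
add_feature() {
    case " $1 " in
        *" $2 "*) echo "$1" ;;
        *)        echo "$1 $2" ;;
    esac
}

# authconfig_to_authselect AUTHCONFIG_OPTION...
# Prints the authselect command(s) on stdout. Returns 1 if any option was not mapped.
authconfig_to_authselect() {
    a2a_profile=""
    a2a_features=""
    a2a_unmapped=""
    for a2a_opt in "$@"; do
        case "$a2a_opt" in
            --enablesssd|--enablesssdauth)       a2a_profile="sssd" ;;
            --enablewinbind|--enablewinbindauth) a2a_profile="winbind" ;;
            --enablenis)                         a2a_profile="nis" ;;
            --enablemkhomedir)   a2a_features=$(add_feature "$a2a_features" with-mkhomedir) ;;
            --enablefaillock)    a2a_features=$(add_feature "$a2a_features" with-faillock) ;;
            --enablesmartcard)   a2a_features=$(add_feature "$a2a_features" with-smartcard) ;;
            --enablefingerprint) a2a_features=$(add_feature "$a2a_features" with-fingerprint) ;;
            # authconfig's apply switches: authselect writes the configuration on select
            --update|--updateall) ;;
            *) a2a_unmapped="$a2a_unmapped $a2a_opt" ;;
        esac
    done
    if [ -n "$a2a_profile" ]; then
        # a2a_features already carries a leading space when non-empty
        echo "authselect select $a2a_profile$a2a_features"
    else
        # No profile switch given: keep the current profile and toggle features only
        for a2a_f in $a2a_features; do
            echo "authselect enable-feature $a2a_f"
        done
    fi
    if [ -n "$a2a_unmapped" ]; then
        echo "# unmapped authconfig options (convert by hand):$a2a_unmapped"
        return 1
    fi
    return 0
}

# Stand-alone run: a typical Kickstart authconfig line and its authselect form
authconfig_to_authselect --enablesssd --enablesssdauth --enablemkhomedir --update
```

The function deliberately refuses to guess: an unmapped option such as a password hashing algorithm is printed as a comment and the call returns non-zero, so a script that pipes the result into a Kickstart file fails loudly instead of silently dropping an authentication setting.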