Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 2. Configuring user authentication using authselect

authselect is a utility that allows you to configure system identity and authentication sources by selecting a specific profile. Profile is a set of files that describes the configuration for Pluggable Authentication Modules (PAM) and Network Security Services (NSS). You can use the default profile set or create a custom profile.

2.1. What is authselect used for

You can use the authselect utility to configure user authentication on a Red Hat Enterprise Linux 9 host.

You can configure identity information and authentication sources and providers by selecting one of the ready-made profiles:

  • The default sssd profile enables the System Security Services Daemon (SSSD) for systems that use LDAP authentication.
  • The winbind profile enables the Winbind utility for systems directly integrated with Microsoft Active Directory.
  • The minimal profile serves only local users and groups directly from system files, which allows administrators to remove network authentication services that are no longer needed.

After selecting an authselect profile for a given host, the profile is applied to every user logging into the host.

Red Hat recommends using authselect in semi-centralized identity management environments, for example if your organization utilizes LDAP or Winbind databases to authenticate users to use services in your domain.

Warning

You do not need to use authselect if:

  • Your host is part of Red Hat Enterprise Linux Identity Management (IdM). Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
  • Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.

Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert back to them if necessary: 

$ authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard

2.1.1. Files and directories modified by authselect

authselect modifies only a limited set of configuration files, making it easier to manage and troubleshoot authentication settings.

/etc/nsswitch.conf

The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.

/etc/pam.d/* files

Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users.

The configuration files in the /etc/pam.d/ directory list the PAMs that will perform authentication tasks required by a service, and the appropriate behavior of the PAM-API in the event that individual PAMs fail.

Among other things, these files contain information about:

  • User password lockout conditions
  • The ability to authenticate with a smart card
  • The ability to authenticate with a fingerprint reader

/etc/dconf/db/distro.d/* files

This directory holds configuration profiles for the dconf utility, which you can use to manage settings for the GNOME Desktop Graphical User Interface (GUI).

2.1.2. Data providers in /etc/nsswitch.conf

The default sssd profile establishes SSSD as a source of information by creating sss entries in /etc/nsswitch.conf: 

passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
...

This means that the system first looks to SSSD if information concerning one of those items is requested:

  • passwd for user information
  • group for user group information
  • netgroup for NIS netgroup information
  • automount for NFS automount information
  • services for information regarding services

Only if the requested information is not found in the sssd cache and on the server providing authentication, or if sssd is not running, the system looks at the local files, that is /etc/*.

For example, if information is requested about a user ID, the user ID is first searched in the sssd cache. If it is not found there, the /etc/passwd file is consulted. Analogically, if a user’s group affiliation is requested, it is first searched in the sssd cache and only if not found there, the /etc/group file is consulted.

In practice, the local files database is not normally consulted. The most important exception is the case of the root user, which is never handled by sssd but by files.

2.2. Choosing an authselect profile

As a system administrator, you can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host.

Prerequisites

  • You need root credentials to run authselect commands

Procedure

  • Select the authselect profile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choose sssd. 

    # authselect select sssd

    • Optional: You can modify the default profile settings by adding the following options to the authselect select sssd or authselect select winbind command, for example:

      • with-faillock
      • with-smartcard
      • with-fingerprint

    To see the full list of available options, see Converting your scripts from authconfig to authselect or the authselect-migration(7) man page on your system.

Note

Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.

Verification

  1. Verify sss entries for SSSD are present in /etc/nsswitch.conf: 

    passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
...

  2. Review the contents of the /etc/pam.d/system-auth file for pam_sss.so entries: 

    # Generated by authselect on Tue Sep 11 22:59:06 2018
# Do not modify this file manually.

auth        required        pam_env.so
auth        required        pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]    pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]    pam_localuser.so
auth        sufficient      pam_unix.so nullok try_first_pass
auth        requisite       pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient      pam_sss.so forward_pass
auth        required        pam_deny.so

account     required        pam_unix.so
account     sufficient      pam_localuser.so
...

Additional Resources

2.3. Modifying a ready-made authselect profile

As a system administrator, you can modify one of the default profiles to suit your needs.

You can modify any of the items in the /etc/authselect/user-nsswitch.conf file with the exception of:

  • passwd
  • group
  • netgroup
  • automount
  • services

Running authselect select profile_name afterwards will result in transferring permissible changes from /etc/authselect/user-nsswitch.conf to the /etc/nsswitch.conf file. Unacceptable changes are overwritten by the default profile configuration.

Important

Do not modify the /etc/nsswitch.conf file directly.

Procedure

  1. Select an authselect profile, for example: 

    # authselect select sssd
  2. Edit the /etc/authselect/user-nsswitch.conf file with your desired changes.

  3. Apply the changes from the /etc/authselect/user-nsswitch.conf file: 

    # authselect apply-changes

Verification

  • Review the /etc/nsswitch.conf file to verify that the changes from /etc/authselect/user-nsswitch.conf have been propagated there.

Additional Resources

2.4. Creating and deploying your own authselect profile

As a system administrator, you can create and deploy a custom profile by making a customized copy of one of the default profiles.

This is particularly useful if Modifying a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.

Procedure

  1. To create your custom profile, run the authselect create-profile command. Replace <custom_profile> with the desired profile name. For example, to create a profile based on the ready-made sssd profile with the option to configure the items in the /etc/nsswitch.conf file yourself, use the following command: 

    # authselect create-profile <custom_profile> -b sssd --symlink-meta --symlink-pam
New profile was created at /etc/authselect/custom/<custom_profile>
    Warning

    If you are planning to modify /etc/authselect/custom/<custom_profile>/{password-auth,system-auth,fingerprint-auth,smartcard-auth,postlogin}, then enter the command above without the --symlink-pam option. This is to ensure that the modification persists during the upgrade of authselect-libs.

    Including the --symlink-pam option in the command means that PAM templates will be symbolic links to the origin profile files instead of their copy; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS will be symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.

    The command creates a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/<custom_profile>/ directory.

  2. Configure the /etc/authselect/custom/<custom_profile>/nsswitch.conf file.

  3. Select the custom profile by running the authselect select command with custom/<custom_profile> as a parameter: 

    # authselect select custom/<custom_profile>

    Selecting the <custom_profile> profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you will benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.

    Example 2.1. Creating a custom profile based on the sssd profile

    You can create a profile based on the sssd profile which only consults the local static table lookup for hostnames in the /etc/hosts file, not in the dns or myhostname databases.

    1. Edit the /etc/nsswitch.conf file by editing the following line: 

      hosts:      files

    2. Create a custom profile based on sssd that excludes changes to /etc/nsswitch.conf: 

      # authselect create-profile custom-sssd-profile -b sssd --symlink-meta --symlink-pam

    3. Select the profile: 

      # authselect select custom/custom-sssd-profile

    4. Optional: Check that selecting the custom profile has

      • created the /etc/pam.d/system-auth file according to the chosen sssd profile

      • left the configuration in the /etc/nsswitch.conf unchanged: 

        hosts:      files
        Note

        Running authselect select sssd would, in contrast, result in hosts: files dns myhostname

Additional Resources

2.5. Converting your scripts from authconfig to authselect

If you use ipa-client-install or realm join to join a domain, you can safely remove any authconfig call in your scripts. If this is not possible, replace each authconfig call with its equivalent authselect call. In doing that, select the correct profile and the appropriate options. In addition, edit the necessary configuration files:

  • /etc/krb5.conf
  • /etc/sssd/sssd.conf (for the sssd profile) or /etc/samba/smb.conf (for the winbind profile)

Relation of authconfig options to authselect profiles and Authselect profile option equivalents of authconfig options show the authselect equivalents of authconfig options.

Table 2.1. Relation of authconfig options to authselect profiles
Authconfig optionsAuthselect profile

--enableldap --enableldapauth

sssd

--enablesssd --enablesssdauth

sssd

--enablekrb5

sssd

--enablewinbind --enablewinbindauth

winbind

Table 2.2. Authselect profile option equivalents of authconfig options
Authconfig optionAuthselect profile feature

--enablesmartcard

with-smartcard

--enablefingerprint

with-fingerprint

--enableecryptfs

with-ecryptfs

--enablemkhomedir

with-mkhomedir

--enablefaillock

with-faillock

--enablepamaccess

with-pamaccess

--enablewinbindkrb5

with-krb5

Examples of authselect command equivalents to authconfig commands shows example transformations of Kickstart calls to authconfig into Kickstart calls to authselect.

Table 2.3. Examples of authselect command equivalents to authconfig commands
authconfig commandauthselect equivalent

authconfig --enableldap --enableldapauth --enablefaillock --updateall

authselect select sssd with-faillock

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall

authselect select sssd with-smartcard

authconfig --enableecryptfs --enablepamaccess --updateall

authselect select sssd with-ecryptfs with-pamaccess

authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall

realm join -U Administrator --client-software=winbind WINBINDDOMAIN

2.6. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.