AUTHSELECT-PROFILES(5)                                  AUTHSELECT-PROFILES(5)

NAME
       authselect-profiles - how to extend authselect profiles.

DESCRIPTION
       This manual page explains how authselect profiles are organized and how
       to create new profiles.

PROFILE DIRECTORIES
       Profiles can be found in one of three directories.

       /usr/share/authselect/default
              Read-only directory containing profiles shipped together with
              authselect.

       /usr/share/authselect/vendor
              Read-only directory for vendor-specific profiles that can override
              the ones in the default directory.

       /etc/authselect/custom
              Place for administrator-defined profiles.

PROFILE FILES
       Each profile consists of one or more of these files, which provide a
       mandatory profile description and describe the changes that are made to
       the system.

       README
              Description of the profile. The first line must be the name of
              the profile.

       system-auth
              PAM stack that is included from nearly all individual service
              configuration files.

       password-auth, smartcard-auth, fingerprint-auth
              These PAM stacks are for applications which handle authentication
              from different types of devices via simultaneously running
              individual conversations instead of one aggregate conversation.

       postlogin
              The purpose of this PAM stack is to provide a common place for all
              PAM modules which should be called after the stack configured in
              system-auth or the other common PAM configuration files. It is
              included from all individual service configuration files that
              provide login service with shell or file access. NOTE: the modules
              in the postlogin configuration file are executed regardless of the
              success or failure of the modules in the system-auth configuration
              file.

       nsswitch.conf
              Name Service Switch configuration file. Only maps relevant to the
              profile must be set. Maps that are not specified by the profile
              are included from /etc/authselect/user-nsswitch.conf.

       dconf-db
              Changes to the dconf database. The main use case of this file is
              to set changes for the GNOME login screen in order to enable or
              disable smartcard and fingerprint authentication.

       dconf-locks
              This file defines locks on values set in the dconf database.

CONDITIONAL LINES
       Each of these files serves as a template. A template is a plain text
       file that may use several operators to provide optional profile
       features.

       {continue if "feature"}
              Immediately stop processing of the file unless "feature" is
              defined (the rest of the file content will be removed). If
              "feature" is defined, the whole line with this operator will be
              removed and the rest of the template will be processed.

       {stop if "feature"}
              Opposite of {continue if}. Immediately stop processing of the
              file if "feature" is defined (the rest of the file content will
              be removed). If "feature" is not defined, the whole line with
              this operator will be removed and the rest of the template will
              be processed.

       {include if "feature"}
              Include the line where this operator is placed only if "feature"
              is defined.

       {exclude if "feature"}
              Opposite of {include if}. Include the line where this operator is
              placed only if "feature" is not defined.

       {if "feature":true|false}
              If "feature" is defined, replace this operator with the string
              "true", otherwise with the string "false".

       {if "feature":true}
              If "feature" is defined, replace this operator with the string
              "true", otherwise with an empty string.

       {if not "feature":true|false}
              If "feature" is not defined, replace this operator with the
              string "true", otherwise with the string "false".

       {if not "feature":true}
              If "feature" is not defined, replace this operator with the
              string "true", otherwise with an empty string.

EXAMPLE
       Here is an example of using the {if} operator. If the "with-sudo"
       feature is enabled, it will add "sss" to the sudoers line.

           passwd: sss files
           group: sss files
           netgroup: sss files
           automount: sss files
           services: sss files
           sudoers: files {if "with-sudo":sss}

       Here is an example of the {continue if} and {include if} operators. The
       resulting file will be empty unless the "with-smartcard" feature is
       enabled. If it is enabled and the "with-faillock" feature is also
       enabled, it will also enable support for pam_faillock.

           {continue if "with-smartcard"}
           auth required pam_env.so
           auth required pam_faildelay.so delay=2000000
           auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
           auth [default=1 ignore=ignore success=ok] pam_localuser.so
           auth sufficient pam_unix.so nullok try_first_pass
           auth requisite pam_succeed_if.so uid >= 1000 quiet_success
           auth sufficient pam_sss.so forward_pass
           auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
           auth required pam_deny.so
           ...
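
       The operator semantics from CONDITIONAL LINES applied to the two
       templates above, as an added example written for this page and not
       authselect's own template engine. It assumes the operator syntax is
       exactly as documented and that a feature is "defined" when its name is
       in the supplied set; the sample templates are constructed from the
       examples on this page.

```python
import re

# Added example, not authselect's own code: a minimal reimplementation of the
# template operators documented in this manual page, applied line by line.
# Assumptions: the operator syntax is exactly as documented, a feature is
# "defined" when its name is in the `features` set, and no other operators exist.

LINE_OP = re.compile(r'\{(continue|stop|include|exclude) if "([^"]+)"\}')
VALUE_OP = re.compile(r'\{if (not )?"([^"]+)":([^|}]*)(?:\|([^}]*))?\}')


def render_template(text, features):
    """Render a profile template for the given set of enabled feature names."""

    def value(v):  # {if "f":a|b} and {if not "f":a|b} substitutions
        hit = (v.group(2) in features) != (v.group(1) is not None)
        return v.group(3) if hit else (v.group(4) or "")

    out = []
    for line in text.splitlines():
        m = LINE_OP.search(line)
        if m:
            op, defined = m.group(1), m.group(2) in features
            if op == "continue" and not defined:
                break                     # rest of the file is dropped
            if op == "stop" and defined:
                break
            if op in ("continue", "stop"):
                continue                  # the operator line itself is removed
            if (op == "include") != defined:
                continue                  # include: keep only if defined; exclude: only if not
            line = LINE_OP.sub("", line)  # keep the line, strip the operator
        out.append(VALUE_OP.sub(value, line).rstrip())
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample templates, shortened from the examples on this page.
NSSWITCH_TEMPLATE = 'passwd: sss files\nsudoers: files {if "with-sudo":sss}\n'
SMARTCARD_TEMPLATE = (
    '{continue if "with-smartcard"}\n'
    'auth required pam_env.so\n'
    'auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 '
    '{include if "with-faillock"}\n'
    'auth sufficient pam_sss.so forward_pass\n'
    'auth required pam_deny.so\n'
)

if __name__ == "__main__":
    print(render_template(NSSWITCH_TEMPLATE, {"with-sudo"}), end="")
    print(render_template(SMARTCARD_TEMPLATE, {"with-smartcard", "with-faillock"}), end="")
```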

CREATING A NEW PROFILE
       To register a new profile within authselect, create a directory in one
       of the authselect profile locations with the files listed above. Not
       all of the files must be present; only README is mandatory. Other files
       can be created on a per-need basis.

SEE ALSO
       authselect(8), nsswitch.conf(5), PAM(8)



                                  2018-02-17            AUTHSELECT-PROFILES(5)