AUTHSELECT-PROFILES(5)                                AUTHSELECT-PROFILES(5)

NAME
authselect-profiles - how to extend authselect profiles.

DESCRIPTION
This manual page explains how authselect profiles are organized and how
to create new profiles.

Profiles can be found in one of three directories.

"/usr/share/authselect/default"
Read-only directory containing profiles shipped together with
authselect.

"/usr/share/authselect/vendor"
Read-only directory for vendor-specific profiles that can override
the ones in the default directory.

"/etc/authselect/custom"
Place for administrator-defined profiles.

Each profile consists of one or more of these files, which provide a
mandatory profile description and describe the changes that are made to
the system.

README
Description of the profile. The first line must be the name of the
profile.

system-auth
PAM stack that is included from nearly all individual service
configuration files.

password-auth, smartcard-auth, fingerprint-auth
These PAM stacks are for applications which handle authentication
from different types of devices via simultaneously running
individual conversations instead of one aggregate conversation.

postlogin
The purpose of this PAM stack is to provide a common place for all
PAM modules which should be called after the stack configured in
system-auth or the other common PAM configuration files. It is
included from all individual service configuration files that
provide a login service with shell or file access. NOTE: the modules
in the postlogin configuration file are executed regardless of the
success or failure of the modules in the system-auth configuration
file.

nsswitch.conf, dconf-db
Changes to the dconf database. The main use case of this file is to
set changes for the GNOME login screen in order to enable or disable
smartcard and fingerprint authentication.

dconf-locks
This file defines locks on values set in the dconf database.

CONDITIONAL LINES
Each of these files serves as a template. A template is a plain text
file that may use several operators to provide optional profile
features.

{continue if "feature"}
Immediately stop processing of the file unless "feature" is defined
(the rest of the file content will be removed). If "feature" is
defined, the whole line with this operator will be removed and the
rest of the template will be processed.

{stop if "feature"}
Opposite of "continue if". Immediately stop processing of the file
if "feature" is defined (the rest of the file content will be
removed). If "feature" is not defined, the whole line with this
operator will be removed and the rest of the template will be
processed.

{include if "feature"}
Include the line where this operator is placed only if "feature" is
defined.

{exclude if "feature"}
Opposite of "include if". Include the line where this operator is
placed only if "feature" is not defined.

{imply "implied-feature" if "feature"}
Enable feature "implied-feature" if feature "feature" is enabled.
The whole line with this operator is removed, so it is not possible
to put anything else on the same line as this operator.

{if "feature":true|false}
If "feature" is defined, replace this operator with the string "true",
otherwise with the string "false".

{if "feature":true}
If "feature" is defined, replace this operator with the string "true",
otherwise with an empty string.

It is also possible to use a logical expression in a conditional line
instead of a single feature name. In this case the expression evaluates
to true or false and the conditional operator acts upon the result.

The expression syntax consists of feature names (e.g. "feature"), which
evaluate to true if the feature is defined and false if it is not, and
the logical operators and, or and not. The expression may also be
enclosed in parentheses and contain multiple subexpressions.

For example:

{if "feature1" or "feature2":true}
If "feature1" or "feature2" is defined, replace this operator with
the string "true", otherwise with an empty string.

{if not "feature":true|false}
If "feature" is not defined, replace this operator with the string
"true", otherwise with the string "false".

{if not "feature":true}
If "feature" is not defined, replace this operator with the string
"true", otherwise with an empty string.

{if "feature1" and ("feature2" or "feature3"):true}
If "feature1" is defined and at least one of "feature2" and "feature3"
is defined, replace this operator with the string "true", otherwise
with an empty string.

EXAMPLE
Here is an example of using the "if" operator. If the "with-sudo"
feature is enabled, it adds "sss" to the sudoers line.

passwd: sss files
group: sss files
netgroup: sss files
automount: sss files
services: sss files
sudoers: files {if "with-sudo":sss}

Here is an example of the "continue if" and "include if" operators. The
resulting file will be empty unless the "with-smartcard" feature is
enabled. If it is enabled and the "with-faillock" feature is also
enabled, support for pam_faillock is enabled as well.

{continue if "with-smartcard"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
...

Here is an example of "continue if" using a logical expression. The file
will be empty unless "with-smartcard" or "with-smartcard-required" is
set. This simplifies the authselect select command: it does not have to
include both features, only "with-smartcard-required" is necessary.

{continue if "with-smartcard" or "with-smartcard-required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
...

Here is an example of the "imply" operator. Enabling the feature
"with-smartcard-required" also enables "with-smartcard" to make sure
that all relevant PAM modules are used. This achieves the same behavior
as the previous example.

{imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
...
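
The template operators and the expression syntax from the CONDITIONAL LINES section, exercised on the examples above, as an added Python re-implementation that is not part of authselect or of this manual page. It assumes that feature names are always double-quoted and that {imply} lines are resolved before any other operator in the same file; render() returns the rendered text together with the feature set in effect after implications.

```python
import re
# Added example, not authselect's own code. Assumed: feature names are always double-quoted,
# and {imply} lines are resolved before any other operator in the same file.
TOKEN = re.compile(r'"([^"]*)"|(\(|\)|\band\b|\bor\b|\bnot\b)')
FLOW = re.compile(r'\{(continue|stop) if (.+?)\}')
GATE = re.compile(r'\{(include|exclude) if (.+?)\}')
IMPLY = re.compile(r'\{imply "([^"]+)" if (.+?)\}')
SUBST = re.compile(r'\{if (.+?):([^|}]*)(?:\|([^}]*))?\}')

def evaluate(expr, features):  # and/or/not over quoted feature names, recursive descent
    toks = [("f", f) if o == "" else ("o", o) for f, o in TOKEN.findall(expr)]

    def take(want):  # pop the next token if it is the operator `want`
        return toks and toks[0] == ("o", want) and toks.pop(0)
    def term():  # not TERM | ( EXPR ) | "feature"
        if take("not"):
            return not term()
        if take("("):
            value = expression()
            if take(")"):
                return value
        elif toks and toks[0][0] == "f":
            return toks.pop(0)[1] in features
        raise ValueError(f"bad expression: {expr!r}")
    def expression(level=0):  # level 0: or-chain, 1: and-chain, 2: single term
        if level == 2:
            return term()
        value = expression(level + 1)
        while take(("or", "and")[level]):
            rhs = expression(level + 1)  # parse the right side even when the result is known
            value = (value or rhs) if level == 0 else (value and rhs)
        return value
    value = expression()
    if toks:  # reject trailing garbage instead of silently ignoring it
        raise ValueError(f"unexpected token in {expr!r}")
    return value

def render(template, features):  # returns (rendered text, features after {imply})
    features = set(features) | {i for i, e in IMPLY.findall(template) if evaluate(e, features)}
    out = []
    for line in template.splitlines():
        if flow := FLOW.search(line):  # the whole line goes; it may also cut off the rest
            if evaluate(flow.group(2), features) == (flow.group(1) == "stop"):
                break
            continue
        if IMPLY.search(line) or any(evaluate(e, features) == (k == "exclude") for k, e in GATE.findall(line)):
            continue  # operator-only line, or a gated line whose condition failed
        line = SUBST.sub(lambda m: m.group(2) if evaluate(m.group(1), features) else m.group(3) or "", line)
        out.append(GATE.sub("", line).rstrip())
    return "\n".join(out), features
```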
199
To register a new profile with authselect, create a directory in one
of the authselect profile locations containing the files listed above.
Not all of the files must be present; only README is mandatory. Other
files can be created on an as-needed basis.

You may find the authselect create-profile command helpful when creating
a new profile. See the authselect(8) manual page or authselect
create-profile --help for more information.

SEE ALSO
authselect(8), nsswitch.conf(5), PAM(8)

2018-02-17                                            AUTHSELECT-PROFILES(5)