AUTHSELECT-PROFILES(5)                                  AUTHSELECT-PROFILES(5)

NAME

       authselect-profiles - how to extend authselect profiles.

DESCRIPTION

       This manual page explains how authselect profiles are organized and how
       to create new profiles.

PROFILE DIRECTORIES

       Profiles can be found in one of three directories.

       "/usr/share/authselect/default"
           Read-only directory containing profiles shipped together with
           authselect.

       "/usr/share/authselect/vendor"
           Read-only directory for vendor-specific profiles that can override
           the ones in the default directory.

       "/etc/authselect/custom"
           Place for administrator-defined profiles.

PROFILE FILES

       Each profile consists of one or more of these files, which provide a
       mandatory profile description and describe the changes that are made to
       the system.

       README
           Description of the profile. The first line must be the name of the
           profile.

       system-auth
           PAM stack that is included from nearly all individual service
           configuration files.

       password-auth, smartcard-auth, fingerprint-auth
           These PAM stacks are for applications which handle authentication
           from different types of devices via simultaneously running
           individual conversations instead of one aggregate conversation.

       postlogin
           The purpose of this PAM stack is to provide a common place for all
           PAM modules which should be called after the stack configured in
           system-auth or the other common PAM configuration files. It is
           included from all individual service configuration files that
           provide login service with shell or file access.  NOTE: the modules
           in the postlogin configuration file are executed regardless of the
           success or failure of the modules in the system-auth configuration
           file.

       nsswitch.conf
           Changes to nsswitch.conf.

       dconf-db
           Changes to the dconf database. The main use case of this file is to
           set changes for the GNOME login screen in order to enable or disable
           smartcard and fingerprint authentication.

       dconf-locks
           This file defines locks on values set in the dconf database.
   CONDITIONAL LINES
       Each of these files serves as a template. A template is a plain text
       file with optional usage of several operators that can be used to
       provide some optional profile features.

       {continue if "feature"}
           Immediately stop processing of the file unless "feature" is defined
           (the rest of the file content will be removed). If "feature" is
           defined, the whole line with this operator will be removed and the
           rest of the template will be processed.

       {stop if "feature"}
           Opposite of "continue if". Immediately stop processing of the file
           if "feature" is defined (the rest of the file content will be
           removed). If "feature" is not defined, the whole line with this
           operator will be removed and the rest of the template will be
           processed.

       {include if "feature"}
           Include the line where this operator is placed only if "feature" is
           defined.

       {exclude if "feature"}
           Opposite of "include if". Include the line where this operator is
           placed only if "feature" is not defined.

       {imply "implied-feature" if "feature"}
           Enable feature "implied-feature" if feature "feature" is enabled.
           The whole line with this operator is removed, thus it is not
           possible to add anything else around this operator on the same
           line.

       {if "feature":true|false}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if "feature":true}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with an empty string.

       It is also possible to use a logical expression in a conditional line
       instead of specifying a single feature name. In this case the
       expression will evaluate to true or false and the conditional operator
       will act upon the result.

       The expression syntax consists of feature names (e.g. "feature"), which
       evaluate to true if the feature is defined or false if it is not
       defined, and of the following logical operators: and, or and not. The
       expression may also be enclosed in parentheses and contain multiple
       subexpressions.

       For example:

       {if "feature1" or "feature2":true}
           If "feature1" or "feature2" is defined, replace this operator with
           the string "true", otherwise with an empty string.

       {if not "feature":true|false}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if not "feature":true}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with an empty string.

       {if "feature1" and ("feature2" or "feature3"):true}
           If "feature1" is defined, and one of "feature2" and "feature3" is
           defined, replace this operator with the string "true", otherwise
           with an empty string.

   EXAMPLE
       Here is an example of using the "if" operator. If the "with-sudo"
       feature is enabled, it will add "sss" to the sudoers line.

           passwd:     sss files
           group:      sss files
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files {if "with-sudo":sss}

       Here is an example of the "continue if" and "include if" operators. The
       resulting file will be empty unless the "with-smartcard" feature is
       enabled. If it is enabled and the "with-faillock" feature is also
       enabled, it will also enable support for pam_faillock.

           {continue if "with-smartcard"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of "continue if" using a logical expression. The file
       will be empty unless "with-smartcard" or "with-smartcard-required" is
       set. This simplifies the authselect select command call, which does not
       have to include both features; only "with-smartcard-required" is
       necessary.

           {continue if "with-smartcard" or "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of the "imply" operator. Enabling the feature
       "with-smartcard-required" will also enable "with-smartcard" to make
       sure that all relevant PAM modules are used. This achieves the same
       behavior as the previous example.

           {imply "with-smartcard" if "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
           auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail             {include if "with-smartcard-required"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                                 {exclude if "with-smartcard"}
           auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                                 {include if "with-smartcard"}
           auth        [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
           auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_deny.so
           ...

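       The following evaluator is an added example and not authselect's own
       code (authselect itself is written in C): it applies the template
       operators described in CONDITIONAL LINES and the examples above to a
       template text for a given feature set, so a profile author can check
       what a file renders to (and which implied features become active)
       before installing the profile. The names eval_expr and render are
       chosen here; it assumes one operator per line and that an {imply} line
       takes effect for the lines that follow it.

```python
import re
# Added example, not authselect's own code: a small evaluator for the template
# operators of authselect-profiles(5). Assumed simplifications: one operator
# per line, and an {imply} line takes effect for the lines that follow it.
OP_RE = re.compile(r'\{(continue if|stop if|include if|exclude if|imply|if) (.+)\}')
IF_RE = re.compile(r'((?:"[^"]*"|[^":])*):(.*)')   # condition ':' yes|no values

def eval_expr(text, features):
    """Evaluate e.g. '"a" and ("b" or not "c")'; precedence is not > and > or."""
    toks, pos = re.findall(r'"[^"]*"|\(|\)|\w+', text), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): t = peek(); pos[0] += 1; return t
    def atom():                              # not atom | ( expr ) | "feature"
        t = take()
        if t == "not": return not atom()
        if t == "(":
            v = or_()
            if take() != ")": raise ValueError("missing ')'")
            return v
        if t is None or not t.startswith('"'): raise ValueError(f"bad token {t!r}")
        return t.strip('"') in features      # a defined feature evaluates to true
    def chain(sub, word, combine):           # left-associative chain of one operator
        v = sub()
        while peek() == word: take(); v = combine(sub(), v)
        return v
    and_ = lambda: chain(atom, "and", lambda a, b: a and b)
    or_ = lambda: chain(and_, "or", lambda a, b: a or b)
    v = or_()
    if peek() is not None: raise ValueError("trailing input in expression")
    return v

def render(template, features):
    """Process a template line by line; return (output text, effective features)."""
    features, out = set(features), []
    for line in template.splitlines():
        m = OP_RE.search(line)
        if not m: out.append(line); continue
        op, arg = m.groups()
        if op == "imply":                    # {imply "x" if expr}: whole line dropped
            implied, cond = re.fullmatch(r'"([^"]*)" if (.+)', arg).groups()
            if eval_expr(cond, features): features.add(implied)
        elif op == "if":                     # {if expr:yes|no} -> "yes" or "no"
            cond, vals = IF_RE.fullmatch(arg).groups()
            yes, _, no = vals.partition("|")
            out.append((line[:m.start()] + (yes if eval_expr(cond, features) else no) + line[m.end():]).rstrip())
        else:
            hit = eval_expr(arg, features)
            if op in ("continue if", "stop if"):   # stop: rest of the file is removed
                if hit == (op == "stop if"): break
            elif hit == (op == "include if"):      # include if / exclude if
                out.append((line[:m.start()] + line[m.end():]).rstrip())
    return "\n".join(out) + ("\n" if out else ""), features
```

       A malformed expression (unbalanced parentheses, a bare word outside
       quotes, a dangling operator) raises ValueError instead of silently
       evaluating to false, so a typo in a feature condition is caught rather
       than turning a line on or off unintentionally.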

CREATING A NEW PROFILE

       To register a new profile within authselect, create a directory in one
       of the authselect profile locations with the files listed above. Not
       all of the files must be present; only README is mandatory. Other files
       can be created on an as-needed basis.

       You may find the authselect create-profile command helpful when creating
       a new profile. See the authselect(8) manual page or authselect
       create-profile --help for more information.

SEE ALSO

       authselect(8), nsswitch.conf(5), PAM(8)

                                 2018-02-17            AUTHSELECT-PROFILES(5)