AUTHSELECT(8) AUTHSELECT(8)

authselect - select system identity and authentication sources.

authselect [--debug] [--trace] [--warn] command [command options]

Authselect is a tool to configure system identity and authentication
sources and providers by selecting a specific profile. A profile is a set
of files that describes what the resulting system configuration will
look like. When a profile is selected, authselect will create the
nsswitch.conf(5) and PAM(8) stack to use identity and authentication
sources defined by the profile.

If the provided profile set is not sufficient, the administrator may
create a custom profile by putting it in a special profile directory
(/etc/authselect/custom). By doing so, the profile is immediately
usable by authselect. See authselect-profiles(5) for more information
on extending existing profiles.

To list all available commands, run authselect without any parameters.
To print help for the selected command, run authselect COMMAND --help.

select profile_id [features] [-f, --force] [-q, --quiet]
    Activate the desired profile. Use the show command to see the
    profile description, which lists profile-specific optional features.

    --force, -f
        Write changes even if the previous configuration was not
        created by authselect but by another tool or by manual changes.
        This option will automatically back up system files before
        writing any change unless the --nobackup option is set.

    --backup=NAME
        Back up system files before activating the selected profile. The
        backup will be stored at @AUTHSELECT_BACKUP_DIR@/NAME. The current
        time is used as a name if no value is provided.

    --nobackup
        Do not back up system configuration even if --force is set.

    --quiet, -q
        The command will not print any informational message such as
        additional profile requirements or backup location. Errors are
        still printed.

apply-changes
    Re-apply the currently selected profile. If the profile templates
    were updated, this command can be used to regenerate the current
    system configuration in order to apply these changes on the system.
    This command will only re-apply the changes if the existing
    configuration is a valid authselect configuration, otherwise an
    error is returned.

list
    List available profiles.

show profile_id
    Print information about the profile.

requirements profile_id [features]
    Print information about profile requirements.

current [-r, --raw]
    Print information about currently selected profiles. If the --raw
    option is specified, the command will print raw parameters as they
    were passed to the select command instead of formatted output.

check
    Check if the current configuration is valid (it was either created
    by authselect or there are no leftovers from previous authselect
    configuration).

test profile_id [features]
    Print the content of files generated by authselect without actually
    writing anything to system configuration.

enable-feature feature
    Enable feature in the currently selected profile.

disable-feature feature
    Disable feature in the currently selected profile.

create-profile NAME [--custom,-c|--vendor,-v] [options]
    Create a new custom profile named NAME. The profile can be based on
    an existing profile, in which case the new profile templates are
    either copied from the base profile or symbolic links to these
    files are created if such an option is selected.

    --vendor,-v
        The new profile is a vendor profile instead of a custom
        profile. See authselect-profiles(5) for more information on
        profile types.

    --base-on=BASE-ID, -b=BASE-ID
        The new profile will be based on a profile named BASE-ID. The
        base profile location is determined with these steps:

        1. If BASE-ID starts with prefix custom/ it is a custom
           profile.

        2. Check whether BASE-ID is found in vendor profiles.

        3. Check whether BASE-ID is found in default profiles.

        4. Return an error.

    --base-on-default
        The base profile is a default profile even if it is also found
        within vendor profiles.

    --symlink-meta
        Meta files, such as README and REQUIREMENTS, will be symbolic
        links to the origin profile files instead of their copy.

    --symlink-nsswitch
        The nsswitch.conf template will be a symbolic link to the origin
        profile file instead of its copy.

    --symlink-pam
        PAM templates will be symbolic links to the origin profile
        files instead of their copy.

    --symlink-dconf
        dconf templates will be symbolic links to the origin profile
        files instead of their copy.

    --symlink=FILE,-s=FILE
        Create a symbolic link for a template file FILE instead of
        creating its copy. This option can be passed multiple times.

These options are available with all commands.

--debug
    Print debugging information and error messages.

--trace
    Print information about what the tool is doing.

--warn
    Print information about unexpected situations that do not affect
    the program execution but may indicate some undesired situations
    (e.g. unexpected file in a profile directory).

Authselect generates /etc/nsswitch.conf and does not allow any user
changes to this file. Such changes are detected and authselect will
refuse to write any system configuration unless a --force option is
provided to the select command. This mechanism prevents authselect from
overwriting anything that does not match any available profile.

Any user changes to nsswitch maps must be done in the file
/etc/authselect/user-nsswitch.conf. When authselect generates a new
nsswitch.conf, it reads this file and combines it with the configuration
from the selected profile. The profile configuration always takes
precedence. In other words, profiles do not have to set all nsswitch
maps but can set only those that are relevant to the profile. If a map
is set within a profile, it always overwrites the same map from
user-nsswitch.conf.

Example 1.

    # "sssd" profile
    $ cat /usr/share/authselect/default/sssd/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    sudoers: files sss {include if "with-sudo"}

    $ cat /etc/authselect/user-nsswitch.conf
    passwd: files sss
    group: files sss
    hosts: files dns myhostname
    sudoers: files

    $ authselect select sssd

    # passwd and group maps from user-nsswitch.conf are ignored
    $ cat /etc/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    hosts: files dns myhostname
    sudoers: files

    $ authselect select sssd with-sudo

    # passwd, group and sudoers maps from user-nsswitch.conf are ignored
    $ cat /etc/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    sudoers: files sss
    hosts: files dns myhostname


Authselect can return these exit codes:

· 0: Success.

· 1: Generic error.

· 2: Profile or configuration was not found.

· 3: Current configuration is not valid, it was edited without
  authselect.

· 4: System configuration must be overwritten to activate an
  authselect profile, --force parameter is needed.

Authselect creates and maintains the following files to configure
system identity and authentication providers properly.

/etc/nsswitch.conf
    Name Service Switch configuration file.

/etc/pam.d/system-auth
    PAM stack that is included from nearly all individual service
    configuration files.

/etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
    These PAM stacks are for applications which handle authentication
    from different types of devices via simultaneously running
    individual conversations instead of one aggregate conversation.

/etc/pam.d/postlogin
    The purpose of this PAM stack is to provide a common place for all
    PAM modules which should be called after the stack configured in
    system-auth or the other common PAM configuration files. It is
    included from all individual service configuration files that
    provide login service with shell or file access. NOTE: the modules
    in the postlogin configuration file are executed regardless of the
    success or failure of the modules in the system-auth configuration
    file.

/etc/dconf/db/distro.d/20-authselect
    Changes to the dconf database. The main use case of this file is to
    set changes for the GNOME login screen in order to enable or disable
    smartcard and fingerprint authentication.

/etc/dconf/db/distro.d/locks/20-authselect
    This file defines locks on values set in the dconf database.

authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
PAM(8)

2018-03-18 AUTHSELECT(8)