AUTHSELECT(8) AUTHSELECT(8)

authselect - select system identity and authentication sources.

authselect [--debug] [--trace] [--warn] command [command options]

Authselect is a tool to configure system identity and authentication
sources and providers by selecting a specific profile. A profile is a set
of files that describes what the resulting system configuration will
look like. When a profile is selected, authselect will create the
nsswitch.conf(5) and PAM(8) stack to use identity and authentication
sources defined by the profile.

If the provided profile set is not sufficient, the administrator may
create a custom profile by putting it in a special profile directory
(/etc/authselect/custom). By doing so, the profile is immediately
usable by authselect. See authselect-profiles(5) for more information
on extending existing profiles.

To list all available commands, run authselect without any parameters.
To print help for the selected command, run authselect COMMAND --help.

select profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]
    Activate the desired profile. See the profile description with the
    show command to list profile-specific optional features.

    --force, -f
        Write changes even if the previous configuration was not
        created by authselect but by another tool or by manual changes.
        This option will automatically back up system files before
        writing any change unless the --nobackup option is set.

    -b
        Back up system files before activating the selected profile. The
        backup will be stored at /var/lib/authselect/backups/NAME.
        The current time with a unique string is used as the name of the
        backup. This is a shortcut for --backup=.

    --backup=NAME
        Back up system files before activating the selected profile. The
        backup will be stored at /var/lib/authselect/backups/NAME.
        The current time with a unique string is used as the name if no
        value is provided.

    --nobackup
        Do not back up system configuration even if --force is set.

    --quiet, -q
        The command will not print any informational message such as
        additional profile requirements or backup location. Errors are
        still printed.

apply-changes [-b] [--backup=NAME]
    Re-apply the currently selected profile. If the profile templates were
    updated, this command can be used to regenerate the current system
    configuration in order to apply these changes on the system. This
    command will only re-apply the changes if the existing
    configuration is a valid authselect configuration, otherwise an
    error is returned.

    -b
        Back up system files before applying changes. The backup will be
        stored at /var/lib/authselect/backups/NAME. The current time with
        a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before applying changes. The backup will be
        stored at /var/lib/authselect/backups/NAME. The current time with
        a unique string is used as the name if no value is provided.

list
    List available profiles.

list-features profile_id
    List all features available in the given profile.

    Note: This will only list the features without any description.
    Please read the profile documentation with show to see what the
    features do.

show profile_id
    Print information about the profile.

requirements profile_id [features]
    Print information about profile requirements.

current [-r, --raw]
    Print information about currently selected profiles. If the --raw
    option is specified, the command will print raw parameters as they
    were passed to the select command instead of formatted output.

check
    Check if the current configuration is valid (it was either created
    by authselect or there are no leftovers from previous authselect
    configuration).

test profile_id [options] [features]
    Print content of files generated by authselect without actually
    writing anything to system configuration.

    -a, --all
        Print content of all files.

    -n, --nsswitch
        Print nsswitch.conf content.

    -s, --system-auth
        Print system-auth content.

    -p, --password-auth
        Print password-auth content.

    -c, --smartcard-auth
        Print smartcard-auth content.

    -f, --fingerprint-auth
        Print fingerprint-auth content.

    -o, --postlogin
        Print postlogin content.

    -d, --dconf-db
        Print dconf database content.

    -l, --dconf-lock
        Print dconf lock content.

enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
    Enable feature in the currently selected profile.

    -b
        Back up system files before enabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before enabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name if no value is provided.

    --quiet, -q
        The command will not print any informational message such as
        additional profile requirements or backup location. Errors are
        still printed.

disable-feature feature [-b] [--backup=NAME]
    Disable feature in the currently selected profile.

    -b
        Back up system files before disabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before disabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name if no value is provided.

create-profile NAME [--custom,-c|--vendor,-v] [options]
    Create a new custom profile named NAME. The profile can be based on
    an existing profile, in which case the new profile templates are
    either copied from the base profile or symbolic links to these
    files are created if such an option is selected.

    --vendor,-v
        The new profile is a vendor profile instead of a custom
        profile. See authselect-profiles(5) for more information on
        profile types.

    --base-on=BASE-ID, -b=BASE-ID
        The new profile will be based on a profile named BASE-ID. The
        base profile location is determined with these steps:

        1. If BASE-ID starts with prefix custom/ it is a custom
           profile.

        2. Try if BASE-ID is found in vendor profiles.

        3. Try if BASE-ID is found in default profiles.

        4. Return an error.

    --base-on-default
        The base profile is a default profile even if it is also found
        within vendor profiles.

    --symlink-meta
        Meta files, such as README and REQUIREMENTS, will be symbolic
        links to the origin profile files instead of their copy.

    --symlink-nsswitch
        The nsswitch.conf template will be a symbolic link to the origin
        profile file instead of its copy.

    --symlink-pam
        PAM templates will be symbolic links to the origin profile
        files instead of their copy.

    --symlink-dconf
        dconf templates will be symbolic links to the origin profile
        files instead of their copy.

    --symlink=FILE,-s=FILE
        Create a symbolic link for a template file FILE instead of
        creating its copy. This option can be passed multiple times.

These commands can be used to manage backed up configurations.

backup-list [-r, --raw]
    Print available backups. If --raw option is specified, the command
    will print only backup names without any formatting and additional
    information.

backup-remove BACKUP
    Permanently delete backup named BACKUP.

backup-restore BACKUP
    Restore configuration from backup named BACKUP. Note: this will
    overwrite current configuration.

These options are available with all commands.

--debug
    Print debugging information and error messages.

--trace
    Print information about what the tool is doing.

--warn
    Print information about unexpected situations that do not affect
    the program execution but may indicate some undesired situations
    (e.g. unexpected file in a profile directory).

Authselect generates /etc/nsswitch.conf and does not allow any user
changes to this file. Such changes are detected and authselect will
refuse to write any system configuration unless the --force option is
provided to the select command. This mechanism prevents authselect from
overwriting anything that does not match any available profile.

Any user changes to nsswitch maps must be done in the file
/etc/authselect/user-nsswitch.conf. When authselect generates a new
nsswitch.conf, it reads this file and combines it with the configuration
from the selected profile. The profile configuration always takes
precedence. In other words, profiles do not have to set all nsswitch
maps but can set only those that are relevant to the profile. If a map
is set within a profile, it always overwrites the same map from
user-nsswitch.conf.

Example 1.

    # "sssd" profile
    $ cat /usr/share/authselect/default/sssd/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    sudoers: files sss {include if "with-sudo"}

    $ cat /etc/authselect/user-nsswitch.conf
    passwd: files sss
    group: files sss
    hosts: files dns myhostname
    sudoers: files

    $ authselect select sssd

    # passwd and group maps from user-nsswitch.conf are ignored
    $ cat /etc/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    hosts: files dns myhostname
    sudoers: files

    $ authselect select sssd with-sudo

    # passwd, group and sudoers maps from user-nsswitch.conf are ignored
    $ cat /etc/nsswitch.conf
    passwd: sss files systemd
    group: sss files systemd
    netgroup: sss files
    automount: sss files
    services: sss files
    sudoers: files sss
    hosts: files dns myhostname

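The precedence rule and Example 1 above, modelled as an added Python example (not authselect's own code). It handles only the {include if "feature"} conditional shown on this page and reports user-nsswitch.conf maps that the selected profile replaces, which matters when an administrator expects a lookup order such as "sudoers: files" to be in effect. The names parse_maps and merge_nsswitch are hypothetical helpers.

```python
import re

# Only the conditional form shown in Example 1 is modelled: {include if "feature"}
COND = re.compile(r'\{include if "([^"]+)"\}\s*$')

def parse_maps(text, features=()):
    """Return {map: sources}, dropping lines whose feature is not enabled."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        cond = COND.search(line)
        if cond:
            if cond.group(1) not in features:
                continue
            line = line[:cond.start()]
        name, sources = line.split(":", 1)
        maps[name.strip()] = " ".join(sources.split())
    return maps

def merge_nsswitch(profile_text, user_text, features=()):
    """Assumed model of the documented rule: a map set by the profile wins."""
    profile = parse_maps(profile_text, features)
    user = parse_maps(user_text)
    merged = {**user, **profile}
    # User maps replaced by a different profile value: review these.
    shadowed = {m: (user[m], profile[m])
                for m in user if m in profile and user[m] != profile[m]}
    return merged, shadowed

# Sample input copied from Example 1 on this page.
PROFILE = """\
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss {include if "with-sudo"}
"""
USER = """\
passwd: files sss
group: files sss
hosts: files dns myhostname
sudoers: files
"""

if __name__ == "__main__":
    for feats in ((), ("with-sudo",)):
        merged, shadowed = merge_nsswitch(PROFILE, USER, feats)
        for m, (mine, theirs) in sorted(shadowed.items()):
            print(f"{feats or 'no features'}: {m}: '{mine}' -> '{theirs}'")
```

On a real system, authselect test -n prints the nsswitch.conf content authselect itself would generate, without writing anything.
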
authselect can return these exit codes:

· 0: Success.

· 1: Generic error.

· 2: Profile or configuration was not found or the system was not
  configured with authselect.

· 3: Current configuration is not valid, it was edited without
  authselect.

· 4: System configuration must be overwritten to activate an
  authselect profile, --force parameter is needed.

· 5: Executed command must be run as root.

Authselect creates and maintains the following files to configure
system identity and authentication providers properly.

/etc/nsswitch.conf
    Name Service Switch configuration file.

/etc/pam.d/system-auth
    PAM stack that is included from nearly all individual service
    configuration files.

/etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
    These PAM stacks are for applications which handle authentication
    from different types of devices via simultaneously running
    individual conversations instead of one aggregate conversation.

/etc/pam.d/postlogin
    The purpose of this PAM stack is to provide a common place for all
    PAM modules which should be called after the stack configured in
    system-auth or the other common PAM configuration files. It is
    included from all individual service configuration files that
    provide login service with shell or file access. NOTE: the modules
    in the postlogin configuration file are executed regardless of the
    success or failure of the modules in the system-auth configuration
    file.

/etc/dconf/db/distro.d/20-authselect
    Changes to the dconf database. The main use case of this file is to
    set changes for the GNOME login screen in order to enable or disable
    smartcard and fingerprint authentication.

/etc/dconf/db/distro.d/locks/20-authselect
    This file defines locks on values set in the dconf database.

authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
PAM(8)

2018-03-18 AUTHSELECT(8)