AUTHSELECT(8) AUTHSELECT(8)

NAME
authselect - select system identity and authentication sources.

SYNOPSIS
authselect [--debug] [--trace] [--warn] command [command options]

DESCRIPTION
Authselect is a tool to configure system identity and authentication
sources and providers by selecting a specific profile. A profile is a set
of files that describes what the resulting system configuration will
look like. When a profile is selected, authselect will create
nsswitch.conf(5) and the PAM(8) stack to use the identity and authentication
sources defined by the profile.

If the provided profile set is not sufficient, the administrator may
create a custom profile by putting it in a special profile directory
(/etc/authselect/custom). By doing so, the profile is immediately
usable by authselect. See authselect-profiles(5) for more information
on extending existing profiles.

Authselect will not touch your existing configuration unless it has
already been created by it. If you want to start using authselect to
configure your system authentication, please call authselect select
with the --force parameter first (e.g. authselect select sssd --force). The
--force parameter tells authselect that it is all right to overwrite
existing non-authselect configuration (see description below). Using
the --force parameter will automatically generate a backup of your
current configuration, so if you wish to go back you can restore it with
the authselect backup-restore command (see description below).
To list all available commands run authselect without any parameters.
To print help for the selected command run authselect COMMAND --help.

select profile_id [features] [-f, --force] [-q, --quiet] [-b]
[--backup=NAME]
Activate the desired profile. See the profile description with the show
command to list profile-specific optional features.

--force, -f
Write changes even if the previous configuration was not
created by authselect but by another tool or by manual changes.
This option will automatically back up system files before
writing any change unless the --nobackup option is set.

-b
Back up system files before activating the selected profile. The
backup will be stored at /var/lib/authselect/backups/NAME.
The current time with a unique string is used as the name of the
backup. This is a shortcut for --backup=.

--backup=NAME
Back up system files before activating the selected profile. The
backup will be stored at /var/lib/authselect/backups/NAME.
The current time with a unique string is used as the name if no value
is provided.

--nobackup
Do not back up the system configuration even if --force is set.

--quiet, -q
The command will not print any informational message such as
additional profile requirements or the backup location. Errors are
still printed.
apply-changes [-b] [--backup=NAME]
Re-apply the currently selected profile. If the profile templates were
updated, this command can be used to regenerate the current system
configuration in order to apply these changes on the system. This
command will only re-apply the changes if the existing
configuration is a valid authselect configuration; otherwise an
error is returned.

-b
Back up system files before applying changes. The backup will be
stored at /var/lib/authselect/backups/NAME. The current time with a
unique string is used as the name of the backup. This is a
shortcut for --backup=.

--backup=NAME
Back up system files before applying changes. The backup will be
stored at /var/lib/authselect/backups/NAME. The current time with a
unique string is used as the name if no value is provided.

list
List available profiles.

list-features profile_id
List all features available in the given profile.

Note: This will only list the features without any description.
Please read the profile documentation with show to see what the
features do.

show profile_id
Print information about the profile.

requirements profile_id [features]
Print information about profile requirements.

current [-r, --raw]
Print information about the currently selected profile. If the --raw
option is specified, the command will print the raw parameters as they
were passed to the select command instead of formatted output.

check
Check if the current configuration is valid (it was either created
by authselect or there are no leftovers from a previous authselect
configuration).

test profile_id [options] [features]
Print the content of files generated by authselect without actually
writing anything to the system configuration.

-a, --all
Print the content of all files.

-n, --nsswitch
Print nsswitch.conf content.

-s, --system-auth
Print system-auth content.

-p, --password-auth
Print password-auth content.

-c, --smartcard-auth
Print smartcard-auth content.

-f, --fingerprint-auth
Print fingerprint-auth content.

-o, --postlogin
Print postlogin content.

-d, --dconf-db
Print dconf database content.

-l, --dconf-lock
Print dconf lock content.
enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
Enable a feature in the currently selected profile.

-b
Back up system files before enabling the feature. The backup will be
stored at /var/lib/authselect/backups/NAME. The current time with a
unique string is used as the name of the backup. This is a
shortcut for --backup=.

--backup=NAME
Back up system files before enabling the feature. The backup will be
stored at /var/lib/authselect/backups/NAME. The current time with a
unique string is used as the name if no value is provided.

--quiet, -q
The command will not print any informational message such as
additional profile requirements or the backup location. Errors are
still printed.

disable-feature feature [-b] [--backup=NAME]
Disable a feature in the currently selected profile.

-b
Back up system files before disabling the feature. The backup will
be stored at /var/lib/authselect/backups/NAME. The current time
with a unique string is used as the name of the backup. This is a
shortcut for --backup=.

--backup=NAME
Back up system files before disabling the feature. The backup will
be stored at /var/lib/authselect/backups/NAME. The current time
with a unique string is used as the name if no value is provided.

create-profile NAME [--custom,-c|--vendor,-v] [options]
Create a new custom profile named NAME. The profile can be based on
an existing profile, in which case the new profile templates are
either copied from the base profile or, if such an option is selected,
created as symbolic links to the base profile's files.

--vendor,-v
The new profile is a vendor profile instead of a custom
profile. See authselect-profiles(5) for more information on
profile types.

--base-on=BASE-ID, -b=BASE-ID
The new profile will be based on a profile named BASE-ID. The
base profile location is determined with these steps:

1. If BASE-ID starts with the prefix custom/ it is a custom
profile.

2. Try whether BASE-ID is found in the vendor profiles.

3. Try whether BASE-ID is found in the default profiles.

4. Return an error.

--base-on-default
The base profile is a default profile even if it is also found
within the vendor profiles.

--symlink-meta
Meta files, such as README and REQUIREMENTS, will be symbolic
links to the origin profile files instead of copies of them.

--symlink-nsswitch
The nsswitch.conf template will be a symbolic link to the origin
profile file instead of a copy of it.

--symlink-pam
PAM templates will be symbolic links to the origin profile
files instead of copies of them.

--symlink-dconf
dconf templates will be symbolic links to the origin profile
files instead of copies of them.

--symlink=FILE,-s=FILE
Create a symbolic link for the template file FILE instead of
creating a copy of it. This option can be passed multiple times.
These commands can be used to manage backed-up configurations.

backup-list [-r, --raw]
Print available backups. If the --raw option is specified, the command
will print only backup names without any formatting or additional
information.

backup-remove BACKUP
Permanently delete the backup named BACKUP.

backup-restore BACKUP
Restore the configuration from the backup named BACKUP. Note: this will
overwrite the current configuration.

These options are available with all commands.

--debug
Print debugging information and error messages.

--trace
Print information about what the tool is doing.

--warn
Print information about unexpected situations that do not affect
the program execution but may indicate some undesired situation
(e.g. an unexpected file in a profile directory).
Authselect generates /etc/nsswitch.conf and does not allow any user
changes to this file. Such changes are detected and authselect will
refuse to write any system configuration unless the --force option is
provided to the select command. This mechanism prevents authselect from
overwriting anything that does not match any available profile.

Any user changes to nsswitch maps must be made in the file
/etc/authselect/user-nsswitch.conf. When authselect generates a new
nsswitch.conf it reads this file and combines it with the configuration
from the selected profile. The profile configuration always takes
precedence. In other words, profiles do not have to set all nsswitch
maps but can set only those that are relevant to the profile. If a map
is set within a profile, it always overwrites the same map from
user-nsswitch.conf.
Example 1.

# "sssd" profile
$ cat /usr/share/authselect/default/sssd/nsswitch.conf
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss {include if "with-sudo"}

$ cat /etc/authselect/user-nsswitch.conf
passwd: files sss
group: files sss
hosts: files dns myhostname
sudoers: files

$ authselect select sssd

# passwd and group maps from user-nsswitch.conf are ignored
$ cat /etc/nsswitch.conf
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
hosts: files dns myhostname
sudoers: files

$ authselect select sssd with-sudo

# passwd, group and sudoers maps from user-nsswitch.conf are ignored
$ cat /etc/nsswitch.conf
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss
hosts: files dns myhostname

How can I tell if my system is using authselect?
Use authselect check. The output will tell you if you have 1)
a configuration generated by authselect, 2) a non-authselect configuration,
or 3) a configuration that was generated by authselect but modified
manually at some point.

Is nsswitch.conf supposed to be a symbolic link now?
Authselect generates your system configuration from scratch and stores
it at /etc/authselect. System files are then created as symbolic links
to this directory. Symbolic links are used to make it clear that
authselect now owns your configuration and should be used instead
of any manual modification.

Error: Unexpected changes to the configuration were detected.
For example:

[error] [/etc/authselect/nsswitch.conf] does not exist!
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.

This means that your configuration is unknown to authselect and as such
it will not be modified. To fix this, please call authselect select
with the --force parameter to say that it is all right to overwrite it.
EXIT STATUS
Authselect can return these exit codes:

· 0: Success.

· 1: Generic error.

· 2: Profile or configuration was not found or the system was not
configured with authselect.

· 3: Current configuration is not valid; it was edited without
authselect.

· 4: System configuration must be overwritten to activate an
authselect profile; the --force parameter is needed.

· 5: Executed command must be run as root.
FILES
Authselect creates and maintains the following files to configure
system identity and authentication providers properly.

/etc/nsswitch.conf
Name Service Switch configuration file.

/etc/pam.d/system-auth
PAM stack that is included from nearly all individual service
configuration files.

/etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
These PAM stacks are for applications which handle authentication
from different types of devices via simultaneously running
individual conversations instead of one aggregate conversation.

/etc/pam.d/postlogin
The purpose of this PAM stack is to provide a common place for all
PAM modules which should be called after the stack configured in
system-auth or the other common PAM configuration files. It is
included from all individual service configuration files that
provide a login service with shell or file access. NOTE: the modules
in the postlogin configuration file are executed regardless of the
success or failure of the modules in the system-auth configuration
file.

/etc/dconf/db/distro.d/20-authselect
Changes to the dconf database. The main use case of this file is to
set changes for the GNOME login screen in order to enable or disable
smartcard and fingerprint authentication.

/etc/dconf/db/distro.d/locks/20-authselect
This file defines locks on values set in the dconf database.
SEE ALSO
authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
PAM(8)

2018-03-18 AUTHSELECT(8)