1AUTHSELECT(8) AUTHSELECT(8)
2
6 authselect - select system identity and authentication sources.
7
9 authselect [--debug] [--trace] [--warn] command [command options]
10
12 Authselect is a tool to configure system identity and authentication
13 sources and providers by selecting a specific profile. Profile is a set
14 of files that describes how the resulting system configuration will
15 look like. When a profile is selected, authselect will create
16 nsswitch.conf(5) and PAM(8) stack to use identity and authentication
17 sources defined by the profile.
18 If the provided profile set is not sufficient, the administrator may
20 create a custom profile by putting it in a special profile directory
21 (/etc/authselect/custom). By doing so, the profile is immediately
22 usable by authselect. See authselect-profiles(5) for more information
23 on extending existing profiles.
24
26 Authselect will not touch your existing configuration unless it has
27 already been created by it. If you want to start using authselect to
28 configure your system authentication, please call authselect select
29 with --force parameter first (e.g. authselect select sssd --force). The
30 --force parameter tells authselect that it is all right to overwrite
31 existing non-authselect configuration (see description below). Using
32 the --force parameter will automatically generate a backup of your
33 current configuration so if you wish to go back you can restore it with
34 authselect backup-restore command (see description below).
35
37 To list all available commands run authselect without any parameters.
38 To print help for the selected command run authselect COMMAND --help.
39 select profile_id [features] [-f, --force] [-q, --quiet] [-b]
41 [--backup=NAME]
42 Activate desired profile. See profile description with show
43 command, to list profile specific optional features.
44 --force, -f
46 Write changes even if the previous configuration was not
47 created by authselect but by other tool or by manual changes.
48 This option will automatically backup system files before
49 writing any change unless --nobackup option is set.
50 -b
52 Backup system files before activating the selected profile. The
53 backup will be stored at /var/lib/authselect/backups/NAME.
54 Current time with unique string is used as a name of the
55 backup. This is a shortcut for --backup=.
56 --backup=NAME
58 Backup system files before activating the selected profile. The
59 backup will be stored at /var/lib/authselect/backups/NAME.
60 Current time with unique string is used as a name if no value
61 is provided.
62 --nobackup
64 Do not backup system configuration even if --force is set.
65 --quiet, -q
67 The command will not print any informational message such as
68 additional profile requirements or backup location. Errors are
69 still being print.
70 apply-changes [-b] [--backup=NAME]
72 Re-apply currently selected profile. If the profile templates were
73 updated this command can be used to regenerate current system
74 configuration in order to apply these changes on the system. This
75 command will only re-apply the changes if the existing
76 configuration is a valid authselect configuration, otherwise an
77 error is returned.
78 -b
80 Backup system files before applying changes. The backup will be
81 stored at /var/lib/authselect/backups/NAME. Current time with
82 unique string is used as a name of the backup. This is a
83 shortcut for --backup=.
84 --backup=NAME
86 Backup system files before applying changes. The backup will be
87 stored at /var/lib/authselect/backups/NAME. Current time with
88 unique string is used as a name if no value is provided.
89 list
91 List available profiles.
92 list-features profile_id
94 List all features available in given profile.
95 Note: This will only list the features without any description.
97 Please, read the profile documentation with show to see what the
98 features do.
99 show profile_id
101 Print information about the profile.
102 requirements profile_id [features]
104 Print information about profile requirements.
105 current [-r, --raw]
107 Print information about currently selected profiles. If --raw
108 option is specified, the command will print raw parameters as they
109 were passed to select command instead of formatted output.
110 check
112 Check if the current configuration is valid (it was either created
113 by authselect or there are no leftovers from previous authselect
114 configuration).
115 test profile_id [options] [features]
117 Print content of files generated by authselect without actually
118 writing anything to system configuration.
119 -a, --all
121 Print content of all files.
122 -n, --nsswitch
124 Print nsswitch.conf content.
125 -s, --system-auth
127 Print system-auth content.
128 -p, --password-auth
130 Print password-auth content.
131 -c, --smartcard-auth
133 Print smartcard-auth content.
134 -f, --fingerprint-auth
136 Print fingerprint-auth content.
137 -o, --postlogin
139 Print postlogin content.
140 -d, --dconf-db
142 Print dconf database content.
143 -l, --dconf-lock
145 Print dconf lock content.
146 enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
148 Enable feature in the currently selected profile.
149 -b
151 Backup system files before enabling feature. The backup will be
152 stored at /var/lib/authselect/backups/NAME. Current time with
153 unique string is used as a name of the backup. This is a
154 shortcut for --backup=.
155 --backup=NAME
157 Backup system files before enabling feature. The backup will be
158 stored at /var/lib/authselect/backups/NAME. Current time with
159 unique string is used as a name if no value is provided.
160 --quiet, -q
162 The command will not print any informational message such as
163 additional profile requirements or backup location. Errors are
164 still being print.
165 disable-feature feature [-b] [--backup=NAME]
167 Disable feature in the currently selected profile.
168 -b
170 Backup system files before disabling feature. The backup will
171 be stored at /var/lib/authselect/backups/NAME. Current time
172 with unique string is used as a name of the backup. This is a
173 shortcut for --backup=.
174 --backup=NAME
176 Backup system files before disabling feature. The backup will
177 be stored at /var/lib/authselect/backups/NAME. Current time
178 with unique string is used as a name if no value is provided.
179 create-profile NAME [--custom,-c|--vendor,-v] [options]
181 Create a new custom profile named NAME. The profile can be based on
182 an existing profile in which case the new profile templates are
183 either copied from the base profile or symbolic links to these
184 files are created if such option is selected.
185 --vendor,-v
187 The new profile is a vendor profile instead of a custom
188 profile. See authselect-profiles(5) for more information on
189 profile types.
190 --base-on=BASE-ID, -b=BASE-ID
192 The new profile will be based on a profile named BASE-ID. The
193 base profile location is determined with these steps:
194 1. If BASE-ID starts with prefix custom/ it is a custom
196 profile.
197 2. Try if BASE-ID is found in vendor profiles.
199 3. Try if BASE-ID is found in default profiles.
201 4. Return an error.
203 --base-on-default
205 The base profile is a default profile even if it is found also
206 within vendor profiles.
207 --symlink-meta
209 Meta files, such as README and REQUIREMENTS will be symbolic
210 links to the origin profile files instead of their copy.
211 --symlink-nsswitch
213 nsswitch.conf template will be symbolic link to the origin
214 profile file instead of its copy.
215 --symlink-pam
217 PAM templates will be symbolic links to the origin profile
218 files instead of their copy.
219 --symlink-dconf
221 dconf templates will be symbolic links to the origin profile
222 files instead of their copy.
223 --symlink=FILE,-s=FILE
225 Create a symbolic link for a template file FILE instead of
226 creating its copy. This option can be passed multiple times.
227
229 These commands can be used to manage backed up configurations.
230 backup-list [-r, --raw]
232 Print available backups. If --raw option is specified, the command
233 will print only backup names without any formatting and additional
234 information.
235 backup-remove BACKUP
237 Permanently delete backup named BACKUP.
238 backup-restore BACKUP
240 Restore configuration from backup named BACKUP. Note: this will
241 overwrite current configuration.
242
244 These options are available with all commands.
245 --debug
247 Print debugging information and error messages.
248 --trace
250 Print information about what the tool is doing.
251 --warn
253 Print information about unexpected situations that do not affect
254 the program execution but may indicate some undesired situations
255 (e.g. unexpected file in a profile directory).
256
258 Authselect generates /etc/nsswitch.conf and does not allow any user
259 changes to this file. Such changes are detected and authselect will
260 refuse to write any system configuration unless a --force option is
261 provided to the select command. This mechanism prevents authselect from
262 overwriting anything that does not match any available profile.
263 Any user changes to nsswitch maps must be done in file
265 /etc/authselect/user-nsswitch.conf. When authselect generates new
266 nsswitch.conf it reads this file and combines it with configuration
267 from selected profile. The profile configuration takes always
268 precedence. In other words, profiles do not have to set all nsswitch
269 maps but can set only those that are relevant to the profile. If a map
270 is set within a profile, it always overwrites the same map from
271 user-nsswitch.conf.
272 Example 1.
274 # "sssd" profile
276 $ cat /usr/share/authselect/default/sssd/nsswitch.conf
277 passwd: sss files systemd
278 group: sss files systemd
279 netgroup: sss files
280 automount: sss files
281 services: sss files
282 sudoers: files sss {include if "with-sudo"}
283 $ cat /etc/authselect/user-nsswitch.conf
285 passwd: files sss
286 group: files sss
287 hosts: files dns myhostname
288 sudoers: files
289 $ authselect select sssd
291 # passwd and group maps from user-nsswitch.conf are ignored
293 $ cat /etc/nsswitch.conf
294 passwd: sss files systemd
295 group: sss files systemd
296 netgroup: sss files
297 automount: sss files
298 services: sss files
299 hosts: files dns myhostname
300 sudoers: files
301 $ authselect select sssd with-sudo
303 # passwd, group and sudoers maps from user-nsswitch.conf are ignored
305 $ cat /etc/nsswitch.conf
306 passwd: sss files systemd
307 group: sss files systemd
308 netgroup: sss files
309 automount: sss files
310 services: sss files
311 sudoers: files sss
312 hosts: files dns myhostname
313
316 How can I tell if my system is using authselect?
317 Use authselect check. The output will tell you if you have 1)
318 configuration generated by authselect 2) non-authselect configuration
319 or 3) configuration that was generated by authselect but modified
320 manually at some point.
321 Is nsswitch.conf supposed to be a symbolic link now?
323 Authselect generates your system configuration from scratch and stores
324 it at /etc/authselect. System files are then created as symbolic links
325 to this directory. Symbolic links are used to make it clear that
326 authselect is now owning your configuration and should be used instead
327 of any manual modification.
328 Error: Unexpected changes to the configuration were detected.
330 For example:
331 [error] [/etc/authselect/nsswitch.conf] does not exist!
333 [error] [/etc/nsswitch.conf] is not a symbolic link!
334 [error] [/etc/nsswitch.conf] was not created by authselect!
335 [error] Unexpected changes to the configuration were detected.
336 [error] Refusing to activate profile unless those changes are removed or overwrite is requested.
337 This means that your configuration is unknown to authselect and as such
339 it will not be modified. To fix this, please call authselect select
340 with --force parameter to say that it is all right to overwrite it.
341
343 The authselect can return these exit codes:
344 · 0: Success.
346 · 1: Generic error.
348 · 2: Profile or configuration was not found or the system was not
350 configured with authselect.
351 · 3: Current configuration is not valid, it was edited without
353 authselect.
354 · 4: System configuration must be overwritten to activate an
356 authselect profile, --force parameter is needed.
357 · 5: Executed command must be run as root.
359
361 Authselect creates and maintains the following files to configure
362 system identity and authentication providers properly.
363 /etc/nsswitch.conf
365 Name Service Switch configuration file.
366 /etc/pam.d/system-auth
368 PAM stack that is included from nearly all individual service
369 configuration files.
370 /etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
372 These PAM stacks are for applications which handle authentication
373 from different types of devices via simultaneously running
374 individual conversations instead of one aggregate conversation.
375 /etc/pam.d/postlogin
377 The purpose of this PAM stack is to provide a common place for all
378 PAM modules which should be called after the stack configured in
379 system-auth or the other common PAM configuration files. It is
380 included from all individual service configuration files that
381 provide login service with shell or file access. NOTE: the modules
382 in the postlogin configuration file are executed regardless of the
383 success or failure of the modules in the system-auth configuration
384 file.
385 /etc/dconf/db/distro.d/20-authselect
387 Changes to dconf database. The main uses case of this file is to
388 set changes for gnome login screen in order to enable or disable
389 smartcard and fingerprint authentication.
390 /etc/dconf/db/distro.d/locks/20-authselect
392 This file define locks on values set in dconf database.
393
395 authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
396 PAM(8)
397 2018-03-18 AUTHSELECT(8)