AUTHSELECT-PROFILES(5)                                  AUTHSELECT-PROFILES(5)


NAME

       authselect-profiles - how to extend authselect profiles.


DESCRIPTION

       This manual page explains how authselect profiles are organized and how
       to create new profiles.


PROFILE DIRECTORIES

       Profiles can be found in one of three directories.

       /usr/share/authselect/default
           Read-only directory containing profiles shipped together with
           authselect.

       /usr/share/authselect/vendor
           Read-only directory for vendor-specific profiles that can override
           the ones in the default directory.

       /etc/authselect/custom
           Place for administrator-defined profiles.


PROFILE FILES

       Each profile consists of one or more of these files, which provide a
       mandatory profile description and describe the changes that are made to
       the system.

       README
           Description of the profile. The first line must be the name of the
           profile.

       system-auth
           PAM stack that is included from nearly all individual service
           configuration files.

       password-auth, smartcard-auth, fingerprint-auth
           These PAM stacks are for applications which handle authentication
           from different types of devices via simultaneously running
           individual conversations instead of one aggregate conversation.

       postlogin
           The purpose of this PAM stack is to provide a common place for all
           PAM modules which should be called after the stack configured in
           system-auth or the other common PAM configuration files. It is
           included from all individual service configuration files that
           provide login service with shell or file access.  NOTE: the modules
           in the postlogin configuration file are executed regardless of the
           success or failure of the modules in the system-auth configuration
           file.

       nsswitch.conf
           Name Service Switch configuration file. Only maps relevant to the
           profile must be set. Maps that are not specified by the profile are
           included from /etc/authselect/user-nsswitch.conf.

       dconf-db
           Changes to the dconf database. The main use case of this file is to
           set changes for the GNOME login screen in order to enable or disable
           smartcard and fingerprint authentication.

       dconf-locks
           This file defines locks on values set in the dconf database.

   CONDITIONAL LINES
       Each of these files serves as a template. A template is a plain text
       file that may use several operators to provide optional profile
       features.

       {continue if "feature"}
           Immediately stop processing of the file unless "feature" is defined
           (the rest of the file content will be removed). If "feature" is
           defined, the whole line with this operator will be removed and the
           rest of the template will be processed.

       {stop if "feature"}
           Opposite of "continue if". Immediately stop processing of the file
           if "feature" is defined (the rest of the file content will be
           removed). If "feature" is not defined, the whole line with this
           operator will be removed and the rest of the template will be
           processed.

       {include if "feature"}
           Include the line where this operator is placed only if "feature" is
           defined.

       {exclude if "feature"}
           Opposite of "include if". Include the line where this operator is
           placed only if "feature" is not defined.

       {imply "implied-feature" if "feature"}
           Enable feature "implied-feature" if feature "feature" is enabled.
           The whole line with this operator is removed, so it is not possible
           to put anything else on the same line as this operator.

       {if "feature":true|false}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if "feature":true}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with an empty string.

       It is also possible to use a logical expression in a conditional line
       instead of a single feature name. In this case the expression evaluates
       to true or false and the conditional operator acts upon the result.

       The expression syntax consists of feature names (e.g. "feature"), each
       of which evaluates to true if the feature is defined and false if it is
       not, combined with the logical operators and, or and not. The
       expression may also be enclosed in parentheses and contain multiple
       subexpressions.

       For example:

       {if "feature1" or "feature2":true}
           If "feature1" or "feature2" is defined, replace this operator with
           the string "true", otherwise with an empty string.

       {if not "feature":true|false}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if not "feature":true}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with an empty string.

       {if "feature1" and ("feature2" or "feature3"):true}
           If "feature1" is defined and at least one of "feature2" and
           "feature3" is defined, replace this operator with the string
           "true", otherwise with an empty string.

   EXAMPLE
       Here is an example of using the "if" operator. If the "with-sudo"
       feature is enabled, it adds "sss" to the sudoers line.

           passwd:     sss files
           group:      sss files
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files {if "with-sudo":sss}

       Here is an example of the "continue if" and "include if" operators. The
       resulting file will be empty unless the "with-smartcard" feature is
       enabled. If it is enabled and the "with-faillock" feature is also
       enabled, it will also enable support for pam_faillock.

           {continue if "with-smartcard"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok try_first_pass
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of "continue if" using a logical expression. The
       file will be empty unless "with-smartcard" or "with-smartcard-required"
       is set. This simplifies the authselect select command, which does not
       have to include both features; only "with-smartcard-required" is
       necessary.

           {continue if "with-smartcard" or "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok try_first_pass
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of the "imply" operator. Enabling feature
       "with-smartcard-required" will also enable "with-smartcard" to make
       sure that all relevant PAM modules are used. This achieves the same
       behavior as the previous example.

           {imply "with-smartcard" if "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
           auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
           auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
           auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
           auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_deny.so
           ...
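
       The operators and logical expressions described in CONDITIONAL LINES,
       implemented as a small Python template evaluator so the examples above
       can be rendered for a given feature set. This is an added example, not
       authselect's own code: the functions tokenize, evaluate and render, the
       regular expressions and the two sample templates are constructed here.
       It applies operators in file order, so an "imply" line only affects the
       lines after it; that ordering is this example's simplification, not a
       documented property of authselect.

```python
import re

# Added example, not authselect's own code. Operators are applied in file order, so an
# "imply" line only affects the lines after it (this example's simplification).
TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|(\()|(\))|\b(and|or|not)\b)')
OPERATOR_RE = re.compile(r'\{(continue if|stop if|include if|exclude if|imply|if)\s+(.*?)\}')
IMPLY_RE = re.compile(r'^\s*"([^"]*)"\s+if\s+(.*)$')
IF_RE = re.compile(r'^((?:"[^"]*"|[^":])*):(.*)$')   # split at the first ':' outside quotes

def tokenize(expr):
    """Split an expression into ('feature', name) and ('and'|'or'|'not'|'('|')', None) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse expression near {expr[pos:]!r}")
        pos, (name, lpar, rpar, word) = m.end(), m.groups()
        tokens.append(("feature", name) if name is not None else (lpar or rpar or word, None))
    return tokens

def evaluate(expr, features):
    """Evaluate a conditional expression; precedence is not > and > or, parentheses group."""
    tokens = tokenize(expr) + [("end", None)]        # sentinel keeps every lookahead in range

    def parse_or(i):
        value, i = parse_and(i)
        while tokens[i][0] == "or":
            rhs, i = parse_and(i + 1)
            value = value or rhs
        return value, i
    def parse_and(i):
        value, i = parse_not(i)
        while tokens[i][0] == "and":
            rhs, i = parse_not(i + 1)
            value = value and rhs
        return value, i
    def parse_not(i):
        kind, name = tokens[i]
        if kind == "not":
            value, i = parse_not(i + 1)
            return not value, i
        if kind == "feature":
            return name in features, i + 1
        if kind != "(":
            raise ValueError(f"unexpected {kind!r} in {expr!r}")
        value, i = parse_or(i + 1)
        if tokens[i][0] != ")":
            raise ValueError(f"expected ')' in {expr!r}")
        return value, i + 1

    result, i = parse_or(0)
    if tokens[i][0] != "end":
        raise ValueError(f"trailing input in {expr!r}")
    return result

def render(template, features):
    """Render one template for a set of feature names and return the resulting file text."""
    features, output = set(features), []
    for line in template.splitlines():
        pieces, last, drop_line, stop = [], 0, False, False
        for m in OPERATOR_RE.finditer(line):
            op, arg = m.groups()
            pieces.append(line[last:m.start()])
            last = m.end()
            if op == "if":                            # inline substitution; the line is kept
                cond, rest = IF_RE.match(arg).groups()
                true_text, _, false_text = rest.partition("|")
                pieces.append(true_text if evaluate(cond, features) else false_text)
            elif op == "include if":
                drop_line |= not evaluate(arg, features)
            elif op == "exclude if":
                drop_line |= evaluate(arg, features)
            else:                                     # continue if / stop if / imply remove the line
                drop_line = True
                if op == "continue if":
                    stop = not evaluate(arg, features)
                elif op == "stop if":
                    stop = evaluate(arg, features)
                else:
                    implied, cond = IMPLY_RE.match(arg).groups()
                    if evaluate(cond, features):
                        features.add(implied)
        if stop:
            break                                     # the rest of the file is dropped
        if not drop_line:                             # rstrip drops space left by a removed operator
            output.append("".join(pieces + [line[last:]]).rstrip())
    return "\n".join(output) + ("\n" if output else "")

# Constructed sample templates (not the page's own files) exercising every operator.
NSSWITCH_TEMPLATE = 'passwd:     sss files\nsudoers:    files {if "with-sudo":sss}\n'
SMARTCARD_TEMPLATE = """\
{imply "with-smartcard" if "with-smartcard-required"}
{continue if "with-smartcard"}
auth        required      pam_faillock.so preauth silent {include if "with-faillock"}
auth        [default=1 ignore=ignore success=ok]  pam_localuser.so {exclude if "with-smartcard"}
auth        [default=2 ignore=ignore success=ok]  pam_localuser.so {include if "with-smartcard"}
auth        sufficient    pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        required      pam_deny.so
"""
```

       render(SMARTCARD_TEMPLATE, {"with-smartcard-required"}) returns the
       default=2 pam_localuser.so line, pam_unix.so with nullok and
       pam_deny.so: the imply line adds "with-smartcard", so the continue if
       line lets processing go on and the exclude if line is dropped.
       render(SMARTCARD_TEMPLATE, set()) returns an empty string because the
       continue if line stops processing. Note that a removed inline operator
       leaves its surrounding spaces in place, which is why the rendered
       pam_unix.so line contains two spaces when "without-nullok" is set.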

CREATING A NEW PROFILE

       To register a new profile within authselect, create a directory in one
       of the authselect profile locations with the files listed above. Not
       all of the files must be present; only README is mandatory. Other files
       can be created on an as-needed basis.

       You may find the authselect create-profile command helpful when
       creating a new profile. See the authselect(8) manual page or authselect
       create-profile --help for more information.


SEE ALSO

       authselect(8), nsswitch.conf(5), PAM(8)



                                 2018-02-17            AUTHSELECT-PROFILES(5)