AUTHSELECT-PROFILES(5) AUTHSELECT-PROFILES(5)

authselect-profiles - how to extend authselect profiles.

This manual page explains how authselect profiles are organized and how
to create new profiles.

Profiles can be found in one of three directories.

/usr/share/authselect/default
    Read-only directory containing profiles shipped together with
    authselect.

/usr/share/authselect/vendor
    Read-only directory for vendor-specific profiles that can override
    the ones in the default directory.

/etc/authselect/custom
    Place for administrator-defined profiles.

Each profile consists of one or more of these files, which provide a
mandatory profile description and describe the changes that are made to
the system.

README
    Description of the profile. The first line must be the name of the
    profile.

system-auth
    PAM stack that is included from nearly all individual service
    configuration files.

password-auth, smartcard-auth, fingerprint-auth
    These PAM stacks are for applications which handle authentication
    from different types of devices via simultaneously running
    individual conversations instead of one aggregate conversation.

postlogin
    The purpose of this PAM stack is to provide a common place for all
    PAM modules which should be called after the stack configured in
    system-auth or the other common PAM configuration files. It is
    included from all individual service configuration files that
    provide login service with shell or file access. NOTE: the modules
    in the postlogin configuration file are executed regardless of the
    success or failure of the modules in the system-auth configuration
    file.

nsswitch.conf
    Name Service Switch configuration file. Only maps relevant to the
    profile must be set. Maps that are not specified by the profile are
    included from /etc/authselect/user-nsswitch.conf.

dconf-db
    Changes to the dconf database. The main use case of this file is to
    set changes for the GNOME login screen in order to enable or disable
    smartcard and fingerprint authentication.

dconf-locks
    This file defines locks on values set in the dconf database.

CONDITIONAL LINES
Each of these files serves as a template. A template is a plain text
file that may use several operators to provide optional profile
features.

{continue if "feature"}
    Immediately stop processing of the file unless "feature" is defined
    (the rest of the file content will be removed). If "feature" is
    defined, the whole line with this operator will be removed and the
    rest of the template will be processed.

{stop if "feature"}
    Opposite of "continue if". Immediately stop processing of the file
    if "feature" is defined (the rest of the file content will be
    removed). If "feature" is not defined, the whole line with this
    operator will be removed and the rest of the template will be
    processed.

{include if "feature"}
    Include the line where this operator is placed only if "feature" is
    defined.

{exclude if "feature"}
    Opposite of "include-if". Include the line where this operator is
    placed only if "feature" is not defined.

{imply "implied-feature" if "feature"}
    Enable feature "implied-feature" if feature "feature" is enabled.
    The whole line with this operator is removed, thus it is not
    possible to add anything else around this operator on the same
    line.

{if "feature":true|false}
    If "feature" is defined, replace this operator with string "true",
    otherwise with string "false".

{if "feature":true}
    If "feature" is defined, replace this operator with string "true",
    otherwise with an empty string.

It is also possible to use a logical expression in a conditional line
instead of specifying a single feature name. In this case the expression
will evaluate to true or false and the conditional operator will act
upon the result.

The expression syntax consists of feature names (e.g. "feature"), which
evaluate to true if the feature is defined and false if it is not, and
of the following logical operators: and, or and not. The expression may
also be enclosed in parentheses and contain multiple subexpressions.

For example:

{if "feature1" or "feature2":true}
    If "feature1" or "feature2" is defined, replace this operator with
    string "true", otherwise with an empty string.

{if not "feature":true|false}
    If "feature" is not defined, replace this operator with string
    "true", otherwise with string "false".

{if not "feature":true}
    If "feature" is not defined, replace this operator with string
    "true", otherwise with an empty string.

{if "feature1" and ("feature2" or "feature3"):true}
    If "feature1" is defined and one of "feature2" and "feature3" is
    defined, replace this operator with string "true", otherwise with an
    empty string.

EXAMPLE
Here is an example of using the "if" operator. If the "with-sudo" feature
is enabled, it will add "sss" to the sudoers line.

    passwd: sss files
    group: sss files
    netgroup: sss files
    automount: sss files
    services: sss files
    sudoers: files {if "with-sudo":sss}

Here is an example of the "continue-if" and "include-if" operators. The
resulting file will be empty unless the "with-smartcard" feature is
enabled. If it is enabled and the "with-faillock" feature is also
enabled, it will also enable support for pam_faillock.

    {continue if "with-smartcard"}
    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
    auth required pam_deny.so
    ...

Here is an example of "continue-if" using a logical expression. The file
will be empty unless "with-smartcard" or "with-smartcard-required" is
set. This simplifies the authselect select call, which no longer has to
name both features: "with-smartcard-required" alone is enough.

    {continue if "with-smartcard" or "with-smartcard-required"}
    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
    auth required pam_deny.so
    ...

Here is an example of the "imply-if" operator. Enabling feature
"with-smartcard-required" will also enable "with-smartcard" to make
sure that all relevant PAM modules are used. This achieves the same
behavior as the previous example.

    {imply "with-smartcard" if "with-smartcard-required"}
    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
    auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
    auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
    auth sufficient pam_unix.so {if not "without-nullok":nullok}
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so
    ...
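
The operators described above can be previewed offline before a profile is selected. The following is an added example, not authselect's own code: the names evaluate, render and SAMPLE are hypothetical, the operator precedence (not, then and, then or) and the file-wide effect of an imply line are assumptions, and SAMPLE is assembled from lines in this page's PAM examples.

```python
import re

LINE_OP = re.compile(r'\s*\{(continue|stop|include|exclude|imply "([^"]+)") if ([^{}]+)\}')
INLINE_IF = re.compile(r'\{if ([^{}:]+):([^{}|]*)(?:\|([^{}]*))?\}')

def evaluate(expr, features):
    # Assumed precedence (the page does not state one): not, then and, then or.
    toks = re.findall(r'"[^"]+"|\(|\)|and|or|not', expr)
    def atom():
        t = toks.pop(0)
        if t == "not":
            return not atom()
        if t == "(":
            value = chain("or")
            toks.pop(0)  # closing parenthesis
            return value
        return t.strip('"') in features
    def chain(op):
        operand = atom if op == "and" else (lambda: chain("and"))
        value = operand()
        while toks and toks[0] == op:
            toks.pop(0)  # operand() is called first so its tokens are always consumed
            value = (operand() and value) if op == "and" else (operand() or value)
        return value
    return chain("or")

def render(template, features):
    features, out = set(features), []
    ops = [(line, LINE_OP.search(line)) for line in template.splitlines()]
    for _, m in ops:  # assumption: an imply line takes effect for the whole file
        if m and m.group(2) and evaluate(m.group(3), features):
            features.add(m.group(2))
    for line, m in ops:
        op = m.group(1) if m else ""
        hit = bool(m) and evaluate(m.group(3), features)
        if op in ("continue", "stop") and hit != (op == "continue"):
            break  # the rest of the file is removed
        if m and (op not in ("include", "exclude") or hit != (op == "include")):
            continue  # operator-only line, or a line whose condition failed
        line = INLINE_IF.sub(lambda i: i.group(2) if evaluate(i.group(1), features)
                             else (i.group(3) or ""), LINE_OP.sub("", line))
        out.append(line.rstrip())
    return out

# Constructed sample assembled from lines in the page's PAM examples.
SAMPLE = '''{imply "with-smartcard" if "with-smartcard-required"}
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_deny.so'''
```

Comparing render(SAMPLE, []) with render(SAMPLE, ["with-faillock", "without-nullok"]) shows which feature set keeps the pam_faillock line and drops nullok from pam_unix.so, which is the check worth making on a custom profile before it is applied.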

To register a new profile within authselect, create a directory in one
of the authselect profile locations with the files listed above. Not
all of the files must be present; only README is mandatory. Other files
can be created as needed.

You may find the authselect create-profile command helpful when creating
a new profile. See the authselect(8) manual page or authselect
create-profile --help for more information.

authselect(8), nsswitch.conf(5), PAM(8)

2018-02-17 AUTHSELECT-PROFILES(5)