AUTHSELECT(8)                                                    AUTHSELECT(8)

NAME

       authselect - select system identity and authentication sources.

SYNOPSIS

       authselect [--debug] [--trace] [--warn] command [command options]

DESCRIPTION

       Authselect is a tool to configure system identity and authentication
       sources and providers by selecting a specific profile. A profile is a
       set of files that describes what the resulting system configuration
       will look like. When a profile is selected, authselect will create the
       nsswitch.conf(5) and PAM(8) stack to use identity and authentication
       sources defined by the profile.

       If the provided profile set is not sufficient, the administrator may
       create a custom profile by putting it in a special profile directory
       (/etc/authselect/custom). By doing so, the profile is immediately
       usable by authselect. See authselect-profiles(5) for more information
       on extending existing profiles.

OPT-IN TO AUTHSELECT

       Authselect will not touch your existing configuration unless it has
       already been created by it. If you want to start using authselect to
       configure your system authentication, please call authselect select
       with the --force parameter first (e.g. authselect select sssd --force).
       The --force parameter tells authselect that it is all right to
       overwrite existing non-authselect configuration (see description
       below). Using the --force parameter will automatically generate a
       backup of your current configuration, so if you wish to go back you can
       restore it with the authselect backup-restore command (see description
       below).

AVAILABLE COMMANDS

       To list all available commands run authselect without any parameters.
       To print help for the selected command run authselect COMMAND --help.

       select profile_id [features] [-f, --force] [-q, --quiet] [-b]
       [--backup=NAME]
           Activate the desired profile. See the profile description with the
           show command to list profile-specific optional features.

           --force, -f
               Write changes even if the previous configuration was not
               created by authselect but by another tool or by manual changes.
               This option will automatically back up system files before
               writing any change unless the --nobackup option is set.

           -b
               Back up system files before activating the selected profile.
               The backup will be stored at /var/lib/authselect/backups/NAME.
               The current time with a unique string is used as the name of
               the backup. This is a shortcut for --backup=.

           --backup=NAME
               Back up system files before activating the selected profile.
               The backup will be stored at /var/lib/authselect/backups/NAME.
               The current time with a unique string is used as the name if no
               value is provided.

           --nobackup
               Do not back up the system configuration even if --force is set.

           --quiet, -q
               The command will not print any informational message such as
               additional profile requirements or backup location. Errors are
               still printed.

       apply-changes [-b] [--backup=NAME]
           Re-apply the currently selected profile. If the profile templates
           were updated, this command can be used to regenerate the current
           system configuration in order to apply these changes on the system.
           This command will only re-apply the changes if the existing
           configuration is a valid authselect configuration, otherwise an
           error is returned.

           -b
               Back up system files before applying changes. The backup will
               be stored at /var/lib/authselect/backups/NAME. The current time
               with a unique string is used as the name of the backup. This is
               a shortcut for --backup=.

           --backup=NAME
               Back up system files before applying changes. The backup will
               be stored at /var/lib/authselect/backups/NAME. The current time
               with a unique string is used as the name if no value is
               provided.

       list
           List available profiles.

       list-features profile_id
           List all features available in the given profile.

           Note: This will only list the features without any description.
           Please read the profile documentation with show to see what the
           features do.

       show profile_id
           Print information about the profile.

       requirements profile_id [features]
           Print information about profile requirements.

       current [-r, --raw]
           Print information about currently selected profiles. If the --raw
           option is specified, the command will print raw parameters as they
           were passed to the select command instead of formatted output.

       check
           Check if the current configuration is valid (it was either created
           by authselect or there are no leftovers from previous authselect
           configuration).

       test profile_id [options] [features]
           Print the content of files generated by authselect without actually
           writing anything to system configuration.

           -a, --all
               Print content of all files.

           -n, --nsswitch
               Print nsswitch.conf content.

           -s, --system-auth
               Print system-auth content.

           -p, --password-auth
               Print password-auth content.

           -c, --smartcard-auth
               Print smartcard-auth content.

           -f, --fingerprint-auth
               Print fingerprint-auth content.

           -o, --postlogin
               Print postlogin content.

           -d, --dconf-db
               Print dconf database content.

           -l, --dconf-lock
               Print dconf lock content.

       enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
           Enable feature in the currently selected profile.

           -b
               Back up system files before enabling the feature. The backup
               will be stored at /var/lib/authselect/backups/NAME. The current
               time with a unique string is used as the name of the backup.
               This is a shortcut for --backup=.

           --backup=NAME
               Back up system files before enabling the feature. The backup
               will be stored at /var/lib/authselect/backups/NAME. The current
               time with a unique string is used as the name if no value is
               provided.

           --quiet, -q
               The command will not print any informational message such as
               additional profile requirements or backup location. Errors are
               still printed.

       disable-feature feature [-b] [--backup=NAME]
           Disable feature in the currently selected profile.

           -b
               Back up system files before disabling the feature. The backup
               will be stored at /var/lib/authselect/backups/NAME. The current
               time with a unique string is used as the name of the backup.
               This is a shortcut for --backup=.

           --backup=NAME
               Back up system files before disabling the feature. The backup
               will be stored at /var/lib/authselect/backups/NAME. The current
               time with a unique string is used as the name if no value is
               provided.

       create-profile NAME [--custom,-c|--vendor,-v] [options]
           Create a new custom profile named NAME. The profile can be based on
           an existing profile, in which case the new profile templates are
           either copied from the base profile or symbolic links to these
           files are created if such an option is selected.

           --vendor,-v
               The new profile is a vendor profile instead of a custom
               profile. See authselect-profiles(5) for more information on
               profile types.

           --base-on=BASE-ID, -b=BASE-ID
               The new profile will be based on a profile named BASE-ID. The
               base profile location is determined with these steps:

                1. If BASE-ID starts with prefix custom/ it is a custom
                   profile.

                2. Try if BASE-ID is found in vendor profiles.

                3. Try if BASE-ID is found in default profiles.

                4. Return an error.

           --base-on-default
               The base profile is a default profile even if it is also found
               within vendor profiles.

           --symlink-meta
               Meta files, such as README and REQUIREMENTS, will be symbolic
               links to the origin profile files instead of their copy.

           --symlink-nsswitch
               The nsswitch.conf template will be a symbolic link to the
               origin profile file instead of its copy.

           --symlink-pam
               PAM templates will be symbolic links to the origin profile
               files instead of their copy.

           --symlink-dconf
               dconf templates will be symbolic links to the origin profile
               files instead of their copy.

           --symlink=FILE,-s=FILE
               Create a symbolic link for a template file FILE instead of
               creating its copy. This option can be passed multiple times.

BACKUP COMMANDS

       These commands can be used to manage backed up configurations.

       backup-list [-r, --raw]
           Print available backups. If --raw option is specified, the command
           will print only backup names without any formatting and additional
           information.

       backup-remove BACKUP
           Permanently delete backup named BACKUP.

       backup-restore BACKUP
           Restore configuration from backup named BACKUP.  Note: this will
           overwrite current configuration.

COMMON OPTIONS

       These options are available with all commands.

       --debug
           Print debugging information and error messages.

       --trace
           Print information about what the tool is doing.

       --warn
           Print information about unexpected situations that do not affect
           the program execution but may indicate some undesired situations
           (e.g. unexpected file in a profile directory).

NSSWITCH.CONF MANAGEMENT

       Authselect generates /etc/nsswitch.conf and does not allow any user
       changes to this file. Such changes are detected and authselect will
       refuse to write any system configuration unless a --force option is
       provided to the select command. This mechanism prevents authselect from
       overwriting anything that does not match any available profile.

       Any user changes to nsswitch maps must be made in the file
       /etc/authselect/user-nsswitch.conf. When authselect generates a new
       nsswitch.conf it reads this file and combines it with the
       configuration from the selected profile. The profile configuration
       always takes precedence. In other words, profiles do not have to set
       all nsswitch maps but can set only those that are relevant to the
       profile. If a map is set within a profile, it always overwrites the
       same map from user-nsswitch.conf.

       Example 1.

           # "sssd" profile
           $ cat /usr/share/authselect/default/sssd/nsswitch.conf
           passwd:     sss files systemd
           group:      sss files systemd
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files sss {include if "with-sudo"}

           $ cat /etc/authselect/user-nsswitch.conf
           passwd: files sss
           group: files sss
           hosts: files dns myhostname
           sudoers: files

           $ authselect select sssd

           # passwd and group maps from user-nsswitch.conf are ignored
           $ cat /etc/nsswitch.conf
           passwd:     sss files systemd
           group:      sss files systemd
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           hosts:      files dns myhostname
           sudoers:    files

           $ authselect select sssd with-sudo

           # passwd, group and sudoers maps from user-nsswitch.conf are ignored
           $ cat /etc/nsswitch.conf
           passwd:     sss files systemd
           group:      sss files systemd
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files sss
           hosts:      files dns myhostname
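
       The precedence rule above, replayed on the two files from Example 1.
       This is an added example, not code from authselect: the function names
       are hypothetical and only the {include if "feature"} condition shown on
       this page is modelled. It also reports which user-nsswitch.conf maps
       end up ignored.

```python
import re

# Constructed inputs: the two files shown in Example 1 on this page.
PROFILE_TEMPLATE = """\
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss {include if "with-sudo"}
"""
USER_NSSWITCH = """\
passwd: files sss
group: files sss
hosts: files dns myhostname
sudoers: files
"""
# Assumption: only the {include if "feature"} condition from Example 1 is handled.
_COND = re.compile(r'\s*\{include if "([^"]+)"\}\s*$')


def parse_maps(text, features=()):
    """Return {map: sources} in file order, skipping conditional lines whose feature is off."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        cond = _COND.search(line)
        if cond:
            if cond.group(1) not in features:
                continue  # feature not enabled: the profile does not set this map
            line = line[:cond.start()]
        if ":" in line:
            name, sources = line.split(":", 1)
            maps[name.strip()] = " ".join(sources.split())
    return maps


def merge_nsswitch(profile_text, user_text, features=()):
    """Profile maps always win; user maps only fill in what the profile leaves unset.
    Returns (effective maps, names of user maps that were ignored)."""
    profile = parse_maps(profile_text, features)
    user = parse_maps(user_text)
    effective = dict(profile)
    effective.update({n: s for n, s in user.items() if n not in profile})
    ignored = [n for n in user if n in profile]
    return effective, ignored


if __name__ == "__main__":
    for feats in ((), ("with-sudo",)):
        effective, ignored = merge_nsswitch(PROFILE_TEMPLATE, USER_NSSWITCH, feats)
        print(f"features={list(feats)} ignored user maps: {ignored}")
        for name, sources in effective.items():
            print(f"{name}:".ljust(12) + sources)
```

       A non-empty ignored list means an override in user-nsswitch.conf has no
       effect under the selected profile and feature set.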

TROUBLESHOOTING

   How can I tell if my system is using authselect?
       Use authselect check. The output will tell you if you have 1)
       configuration generated by authselect 2) non-authselect configuration
       or 3) configuration that was generated by authselect but modified
       manually at some point.

   Is nsswitch.conf supposed to be a symbolic link now?
       Authselect generates your system configuration from scratch and stores
       it at /etc/authselect. System files are then created as symbolic links
       to this directory. Symbolic links are used to make it clear that
       authselect now owns your configuration and should be used instead of
       any manual modification.

   Error: Unexpected changes to the configuration were detected.
       For example:

           [error] [/etc/authselect/nsswitch.conf] does not exist!
           [error] [/etc/nsswitch.conf] is not a symbolic link!
           [error] [/etc/nsswitch.conf] was not created by authselect!
           [error] Unexpected changes to the configuration were detected.
           [error] Refusing to activate profile unless those changes are removed or overwrite is requested.

       This means that your configuration is unknown to authselect and as such
       it will not be modified. To fix this, please call authselect select
       with the --force parameter to say that it is all right to overwrite it.

RETURN CODES

       authselect can return these exit codes:

       ·   0: Success.

       ·   1: Generic error.

       ·   2: Profile or configuration was not found or the system was not
           configured with authselect.

       ·   3: Current configuration is not valid, it was edited without
           authselect.

       ·   4: System configuration must be overwritten to activate an
           authselect profile, --force parameter is needed.

       ·   5: Executed command must be run as root.

GENERATED FILES

       Authselect creates and maintains the following files to configure
       system identity and authentication providers properly.

       /etc/nsswitch.conf
           Name Service Switch configuration file.

       /etc/pam.d/system-auth
           PAM stack that is included from nearly all individual service
           configuration files.

       /etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
           These PAM stacks are for applications which handle authentication
           from different types of devices via simultaneously running
           individual conversations instead of one aggregate conversation.

       /etc/pam.d/postlogin
           The purpose of this PAM stack is to provide a common place for all
           PAM modules which should be called after the stack configured in
           system-auth or the other common PAM configuration files. It is
           included from all individual service configuration files that
           provide login service with shell or file access.  NOTE: the modules
           in the postlogin configuration file are executed regardless of the
           success or failure of the modules in the system-auth configuration
           file.

       /etc/dconf/db/distro.d/20-authselect
           Changes to the dconf database. The main use case of this file is to
           set changes for the GNOME login screen in order to enable or
           disable smartcard and fingerprint authentication.

       /etc/dconf/db/distro.d/locks/20-authselect
           This file defines locks on values set in the dconf database.

SEE ALSO

       authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
       PAM(8)

                                  2018-03-18                     AUTHSELECT(8)