AUTHSELECT-PROFILES(5)                                  AUTHSELECT-PROFILES(5)

NAME
       authselect-profiles - how to extend authselect profiles

DESCRIPTION
       This manual page explains how authselect profiles are organized and how
       to create new profiles.

PROFILE DIRECTORIES
       Profiles can be found in one of three directories.

       /usr/share/authselect/default
           Read-only directory containing profiles shipped together with
           authselect.

       /usr/share/authselect/vendor
           Read-only directory for vendor-specific profiles that can override
           the ones in the default directory.

       /etc/authselect/custom
           Place for administrator-defined profiles.

PROFILE FILES
       Each profile consists of one or more of these files, which provide a
       mandatory profile description and describe the changes that are made to
       the system.

       README
           Description of the profile. The first line must be the name of the
           profile.

       system-auth
           PAM stack that is included from nearly all individual service
           configuration files.

       password-auth, smartcard-auth, fingerprint-auth
           These PAM stacks are for applications which handle authentication
           from different types of devices via simultaneously running
           individual conversations instead of one aggregate conversation.

       postlogin
           The purpose of this PAM stack is to provide a common place for all
           PAM modules which should be called after the stack configured in
           system-auth or the other common PAM configuration files. It is
           included from all individual service configuration files that
           provide login service with shell or file access.  NOTE: the modules
           in the postlogin configuration file are executed regardless of the
           success or failure of the modules in the system-auth configuration
           file.

       nsswitch.conf
           Name Service Switch configuration file.

       dconf-db
           Changes to the dconf database. The main use case of this file is to
           change GNOME login screen settings in order to enable or disable
           smartcard and fingerprint authentication.

       dconf-locks
           This file defines locks on values set in the dconf database.

   CONDITIONAL LINES
       Each of these files serves as a template. A template is a plain text
       file that may use several operators to provide optional profile
       features.

       {continue if "feature"}
           Immediately stop processing the file unless "feature" is defined
           (the rest of the file content will be removed). If "feature" is
           defined, the whole line with this operator is removed and the rest
           of the template is processed.

       {stop if "feature"}
           Opposite of "continue if". Immediately stop processing the file if
           "feature" is defined (the rest of the file content will be
           removed). If "feature" is not defined, the whole line with this
           operator is removed and the rest of the template is processed.

       {include if "feature"}
           Include the line where this operator is placed only if "feature" is
           defined.

       {exclude if "feature"}
           Opposite of "include if". Include the line where this operator is
           placed only if "feature" is not defined.

       {imply "implied-feature" if "feature"}
           Enable feature "implied-feature" if feature "feature" is enabled.
           The whole line with this operator is removed, so it is not possible
           to place anything else on the same line as this operator.

       {if "feature":true|false}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if "feature":true}
           If "feature" is defined, replace this operator with the string
           "true", otherwise with an empty string.

       The strings "true" and "false" in the two forms above are only
       placeholders: any text may be substituted, e.g. {if "with-sudo":sss}
       inserts "sss" when "with-sudo" is defined and nothing otherwise.

       It is also possible to use a logical expression in a conditional line
       instead of a single feature name. In this case the expression is
       evaluated to true or false and the conditional operator acts upon the
       result.

       The expression syntax consists of feature names (e.g. "feature"), which
       evaluate to true if the feature is defined and to false if it is not,
       and the logical operators and, or and not. The expression may also be
       enclosed in parentheses and contain multiple subexpressions.

       For example:

       {if "feature1" or "feature2":true}
           If "feature1" or "feature2" is defined, replace this operator with
           the string "true", otherwise with an empty string.

       {if not "feature":true|false}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with the string "false".

       {if not "feature":true}
           If "feature" is not defined, replace this operator with the string
           "true", otherwise with an empty string.

       {if "feature1" and ("feature2" or "feature3"):true}
           If "feature1" is defined and at least one of "feature2" and
           "feature3" is defined, replace this operator with the string
           "true", otherwise with an empty string.

   EXAMPLE
       Here is an example of using the "if" operator. If the "with-sudo"
       feature is enabled, it adds "sss" to the sudoers line.

           passwd:     sss files
           group:      sss files
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files {if "with-sudo":sss}

       Here is an example of the "continue if" and "include if" operators. The
       resulting file will be empty unless the "with-smartcard" feature is
       enabled. If it is enabled and the "with-faillock" feature is also
       enabled, support for pam_faillock is enabled as well.

           {continue if "with-smartcard"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of "continue if" with a logical expression. The file
       will be empty unless "with-smartcard" or "with-smartcard-required" is
       set. This simplifies the authselect select command, which does not have
       to include both features; "with-smartcard-required" alone is
       sufficient.

           {continue if "with-smartcard" or "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
           auth        sufficient                                   pam_unix.so nullok
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
           auth        required                                     pam_deny.so
           ...

       Here is an example of the "imply" operator. Enabling the feature
       "with-smartcard-required" also enables "with-smartcard" to make sure
       that all relevant PAM modules are used. This achieves the same behavior
       as the previous example.

           {imply "with-smartcard" if "with-smartcard-required"}
           auth        required                                     pam_env.so
           auth        required                                     pam_faildelay.so delay=2000000
           auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
           auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail             {include if "with-smartcard-required"}
           auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
           auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                                 {exclude if "with-smartcard"}
           auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                                 {include if "with-smartcard"}
           auth        [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
           auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
           auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
           auth        sufficient                                   pam_sss.so forward_pass
           auth        required                                     pam_deny.so
           ...

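       As an added example (not authselect's own code, and not a substitute
       for running authselect), the following Python script reimplements the
       operators and the expression syntax described in this manual page so
       that a profile author can check offline what a template renders to for
       a given set of features. It assumes that "imply" lines are resolved
       before the rest of the file is evaluated, which this manual page does
       not state; the two templates embedded in it are constructed for the
       example and modelled on the nsswitch.conf and PAM snippets above, not
       copied from a shipped profile.

```python
"""Added example, not authselect's own code: re-implements the template
operators and the and/or/not expression syntax documented above so a template
can be previewed offline.  Assumption: {imply ...} lines are resolved first."""
import re

# Tokens: quoted feature name (tried first, so "with-not-x" stays one token),
# the keywords and/or/not, and parentheses.
_TOKEN = re.compile(r'"[^"]*"|\band\b|\bor\b|\bnot\b|[()]')

class _Parser:
    # Recursive-descent evaluator; precedence (lowest first): or, and, not.
    def __init__(self, expr, features):
        self.tokens, self.features = _TOKEN.findall(expr), features
    def _peek(self):
        return self.tokens[0] if self.tokens else None
    def _take(self):
        return self.tokens.pop(0) if self.tokens else None
    def _or(self):
        value = self._and()
        while self._peek() == "or":
            self._take()
            value = self._and() or value    # operand first: no short-circuit
        return value
    def _and(self):
        value = self._atom()
        while self._peek() == "and":
            self._take()
            value = self._atom() and value
        return value
    def _atom(self):
        tok = self._take()
        if tok == "not":
            return not self._atom()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or not tok.startswith('"'):
            raise ValueError(f"expected feature name, got {tok!r}")
        return tok.strip('"') in self.features

def evaluate(expr, features):
    """True if the feature expression holds for the set of enabled features."""
    parser = _Parser(expr, features)
    value = parser._or()
    if parser._peek() is not None:
        raise ValueError(f"unexpected token {parser._peek()!r}")
    return value

_OP = re.compile(r'\{(continue if|stop if|include if|exclude if) ([^}]*)\}')
_IMPLY = re.compile(r'\{imply "([^"]+)" if ([^}]*)\}')
_SUBST = re.compile(r'\{if ([^:}]*):([^|}]*)(?:\|([^}]*))?\}')

def resolve_features(template, features):
    """Apply every {imply ...} line, repeating until no new feature appears."""
    enabled, changed = set(features), True
    while changed:
        changed = False
        for implied, cond in _IMPLY.findall(template):
            if implied not in enabled and evaluate(cond, enabled):
                enabled.add(implied)
                changed = True
    return enabled

def render(template, features):
    """Return the file the template generates for the given feature set."""
    enabled, out = resolve_features(template, features), []
    for line in template.splitlines():
        if _IMPLY.search(line):
            continue                      # imply lines never reach the output
        m = _OP.search(line)
        if m:
            op, cond = m.group(1), evaluate(m.group(2), enabled)
            if (op == "continue if" and not cond) or (op == "stop if" and cond):
                break                     # drop the rest of the file
            if op in ("continue if", "stop if"):
                continue                  # the operator line itself is dropped
            if (op == "include if") != cond:
                continue                  # include/exclude filter on this line
            line = _OP.sub("", line)
        # {if expr:a|b} becomes a or b; {if expr:a} becomes a or nothing
        line = _SUBST.sub(lambda s: s.group(2) if evaluate(s.group(1), enabled)
                          else (s.group(3) or ""), line)
        out.append(line.rstrip())         # trim the space a removed operator left
    return "\n".join(out) + ("\n" if out else "")

# Constructed templates for this example, modelled on the snippets above.
NSSWITCH_TEMPLATE = 'passwd:     sss files\nsudoers:    files {if "with-sudo":sss}\n'
PAM_TEMPLATE = """\
{imply "with-smartcard" if "with-smartcard-required"}
{continue if "with-smartcard" or "with-smartcard-required"}
auth  required    pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth  sufficient  pam_unix.so {if not "without-nullok":nullok}
auth  [success=done ignore=ignore default=die] pam_sss.so require_cert_auth {include if "with-smartcard-required"}
"""

if __name__ == "__main__":
    print(render(PAM_TEMPLATE, {"with-smartcard-required", "without-nullok"}))
```

       Run the script as-is to see the rendering for "with-smartcard-required"
       plus "without-nullok", or call render() with other feature sets; note
       that "with-smartcard" is enabled by the imply line even though it was
       not requested, and that a malformed expression raises ValueError rather
       than silently evaluating to false. For a real profile, prefer authselect
       test, which prints the files authselect itself would generate without
       applying them (see authselect(8)).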

CREATING A NEW PROFILE
       To register a new profile within authselect, create a directory in one
       of the authselect profile locations with the files listed above. Not
       all of the files must be present; only README is mandatory. Other files
       can be created on an as-needed basis.

       You may find the authselect create-profile command helpful when
       creating a new profile. See the authselect(8) manual page or authselect
       create-profile --help for more information.


SEE ALSO
       authselect(8), nsswitch.conf(5), PAM(8)



                                  2018-02-17            AUTHSELECT-PROFILES(5)