AUTHSELECT(8)                                                    AUTHSELECT(8)

authselect - select system identity and authentication sources.

authselect [--debug] [--trace] [--warn] command [command options]

Authselect is a tool to configure system identity and authentication
sources and providers by selecting a specific profile. A profile is a set
of files that describes how the resulting system configuration will
look. When a profile is selected, authselect will create the
nsswitch.conf(5) and PAM(8) stack to use the identity and authentication
sources defined by the profile.

If the provided profile set is not sufficient, the administrator may
create a custom profile by putting it in a special profile directory
(/etc/authselect/custom). By doing so, the profile is immediately
usable by authselect. See authselect-profiles(5) for more information
on extending existing profiles.

Authselect will not touch your existing configuration unless it has
already been created by it. If you want to start using authselect to
configure your system authentication, please call authselect select
with the --force parameter first (e.g. authselect select sssd --force). The
--force parameter tells authselect that it is all right to overwrite
existing non-authselect configuration (see description below). Using
the --force parameter will automatically generate a backup of your
current configuration, so if you wish to go back you can restore it with
the authselect backup-restore command (see description below).

To stop authselect from managing your configuration, run authselect
opt-out. This will remove all authselect configuration from your system
and you can then modify your configuration manually.

To list all available commands, run authselect without any parameters.
To print help for the selected command, run authselect COMMAND --help.

select profile_id [features] [-f, --force] [-q, --quiet] [-b]
[--backup=NAME]
    Activate the desired profile. See the profile description with the show
    command to list profile-specific optional features.

    --force, -f
        Write changes even if the previous configuration was not
        created by authselect but by another tool or by manual changes.
        This option will automatically back up system files before
        writing any change unless the --nobackup option is set.

    -b
        Back up system files before activating the selected profile. The
        backup will be stored at /var/lib/authselect/backups/NAME.
        The current time with a unique string is used as the name of the
        backup. This is a shortcut for --backup=.

    --backup=NAME
        Back up system files before activating the selected profile. The
        backup will be stored at /var/lib/authselect/backups/NAME.
        The current time with a unique string is used as the name if no
        value is provided.

    --nobackup
        Do not back up system configuration even if --force is set.

    --quiet, -q
        The command will not print any informational messages such as
        additional profile requirements or backup location. Errors are
        still printed.

apply-changes [-b] [--backup=NAME]
    Re-apply the currently selected profile. If the profile templates were
    updated, this command can be used to regenerate the current system
    configuration in order to apply these changes on the system. This
    command will only re-apply the changes if the existing
    configuration is a valid authselect configuration, otherwise an
    error is returned.

    -b
        Back up system files before applying changes. The backup will be
        stored at /var/lib/authselect/backups/NAME. The current time with
        a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before applying changes. The backup will be
        stored at /var/lib/authselect/backups/NAME. The current time with
        a unique string is used as the name if no value is provided.

list
    List available profiles.

list-features profile_id
    List all features available in the given profile.

    Note: This will only list the features without any description.
    Please read the profile documentation with show to see what the
    features do.

show profile_id
    Print information about the profile.

requirements profile_id [features]
    Print information about profile requirements.

current [-r, --raw]
    Print information about the currently selected profiles. If the --raw
    option is specified, the command will print raw parameters as they
    were passed to the select command instead of formatted output.

check
    Check if the current configuration is valid (it was either created
    by authselect or there are no leftovers from previous authselect
    configuration).

test profile_id [options] [features]
    Print the content of files generated by authselect without actually
    writing anything to system configuration.

    -a, --all
        Print content of all files.

    -n, --nsswitch
        Print nsswitch.conf content.

    -s, --system-auth
        Print system-auth content.

    -p, --password-auth
        Print password-auth content.

    -c, --smartcard-auth
        Print smartcard-auth content.

    -f, --fingerprint-auth
        Print fingerprint-auth content.

    -o, --postlogin
        Print postlogin content.

    -d, --dconf-db
        Print dconf database content.

    -l, --dconf-lock
        Print dconf lock content.

enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
    Enable a feature in the currently selected profile.

    -b
        Back up system files before enabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before enabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name if no value is provided.

    --quiet, -q
        The command will not print any informational messages such as
        additional profile requirements or backup location. Errors are
        still printed.

disable-feature feature [-b] [--backup=NAME]
    Disable a feature in the currently selected profile.

    -b
        Back up system files before disabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name of the backup. This is a
        shortcut for --backup=.

    --backup=NAME
        Back up system files before disabling the feature. The backup will
        be stored at /var/lib/authselect/backups/NAME. The current time
        with a unique string is used as the name if no value is provided.

create-profile NAME [--vendor,-v] [options]
    Create a new custom profile named NAME. The profile can be based on
    an existing profile, in which case the new profile templates are
    either copied from the base profile or symbolic links to these
    files are created if such an option is selected.

    --vendor,-v
        The new profile is a vendor profile instead of a custom
        profile. See authselect-profiles(5) for more information on
        profile types.

    --base-on=BASE-ID, -b=BASE-ID
        The new profile will be based on a profile named BASE-ID. The
        base profile location is determined with these steps:

        1. If BASE-ID starts with the prefix custom/ it is a custom
           profile.

        2. Try if BASE-ID is found in vendor profiles.

        3. Try if BASE-ID is found in default profiles.

        4. Return an error.

    --base-on-default
        The base profile is a default profile even if it is also found
        within vendor profiles.

    --symlink-meta
        Meta files, such as README and REQUIREMENTS, will be symbolic
        links to the origin profile files instead of their copies.

    --symlink-nsswitch
        The nsswitch.conf template will be a symbolic link to the origin
        profile file instead of its copy.

    --symlink-pam
        PAM templates will be symbolic links to the origin profile
        files instead of their copies.

    --symlink-dconf
        dconf templates will be symbolic links to the origin profile
        files instead of their copies.

    --symlink=FILE,-s=FILE
        Create a symbolic link for a template file FILE instead of
        creating its copy. This option can be passed multiple times.

These commands can be used to manage backed up configurations.

backup-list [-r, --raw]
    Print available backups. If the --raw option is specified, the command
    will print only backup names without any formatting and additional
    information.

backup-remove BACKUP
    Permanently delete the backup named BACKUP.

backup-restore BACKUP
    Restore configuration from the backup named BACKUP. Note: this will
    overwrite the current configuration.

opt-out
    Remove authselect configuration. This will restore nsswitch and PAM
    configuration under its system location and authselect will no
    longer manage it. Run authselect select to opt in again.

These options are available with all commands.

--debug
    Print debugging information and error messages.

--trace
    Print information about what the tool is doing.

--warn
    Print information about unexpected situations that do not affect
    the program execution but may indicate some undesired situations
    (e.g. unexpected file in a profile directory).

How can I tell if my system is using authselect?
    Use authselect check. The output will tell you if you have 1)
    configuration generated by authselect, 2) non-authselect configuration,
    or 3) configuration that was generated by authselect but modified
    manually at some point.

Is nsswitch.conf supposed to be a symbolic link now?
    Authselect generates your system configuration from scratch and stores
    it at /etc/authselect. System files are then created as symbolic links
    to this directory. Symbolic links are used to make it clear that
    authselect now owns your configuration and should be used instead
    of any manual modification.

Error: Unexpected changes to the configuration were detected.
    For example:

        [error] [/etc/authselect/nsswitch.conf] does not exist!
        [error] [/etc/nsswitch.conf] is not a symbolic link!
        [error] [/etc/nsswitch.conf] was not created by authselect!
        [error] Unexpected changes to the configuration were detected.
        [error] Refusing to activate profile unless those changes are removed or overwrite is requested.

    This means that your configuration is unknown to authselect and as such
    it will not be modified. To fix this, please call authselect select
    with the --force parameter to say that it is all right to overwrite it.
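
The workflow this page describes (preview with test, select with a named backup, verify with check, restore with backup-restore), as an added example that is not part of authselect. The switch_profile function, the ALLOW_FORCE and AUTHSELECT variables and the backup name before-sssd are assumptions of the example.

```sh
#!/bin/sh
# Added example (not authselect code): switch profiles with a named backup,
# verify the result, and roll back if verification fails.

# Assumption: overridable binary name, so the flow can be rehearsed with a stub.
AUTHSELECT="${AUTHSELECT:-authselect}"

# switch_profile PROFILE BACKUP_NAME [FEATURE...]
# Set ALLOW_FORCE=1 to permit overwriting non-authselect configuration.
switch_profile() {
    [ "$#" -ge 2 ] || { echo "usage: switch_profile PROFILE BACKUP [FEATURE...]" >&2; return 1; }
    sp_profile="$1"; sp_backup="$2"; shift 2

    # Dry run: render every generated file without touching the system.
    "$AUTHSELECT" test "$sp_profile" -a "$@" >/dev/null || return 1

    sp_force=""
    if [ "${ALLOW_FORCE:-0}" = 1 ]; then sp_force="--force"; fi

    sp_rc=0
    # $sp_force is intentionally unquoted so an empty value adds no argument.
    "$AUTHSELECT" select "$sp_profile" "$@" $sp_force --backup="$sp_backup" || sp_rc=$?
    case "$sp_rc" in
        0) ;;
        4) echo "existing configuration is not from authselect; rerun with ALLOW_FORCE=1" >&2
           return 4 ;;
        5) echo "must be run as root" >&2; return 5 ;;
        *) return "$sp_rc" ;;
    esac

    # Verify; on failure restore the backup taken by the select call above.
    if ! "$AUTHSELECT" check >/dev/null; then
        echo "check failed, restoring backup $sp_backup" >&2
        "$AUTHSELECT" backup-restore "$sp_backup"
        return 3
    fi
    return 0
}

# Usage (as root): ALLOW_FORCE=1 switch_profile sssd before-sssd
```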

authselect can return these exit codes:

• 0: Success.

• 1: Generic error.

• 2: Profile or configuration was not found or the system was not
  configured with authselect.

• 3: Current configuration is not valid, it was edited without
  authselect.

• 4: System configuration must be overwritten to activate an
  authselect profile, --force parameter is needed.

• 5: Executed command must be run as root.

• 6: No configuration was detected.

Authselect creates and maintains the following files to configure
system identity and authentication providers properly.

/etc/nsswitch.conf
    Name Service Switch configuration file.

/etc/pam.d/system-auth
    PAM stack that is included from nearly all individual service
    configuration files.

/etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
    These PAM stacks are for applications which handle authentication
    from different types of devices via simultaneously running
    individual conversations instead of one aggregate conversation.

/etc/pam.d/postlogin
    The purpose of this PAM stack is to provide a common place for all
    PAM modules which should be called after the stack configured in
    system-auth or the other common PAM configuration files. It is
    included from all individual service configuration files that
    provide login service with shell or file access. NOTE: the modules
    in the postlogin configuration file are executed regardless of the
    success or failure of the modules in the system-auth configuration
    file.

/etc/dconf/db/distro.d/20-authselect
    Changes to the dconf database. The main use case of this file is to
    set changes for the GNOME login screen in order to enable or disable
    smartcard and fingerprint authentication.

/etc/dconf/db/distro.d/locks/20-authselect
    This file defines locks on values set in the dconf database.
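
An added example, not part of the authselect project: a POSIX shell check that the nsswitch and PAM files listed above are still symbolic links into /etc/authselect, as this page describes. The audit_authselect_links function, its optional root argument and the same-named link targets for the PAM files are assumptions of the example.

```sh
#!/bin/sh
# Added example (not authselect code): flag managed files that are no longer
# symbolic links into /etc/authselect, the layout this man page describes.

# nsswitch and PAM files named on this page, relative to the root directory.
MANAGED_FILES="etc/nsswitch.conf etc/pam.d/system-auth etc/pam.d/password-auth
etc/pam.d/smartcard-auth etc/pam.d/fingerprint-auth etc/pam.d/postlogin"

# audit_authselect_links [ROOT]
# ROOT defaults to / and may point at a mounted image or a test tree.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_authselect_links() {
    aal_root="${1:-/}"
    aal_root="${aal_root%/}"
    aal_bad=0
    for aal_rel in $MANAGED_FILES; do
        aal_path="$aal_root/$aal_rel"
        # Assumption: each link points at the same file name in /etc/authselect.
        aal_want="/etc/authselect/${aal_rel##*/}"
        if [ -L "$aal_path" ]; then
            aal_target=$(readlink "$aal_path")
            if [ "$aal_target" != "$aal_want" ]; then
                echo "FOREIGN   /$aal_rel -> $aal_target"
                aal_bad=1
            elif [ ! -e "$aal_root$aal_want" ]; then
                echo "DANGLING  /$aal_rel -> $aal_target"
                aal_bad=1
            fi
        elif [ -e "$aal_path" ]; then
            # A regular file here means it was edited or replaced by hand.
            echo "NOT-LINK  /$aal_rel"
            aal_bad=1
        else
            echo "MISSING   /$aal_rel"
            aal_bad=1
        fi
    done
    return "$aal_bad"
}

# Usage: audit_authselect_links            (live system)
#        audit_authselect_links /mnt/image (offline copy; path is hypothetical)
```

A finding here is a reason to run authselect check and compare against the most recent backup before re-applying the profile.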

authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
PAM(8)

2018-03-18                                                       AUTHSELECT(8)