AUTHSELECT(8)                                                    AUTHSELECT(8)

NAME

       authselect - select system identity and authentication sources.

SYNOPSIS

       authselect [--debug] [--trace] [--warn] command [command options]

DESCRIPTION

       Authselect is a tool to configure system identity and authentication
       sources and providers by selecting a specific profile. A profile is a
       set of files that describes what the resulting system configuration
       will look like. When a profile is selected, authselect will create the
       nsswitch.conf(5) and PAM(8) stack to use the identity and
       authentication sources defined by the profile.

       If the provided profile set is not sufficient, the administrator may
       create a custom profile by putting it in a special profile directory
       (/etc/authselect/custom). By doing so, the profile is immediately
       usable by authselect. See authselect-profiles(5) for more information
       on extending existing profiles.

OPT-IN TO AUTHSELECT

       Authselect will not touch your existing configuration unless it has
       already been created by it. If you want to start using authselect to
       configure your system authentication, please call authselect select
       with the --force parameter first (e.g. authselect select sssd --force).
       The --force parameter tells authselect that it is all right to
       overwrite existing non-authselect configuration (see description
       below). Using the --force parameter will automatically generate a
       backup of your current configuration, so if you wish to go back you can
       restore it with the authselect backup-restore command (see description
       below).

OPT-OUT FROM AUTHSELECT

       To stop authselect from managing your configuration, run authselect
       opt-out. This will remove all authselect configuration from your system
       and you can then modify your configuration manually.

AVAILABLE COMMANDS

       To list all available commands run authselect without any parameters.
       To print help for the selected command run authselect COMMAND --help.

       select profile_id [features] [-f, --force] [-q, --quiet] [-b]
       [--backup=NAME]
           Activate the desired profile. Use the show command to see the
           profile description, which lists profile-specific optional
           features.

           --force, -f
               Write changes even if the previous configuration was not
               created by authselect but by another tool or by manual changes.
               This option will automatically back up system files before
               writing any change unless the --nobackup option is set.

           -b
               Back up system files before activating the selected profile.
               The backup will be stored at /var/lib/authselect/backups/NAME.
               Current time with unique string is used as a name of the
               backup. This is a shortcut for --backup=.

           --backup=NAME
               Back up system files before activating the selected profile.
               The backup will be stored at /var/lib/authselect/backups/NAME.
               Current time with unique string is used as a name if no value
               is provided.

           --nobackup
               Do not back up system configuration even if --force is set.

           --quiet, -q
               The command will not print any informational message such as
               additional profile requirements or backup location. Errors are
               still printed.

       apply-changes [-b] [--backup=NAME]
           Re-apply the currently selected profile. If the profile templates
           were updated, this command can be used to regenerate the current
           system configuration in order to apply these changes on the system.
           This command will only re-apply the changes if the existing
           configuration is a valid authselect configuration, otherwise an
           error is returned.

           -b
               Back up system files before applying changes. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name of the backup. This is a
               shortcut for --backup=.

           --backup=NAME
               Back up system files before applying changes. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name if no value is provided.

       list
           List available profiles.

       list-features profile_id
           List all features available in the given profile.

           Note: This will only list the features without any description.
           Please read the profile documentation with show to see what the
           features do.

       show profile_id
           Print information about the profile.

       requirements profile_id [features]
           Print information about profile requirements.

       current [-r, --raw]
           Print information about currently selected profiles. If the --raw
           option is specified, the command will print raw parameters as they
           were passed to the select command instead of formatted output.

       check
           Check if the current configuration is valid (it was either created
           by authselect or there are no leftovers from previous authselect
           configuration).

       test profile_id [options] [features]
           Print content of files generated by authselect without actually
           writing anything to system configuration.

           -a, --all
               Print content of all files.

           -n, --nsswitch
               Print nsswitch.conf content.

           -s, --system-auth
               Print system-auth content.

           -p, --password-auth
               Print password-auth content.

           -c, --smartcard-auth
               Print smartcard-auth content.

           -f, --fingerprint-auth
               Print fingerprint-auth content.

           -o, --postlogin
               Print postlogin content.

           -d, --dconf-db
               Print dconf database content.

           -l, --dconf-lock
               Print dconf lock content.

       enable-feature feature [-b] [--backup=NAME] [-q, --quiet]
           Enable feature in the currently selected profile.

           -b
               Back up system files before enabling feature. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name of the backup. This is a
               shortcut for --backup=.

           --backup=NAME
               Back up system files before enabling feature. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name if no value is provided.

           --quiet, -q
               The command will not print any informational message such as
               additional profile requirements or backup location. Errors are
               still printed.

       disable-feature feature [-b] [--backup=NAME]
           Disable feature in the currently selected profile.

           -b
               Back up system files before disabling feature. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name of the backup. This is a
               shortcut for --backup=.

           --backup=NAME
               Back up system files before disabling feature. The backup will
               be stored at /var/lib/authselect/backups/NAME. Current time
               with unique string is used as a name if no value is provided.

       create-profile NAME [--vendor,-v] [options]
           Create a new custom profile named NAME. The profile can be based on
           an existing profile, in which case the new profile templates are
           either copied from the base profile or symbolic links to these
           files are created if such option is selected.

           --vendor,-v
               The new profile is a vendor profile instead of a custom
               profile. See authselect-profiles(5) for more information on
               profile types.

           --base-on=BASE-ID, -b=BASE-ID
               The new profile will be based on a profile named BASE-ID. The
               base profile location is determined with these steps:

                1. If BASE-ID starts with prefix custom/ it is a custom
                   profile.

                2. Try if BASE-ID is found in vendor profiles.

                3. Try if BASE-ID is found in default profiles.

                4. Return an error.

           --base-on-default
               The base profile is a default profile even if it is found also
               within vendor profiles.

           --symlink-meta
               Meta files, such as README and REQUIREMENTS, will be symbolic
               links to the origin profile files instead of their copy.

           --symlink-nsswitch
               nsswitch.conf template will be a symbolic link to the origin
               profile file instead of its copy.

           --symlink-pam
               PAM templates will be symbolic links to the origin profile
               files instead of their copy.

           --symlink-dconf
               dconf templates will be symbolic links to the origin profile
               files instead of their copy.

           --symlink=FILE,-s=FILE
               Create a symbolic link for a template file FILE instead of
               creating its copy. This option can be passed multiple times.

BACKUP COMMANDS

       These commands can be used to manage backed up configurations.

       backup-list [-r, --raw]
           Print available backups. If the --raw option is specified, the
           command will print only backup names without any formatting and
           additional information.

       backup-remove BACKUP
           Permanently delete backup named BACKUP.

       backup-restore BACKUP
           Restore configuration from backup named BACKUP. Note: this will
           overwrite current configuration.

OTHER COMMANDS

       opt-out
           Remove authselect configuration. This will restore nsswitch and PAM
           configuration under its system location and authselect will no
           longer manage it. Run authselect select to opt-in again.

COMMON OPTIONS

       These options are available with all commands.

       --debug
           Print debugging information and error messages.

       --trace
           Print information about what the tool is doing.

       --warn
           Print information about unexpected situations that do not affect
           the program execution but may indicate some undesired situations
           (e.g. unexpected file in a profile directory).

TROUBLESHOOTING

   How can I tell if my system is using authselect?
       Use authselect check. The output will tell you if you have 1)
       configuration generated by authselect, 2) non-authselect configuration,
       or 3) configuration that was generated by authselect but modified
       manually at some point.

   Is nsswitch.conf supposed to be a symbolic link now?
       Authselect generates your system configuration from scratch and stores
       it at /etc/authselect. System files are then created as symbolic links
       to this directory. Symbolic links are used to make it clear that
       authselect now owns your configuration and should be used instead of
       any manual modification.

   Error: Unexpected changes to the configuration were detected.
       For example:

           [error] [/etc/authselect/nsswitch.conf] does not exist!
           [error] [/etc/nsswitch.conf] is not a symbolic link!
           [error] [/etc/nsswitch.conf] was not created by authselect!
           [error] Unexpected changes to the configuration were detected.
           [error] Refusing to activate profile unless those changes are removed or overwrite is requested.

       This means that your configuration is unknown to authselect and as such
       it will not be modified. To fix this, please call authselect select
       with the --force parameter to say that it is all right to overwrite it.

RETURN CODES

       Authselect can return these exit codes:

       •   0: Success.

       •   1: Generic error.

       •   2: Profile or configuration was not found or the system was not
           configured with authselect.

       •   3: Current configuration is not valid, it was edited without
           authselect.

       •   4: System configuration must be overwritten to activate an
           authselect profile, --force parameter is needed.

       •   5: Executed command must be run as root.

       •   6: No configuration was detected.
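
       The exit codes above let a profile change on an already managed host
       be scripted defensively. The following is an added example, not part
       of authselect: it refuses to change a configuration that check does
       not report as valid, takes a named backup with --backup=NAME, and
       restores it with backup-restore if the post-change check fails. The
       AUTHSELECT variable and the function names are assumptions of this
       example.

```shell
#!/bin/sh
# Added example, not part of authselect. AUTHSELECT is a hypothetical
# override so the binary can be replaced by a stub when testing.
AUTHSELECT=${AUTHSELECT:-authselect}

# Translate the exit code of "authselect check" (see RETURN CODES).
check_state() {
    rc=0
    "$AUTHSELECT" check >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo valid ;;       # success
        3)   echo modified ;;    # edited without authselect
        2|6) echo unmanaged ;;   # not configured / nothing detected
        5)   echo need-root ;;   # must be run as root
        *)   echo error ;;
    esac
}

# safe_select PROFILE BACKUP [FEATURE...]
# Returns 0 on success, 1 if nothing was changed, 2 if rolled back.
safe_select() {
    profile=$1 backup=$2
    shift 2
    state=$(check_state)
    if [ "$state" != valid ]; then
        # Never reach for --force automatically: a human should first
        # look at what changed outside authselect.
        echo "refusing to switch: check reports '$state'" >&2
        return 1
    fi
    # Named backup so the rollback below knows what to restore.
    "$AUTHSELECT" select "$profile" "$@" --backup="$backup" || return 1
    if [ "$(check_state)" != valid ]; then
        echo "post-change check failed, restoring '$backup'" >&2
        "$AUTHSELECT" backup-restore "$backup" ||
            echo "restore of '$backup' failed" >&2
        return 2
    fi
}
```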

GENERATED FILES

       Authselect creates and maintains the following files to configure
       system identity and authentication providers properly.

       /etc/nsswitch.conf
           Name Service Switch configuration file.

       /etc/pam.d/system-auth
           PAM stack that is included from nearly all individual service
           configuration files.

       /etc/pam.d/password-auth, smartcard-auth, fingerprint-auth
           These PAM stacks are for applications which handle authentication
           from different types of devices via simultaneously running
           individual conversations instead of one aggregate conversation.

       /etc/pam.d/postlogin
           The purpose of this PAM stack is to provide a common place for all
           PAM modules which should be called after the stack configured in
           system-auth or the other common PAM configuration files. It is
           included from all individual service configuration files that
           provide login service with shell or file access. NOTE: the modules
           in the postlogin configuration file are executed regardless of the
           success or failure of the modules in the system-auth configuration
           file.

       /etc/dconf/db/distro.d/20-authselect
           Changes to dconf database. The main use case of this file is to
           set changes for the GNOME login screen in order to enable or
           disable smartcard and fingerprint authentication.

       /etc/dconf/db/distro.d/locks/20-authselect
           This file defines locks on values set in dconf database.
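
       The files listed above can be audited against the symbolic-link
       layout described under TROUBLESHOOTING. The following is an added
       example, not part of authselect; it assumes, as this page describes,
       that each generated file is a symbolic link into /etc/authselect. The
       function name and its ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of authselect. ROOT is a hypothetical prefix
# argument ("" audits the live system) so the check can run on a copy.
GENERATED="etc/nsswitch.conf etc/pam.d/system-auth etc/pam.d/password-auth
etc/pam.d/smartcard-auth etc/pam.d/fingerprint-auth etc/pam.d/postlogin
etc/dconf/db/distro.d/20-authselect
etc/dconf/db/distro.d/locks/20-authselect"

# Print one finding per suspicious file; return 1 if any drift was found.
audit_links() {
    root=${1%/}
    drift=0
    for rel in $GENERATED; do
        f="$root/$rel"
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            case $target in
                "$root"/etc/authselect/*)
                    # Right directory, but the generated file must exist.
                    [ -e "$f" ] && continue
                    echo "DANGLING $f -> $target" ;;
                *)  # Link redirected outside the authselect directory.
                    echo "FOREIGN  $f -> $target" ;;
            esac
        elif [ -e "$f" ]; then
            # Regular file: replaced or edited outside authselect.
            echo "REGULAR  $f"
        else
            # Absent files are reported but not counted as drift.
            echo "MISSING  $f"
            continue
        fi
        drift=1
    done
    return "$drift"
}
```

       A FOREIGN finding on a PAM stack deserves the closest look, since it
       means authentication is being driven by a file authselect does not
       generate.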

SEE ALSO

       authselect-profiles(5), authselect-migration(7), nsswitch.conf(5),
       PAM(8)

                                  2018-03-18                     AUTHSELECT(8)