AUTHSELECT-PROFILES(5)                                  AUTHSELECT-PROFILES(5)

NAME
       authselect-profiles - how to extend authselect profiles.

DESCRIPTION
       This manual page explains how authselect profiles are organized and how
       to create new ones.

PROFILE DIRECTORIES
       Profiles can be found in one of three directories.

       /usr/share/authselect/default
              Read-only directory containing profiles shipped together with
              authselect.

       /usr/share/authselect/vendor
              Read-only directory for vendor-specific profiles that can override
              the ones in the default directory.

       /etc/authselect/custom
              Place for administrator-defined profiles.

PROFILE FILES
       Each profile consists of one or more of these files, which provide a
       mandatory profile description and describe the changes that are made to
       the system.

       README
              Description of the profile. The first line must be the name of
              the profile.

       system-auth
              PAM stack that is included from nearly all individual service
              configuration files.

       password-auth, smartcard-auth, fingerprint-auth
              These PAM stacks are for applications which handle authentication
              from different types of devices via simultaneously running
              individual conversations instead of one aggregate conversation.

       postlogin
              The purpose of this PAM stack is to provide a common place for all
              PAM modules which should be called after the stack configured in
              system-auth or the other common PAM configuration files. It is
              included from all individual service configuration files that
              provide a login service with shell or file access. NOTE: the
              modules in the postlogin configuration file are executed
              regardless of the success or failure of the modules in the
              system-auth configuration file.

       nsswitch.conf
              Name Service Switch configuration file.

       dconf-db
              Changes to the dconf database. The main use case of this file is
              to change the GNOME login screen settings in order to enable or
              disable smartcard and fingerprint authentication.

       dconf-locks
              This file defines locks on values set in the dconf database.

CONDITIONAL LINES
       Each of these files serves as a template. A template is a plain text
       file that may use several operators to provide optional profile
       features.

       {continue if "feature"}
              Immediately stop processing the file unless "feature" is defined
              (the rest of the file content will be removed). If "feature" is
              defined, the whole line with this operator will be removed and
              the rest of the template will be processed.

       {stop if "feature"}
              Opposite of "continue if". Immediately stop processing the file
              if "feature" is defined (the rest of the file content will be
              removed). If "feature" is not defined, the whole line with this
              operator will be removed and the rest of the template will be
              processed.

       {include if "feature"}
              Include the line where this operator is placed only if "feature"
              is defined.

       {exclude if "feature"}
              Opposite of "include if". Include the line where this operator is
              placed only if "feature" is not defined.

       {imply "implied-feature" if "feature"}
              Enable feature "implied-feature" if feature "feature" is enabled.
              The whole line with this operator is removed, so it is not
              possible to put anything else on the same line as this operator.

       {if "feature":true|false}
              If "feature" is defined, replace this operator with the string
              "true", otherwise with the string "false".

       {if "feature":true}
              If "feature" is defined, replace this operator with the string
              "true", otherwise with an empty string.

       It is also possible to use a logical expression in a conditional line
       instead of a single feature name. In this case the expression evaluates
       to true or false and the conditional operator acts upon the result.

       The expression syntax consists of feature names (e.g. "feature"), each
       of which evaluates to true if the feature is defined and false if it is
       not, combined with the logical operators and, or and not. The
       expression may also be enclosed in parentheses and contain multiple
       subexpressions.

       For example:

       {if "feature1" or "feature2":true}
              If "feature1" or "feature2" is defined, replace this operator
              with the string "true", otherwise with an empty string.

       {if not "feature":true|false}
              If "feature" is not defined, replace this operator with the
              string "true", otherwise with the string "false".

       {if not "feature":true}
              If "feature" is not defined, replace this operator with the
              string "true", otherwise with an empty string.

       {if "feature1" and ("feature2" or "feature3"):true}
              If "feature1" is defined and at least one of "feature2" and
              "feature3" is defined, replace this operator with the string
              "true", otherwise with an empty string.

EXAMPLE
       Here is an example of using the "if" operator. If the "with-sudo"
       feature is enabled, it will add "sss" to the sudoers line.

           passwd:     sss files
           group:      sss files
           netgroup:   sss files
           automount:  sss files
           services:   sss files
           sudoers:    files {if "with-sudo":sss}

       Here is an example of the "continue if" and "include if" operators. The
       resulting file will be empty unless the "with-smartcard" feature is
       enabled. If it is enabled and the "with-faillock" feature is also
       enabled, it will also enable support for pam_faillock.

           {continue if "with-smartcard"}
           auth required pam_env.so
           auth required pam_faildelay.so delay=2000000
           auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
           auth [default=1 ignore=ignore success=ok] pam_localuser.so
           auth sufficient pam_unix.so nullok
           auth requisite pam_succeed_if.so uid >= 1000 quiet_success
           auth sufficient pam_sss.so forward_pass
           auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
           auth required pam_deny.so
           ...

       Here is an example of "continue if" using a logical expression. The file
       will be empty unless "with-smartcard" or "with-smartcard-required" is
       set. This simplifies the authselect select command line, which then does
       not have to list both features: "with-smartcard-required" alone is
       enough.

           {continue if "with-smartcard" or "with-smartcard-required"}
           auth required pam_env.so
           auth required pam_faildelay.so delay=2000000
           auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
           auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
           auth [default=1 ignore=ignore success=ok] pam_localuser.so
           auth sufficient pam_unix.so nullok
           auth requisite pam_succeed_if.so uid >= 1000 quiet_success
           auth sufficient pam_sss.so forward_pass
           auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
           auth required pam_deny.so
           ...

       Here is an example of the "imply" operator. Enabling the feature
       "with-smartcard-required" will also enable "with-smartcard" to make
       sure that all relevant PAM modules are used. This achieves the same
       behavior as the previous example.

           {imply "with-smartcard" if "with-smartcard-required"}
           auth required pam_env.so
           auth required pam_faildelay.so delay=2000000
           auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
           auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
           auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
           auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
           auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
           auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
           auth sufficient pam_unix.so {if not "without-nullok":nullok}
           auth requisite pam_succeed_if.so uid >= 1000 quiet_success
           auth sufficient pam_sss.so forward_pass
           auth required pam_deny.so
           ...

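       To make the operator semantics of the CONDITIONAL LINES section and the
       templates in this EXAMPLE section concrete, the following Python
       template processor is an added example and is not authselect's own
       code. It assumes each file is processed on its own, with "imply" lines
       resolved before the rest of the file, and PAM_AUTH is a constructed,
       shortened form of the "imply" example above.

```python
import ast
import re
# Constructed re-implementation of the template operators described in this
# manual page (assumption: it is not authselect's own code).
_LINE_OP = re.compile(r'^\s*\{(continue|stop) if (.+)\}\s*$')
_IMPLY = re.compile(r'^\s*\{imply "([^"]+)" if (.+)\}\s*$')
_TRAIL = re.compile(r'\s*\{(include|exclude) if (.+)\}\s*$')
_INLINE = re.compile(r'\{if ([^:{}]+):([^|}]*)(?:\|([^}]*))?\}')

def evaluate(expr, features):
    """'and'/'or'/'not' over quoted feature names, evaluated without eval()."""
    src = re.sub(r'"([^"]+)"', lambda m: str(m.group(1) in features), expr)
    def walk(n):                       # accept boolean literals and operators only
        if isinstance(n, ast.Constant) and isinstance(n.value, bool):
            return n.value
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.Not):
            return not walk(n.operand)
        if isinstance(n, ast.BoolOp):
            return (all if isinstance(n.op, ast.And) else any)(map(walk, n.values))
        raise ValueError("unsupported token in expression: " + expr)
    return walk(ast.parse(src, mode="eval").body)

def render(template, features):
    """Return the file content produced from a template for the given features."""
    features = set(features)
    for m in filter(None, map(_IMPLY.match, template.splitlines())):
        if evaluate(m.group(2), features):      # imply is resolved first
            features.add(m.group(1))
    out = []
    for line in (ln for ln in template.splitlines() if not _IMPLY.match(ln)):
        m = _LINE_OP.match(line)
        if m:                                   # continue/stop: cut the file here
            if (m.group(1) == "continue") != evaluate(m.group(2), features):
                break
            continue
        m = _TRAIL.search(line)
        if m:                                   # include/exclude: keep or drop line
            if (m.group(1) == "include") != evaluate(m.group(2), features):
                continue
            line = line[:m.start()]
        out.append(_INLINE.sub(lambda i: i.group(2 if evaluate(i.group(1), features) else 3) or "", line))
    return "\n".join(out)

# Constructed template: a shortened form of the "imply" example above.
PAM_AUTH = """\
{imply "with-smartcard" if "with-smartcard-required"}
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
"""
```

       Calling render(PAM_AUTH, {"with-smartcard-required"}) keeps only the
       default=2 pam_localuser.so line and the pam_unix.so line with nullok,
       because the implied "with-smartcard" drops the "exclude if" line.
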
CREATING A NEW PROFILE
       To register a new profile within authselect, create a directory in one
       of the authselect profile locations with the files listed above. Not
       all of the files must be present; only README is mandatory. The other
       files can be created as needed.

       You may find the authselect create-profile command helpful when creating
       a new profile. See the authselect(8) manual page or authselect
       create-profile --help for more information.

SEE ALSO
       authselect(8), nsswitch.conf(5), PAM(8)

                                  2018-02-17           AUTHSELECT-PROFILES(5)