AUTHSELECT−PROFILES - Online Linux Manual PageSection : 5
Updated : 2018−02−17
Source :
Note :
NAMEauthselect-profiles − how to extend authselect profiles.
DESCRIPTIONThis manual page explains how are authselect profiles organized and how to create new profiles.
PROFILE DIRECTORIESProfiles can be found in one of three directories. /usr/share/authselect/default Read−only directory containing profiles shipped together with authselect. /usr/share/authselect/vendor Read−only directory for vendor−specific profiles that can override the ones in default directory. /etc/authselect/custom Place for administrator−defined profiles.
PROFILE FILESEach profile consists of one or more of these files which provide a mandatory profile description and describe the changes that are done to the system. README Description of the profile. The first line must be a name of the profile. system−auth PAM stack that is included from nearly all individual service configuration files. password−auth, smartcard−auth, fingerprint−auth These PAM stacks are for applications which handle authentication from different types of devices via simultaneously running individual conversations instead of one aggregate conversation. postlogin The purpose of this PAM stack is to provide a common place for all PAM modules which should be called after the stack configured in system−auth or the other common PAM configuration files. It is included from all individual service configuration files that provide login service with shell or file access. NOTE: the modules in the postlogin configuration file are executed regardless of the success or failure of the modules in the system−auth configuration file. nsswitch.conf Name Service Switch configuration file. dconf−db Changes to dconf database. The main uses case of this file is to set changes for gnome login screen in order to enable or disable smartcard and fingerprint authentication. dconf−locks This file define locks on values set in dconf database.
CONDITIONAL LINESEach of these files serves as a template. A template is a plain text file with optional usage of several operators that can be used to provide some optional profile features. {continue if "feature"} Immediately stop processing of the file unless "feature" is defined (the rest of the file content will be removed). If "feature" is defined, the whole line with this operator will be removed and the rest of the template will be processed. {stop if "feature"} Opposite of "continue if". Immediately stop processing of the file if "feature" is defined (the rest of the file content will be removed). If "feature" is not defined, the whole line with this operator will be removed and the rest of the template will be processed. {include if "feature"} Include the line where this operator is placed only if "feature" is defined. {exclude if "feature"} Opposite to "include−if". Include the line where this operator is placed only if "feature" is not defined. {imply "implied−feature" if "feature"} Enable feature "implied−feature" if feature "feature" is enabled. The whole line with this operator is removed, thus it is not possible to add anything else around this operator at the same line. {if "feature":true|false} If "feature" is defined, replace this operator with string "true", otherwise with string "false". {if "feature":true} If "feature" is defined, replace this operator with string "true", otherwise with an empty string. It is also possible to use logical expression in conditional line instead of specifying single feature name. In this case the expression will evaluate to true or false and the conditional operator will act upon the result. The expression syntax consists of feature names (e.g. "feature") which returns true if the feature is defined or false if it is not defined and from the following logical operators: and, or and not. The expression may also be enclosed in parentheses and contain multiple subexpressions. For example: {if "feature1" or "feature2":true} If "feature1" or "feature2" is defined, replace this operator with string "true", otherwise with an empty string. {if not "feature":true|false} If "feature" is not defined, replace this operator with string "true", otherwise with string "false". {if not "feature":true} If "feature" is not defined, replace this operator with string "true", otherwise with an empty string. {if "feature1" and ("feature2" or "feature3"):true} If "feature1" is defined, and one of "feature2" and "feature3" is defined replace this operator with string "true", otherwise with an empty string.
EXAMPLEHere is an example of using "if" operator. If "with−sudo" feature is enabled, it will add "sss" to sudoers line. passwd: sss files
group: sss files
netgroup: sss files
automount: sss files
services: sss files
sudoers: files {if "with−sudo":sss}Here is an example of "continue−if" and "include−if" operators. The resulting file will be empty unless "with−smartcard" feature is enabled. If it is enabled and also "with−faillock" feature is enabled, it will also enable support for pam_faillock. {continue if "with−smartcard"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with−faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with−faillock"}
auth required pam_deny.so
...Here is an example of "continue−if" using logical expression. The file will be empty unless "with−smartcard" or "with−smartcard−required" is set. This will simplify the call of authselect select command which does not have to include both features but only "with−smartcard−required" is necessary. {continue if "with−smartcard" or "with−smartcard−required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with−faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with−faillock"}
auth required pam_deny.so
...Here is an example of "imply−if" operator. Enabling feature "with−smartcard−required" will also enable "with−smartcard" to make sure that all relevant PAM modules are used. This will achieve the same behavior as the previous example. {imply "with−smartcard" if "with−smartcard−required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome−screensaver:kscreensaver quiet use_uid {include if "with−smartcard−required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with−smartcard−required"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with−smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with−smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with−smartcard"}
auth sufficient pam_unix.so {if not "without−nullok":nullok}
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
...
CREATING A NEW PROFILETo register a new profile within authselect, create a directory in one of the authselect profile locations with the files listed above. Not all of the files must be present, only README is mandatory. Other files can be created on per−need basis. You may find authselect create−profile command helpful when creating new profile. See authselect(8) manual page or authselect create−profile −−help for more information.
SEE ALSOauthselect(8), nsswitch.conf(5), PAM(8) 0
Johanes Gumabo
Data Size : 28,928 byte
man-authselect-profiles.5Build : 2024-12-05, 20:55 :
Visitor Screen : x
Visitor Counter ( page / site ) : 3 / 182,954
Visitor ID : :
Visitor IP : 3.149.249.84 :
Visitor Provider : AMAZON-02 :
Provider Position ( lat x lon ) : 39.962500 x -83.006100 : x
Provider Accuracy Radius ( km ) : 1000 :
Provider City : Columbus :
Provider Province : Ohio , : ,
Provider Country : United States :
Provider Continent : North America :
Visitor Recorder : Version :
Visitor Recorder : Library :
Online Linux Manual Page : Version : Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page : Library : lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page : Library : lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base : Version : Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base : Library : lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36
Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.