Guided Exercise: Managing User Authentication with Authselect

In this exercise, you will view and configure local user authentication settings using Authselect.

Outcomes

You should be able to configure identity and authorization parameters with Authselect, which replaces Authconfig.

  1. Explore the Authselect application.

    1. Log in to servera then become the root user.

      [student@workstation ~]$ ssh servera
      [student@servera ~]$ sudo -i
      [root@servera ~]# 
    2. Authselect is installed by default in RHEL 8. Review the available options on servera.

      [root@servera ~]# authselect --help
      Usage:
      authselect COMMAND COMMAND-ARGS
      
      Available commands:
      - select         	 Select profile
      - apply-changes  	 Regenerate configuration for currently selected command
      - list           	 List available profiles
      - show           	 Show profile information
      - requirements   	 Print profile requirements
      - current        	 Get identificator of currently selected profile
      - check          	 Check if the current configuration is valid
      - test           	 Print changes that would be otherwise written
      - enable-feature 	 Enable feature in currently selected profile
      - disable-feature	 Disable feature in currently selected profile
      - create-profile 	 Create new authselect profile
      
      Common options:
        --debug        	 Print error messages
        --trace        	 Print trace messages
        --warn         	 Print warning messages
      
      Help options:
        -?, --help     	 Show this for a command
        --usage        	 Show brief usage message for a command
    3. List the available Authselect profiles.

      [root@servera ~]# authselect list
      - nis    	 Enable NIS for system authentication
      - sssd   	 Enable SSSD for system authentication (also for local users only)
      - winbind	 Enable winbind for system authentication
    4. List the currently selected Authselect profile.

      [root@servera ~]# authselect current
      Profile ID: sssd
      Enabled features: None
    5. Determine if the current configuration is valid.

      [root@servera ~]# authselect check
      Current configuration is valid.
    6. Print the Authselect profile requirements.

      [root@servera ~]# authselect requirements sssd
      Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
    7. Show the Authselect profile details and optional features.

      [root@servera ~]# authselect show sssd
      ...output omitted...
      AVAILABLE OPTIONAL FEATURES
      ---------------------------
      
      with-faillock::
          Enable account locking in case of too many consecutive
          authentication failures.
      
      with-mkhomedir::
          Enable automatic creation of home directories for users on their
          first login.
      
      with-ecryptfs::
          Enable automatic per-user ecryptfs.
      
      with-smartcard::
          Enable authentication with smartcards through SSSD. Please note that
          smartcard support must be also explicitly enabled within
          SSSD's configuration.
      
      with-smartcard-lock-on-removal::
          Lock screen when a smartcard is removed.
          Note: "with-smartcard" must be set as well.
      
      with-smartcard-required::
          Smartcard authentication is required. No other means of authentication
          (including password) will be enabled.
          Note: "with-smartcard" must be set as well.
      
      with-fingerprint::
          Enable authentication with fingerprint reader through *pam_fprintd*.
      
      with-silent-lastlog::
          Do not produce pam_lastlog message during login.
      
      with-sudo::
          Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
      
      with-pamaccess::
          Check access.conf during account authorization.
      
      without-nullok::
          Do not add nullok parameter to pam_unix.
      ...output omitted...
  2. Select and review the Authselect profiles.

    1. Select an Authselect profile on servera.

      [root@servera ~]# authselect select sssd
      Profile "sssd" was selected.
      The following nsswitch maps are overwritten by the profile:
      - passwd
      - group
      - netgroup
      - automount
      - services
      
      Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
    2. Review the contents of /etc/nsswitch.conf on servera.

      [root@servera ~]# grep sss /etc/nsswitch.conf
      ...output omitted...
      passwd:     sss files systemd
      group:      sss files systemd
      netgroup:   sss files
      automount:  sss files
      services:   sss files
      ...output omitted...
      shadow:     files sss
    3. Select another Authselect profile on servera to compare.

      [root@servera ~]# authselect select nis
      Profile "nis" was selected.
      The following nsswitch maps are overwritten by the profile:
      - aliases
      - automount
      - ethers
      - group
      - hosts
      - initgroups
      - netgroup
      - networks
      - passwd
      - protocols
      - publickey
      - rpc
      - services
      - shadow
      
      Make sure that NIS service is configured and enabled. See NIS documentation for more information.
    4. Review the contents of /etc/nsswitch.conf on servera to compare both profiles.

      [root@servera ~]# grep nis /etc/nsswitch.conf
      ...output omitted...
      aliases:    files nis
      automount:  files nis
      ethers:     files nis
      group:      files nis systemd
      hosts:      files nis dns myhostname
      initgroups: files nis
      netgroup:   files nis
      networks:   files nis
      passwd:     files nis systemd
      protocols:  files nis
      publickey:  files nis
      rpc:        files nis
      services:   files nis
      shadow:     files nis
      ...output omitted...

      Notice the differences between both profiles in the /etc/nsswitch.conf configuration file.

  3. Create a custom Authselect profile.

    1. Create a custom Authselect profile based on the sssd profile on servera. Create symbolic links for meta files.

      [root@servera ~]# authselect create-profile my-custom-profile \
      > -b sssd --symlink-meta
      New profile was created at /etc/authselect/custom/my-custom-profile
    2. Review the contents of the custom Authselect profile in /etc/authselect/custom/my-custom-profile/.

      [root@servera ~]# cd /etc/authselect/custom/my-custom-profile/
      [root@servera my-custom-profile]# ls -lah
      total 32K
      drwxr-xr-x. 2 root root  199 Feb  5 18:15 .
      drwxr-xr-x. 3 root root   31 Feb  5 18:15 ..
      -rw-r--r--. 1 root root  425 Feb  5 18:15 dconf-db
      -rw-r--r--. 1 root root  224 Feb  5 18:15 dconf-locks
      -rw-r--r--. 1 root root 2.1K Feb  5 18:15 fingerprint-auth
      -rw-r--r--. 1 root root  393 Feb  5 18:15 nsswitch.conf
      -rw-r--r--. 1 root root 2.9K Feb  5 18:15 password-auth
      -rw-r--r--. 1 root root  588 Feb  5 18:15 postlogin
      lrwxrwxrwx. 1 root root   41 Feb  5 18:15 README -> /usr/share/authselect/default/sssd/README
      lrwxrwxrwx. 1 root root   47 Feb  5 18:15 REQUIREMENTS -> /usr/share/authselect/default/sssd/REQUIREMENTS
      -rw-r--r--. 1 root root 1.9K Feb  5 18:15 smartcard-auth
      -rw-r--r--. 1 root root 3.4K Feb  5 18:15 system-auth

      Notice the PAM, dconf, and nsswitch.conf templates, and the symbolic links for the README and REQUIREMENTS meta files.

    3. Review the contents of the nsswitch.conf template in the custom Authselect profile.

      [root@servera my-custom-profile]# cat nsswitch.conf
      passwd:     sss files systemd   {exclude if "with-custom-passwd"}
      group:      sss files systemd   {exclude if "with-custom-group"}
      netgroup:   sss files           {exclude if "with-custom-netgroup"}
      automount:  sss files           {exclude if "with-custom-automount"}
      services:   sss files           {exclude if "with-custom-services"}
      sudoers:    files sss           {include if "with-sudo"}
    4. Modify the services and sudoers parameters in the custom nsswitch.conf template, as shown below:

      [root@servera my-custom-profile]# vim nsswitch.conf
      ...output omitted...
      services:   files sss           {exclude if "with-custom-services"}
      sudoers:    sss files           {exclude if "with-custom-sudoers"}

      In this exercise, this modification has no other purpose than allowing you to review those changes in the resulting /etc/nsswitch.conf file in a later step.

    5. List the available Authselect profiles.

      [root@servera my-custom-profile]# authselect list
      - nis                     	 Enable NIS for system authentication
      - sssd                    	 Enable SSSD for system authentication (also for local users only)
      - winbind                 	 Enable winbind for system authentication
      - custom/my-custom-profile	 Enable SSSD for system authentication (also for local users only)
    6. Select the custom Authselect profile.

      [root@servera my-custom-profile]# authselect select custom/my-custom-profile
      Profile "custom/my-custom-profile" was selected.
      The following nsswitch maps are overwritten by the profile:
      - passwd
      - group
      - netgroup
      - automount
      - services
      - sudoers
      
      Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
    7. Review the modified options in the /etc/nsswitch.conf configuration file.

      [root@servera my-custom-profile]# grep sss /etc/nsswitch.conf
      ...output omitted...
      passwd:     sss files systemd
      group:      sss files systemd
      netgroup:   sss files
      automount:  sss files
      services:   files sss
      sudoers:    sss files
      ...output omitted...

      Notice the changes in the passwd, group, netgroup, automount and the custom parameters services and sudoers.

  4. Clean up the Authselect configuration.

    1. List the current Authselect profile on servera.

      [root@servera my-custom-profile]# authselect current
      Profile ID: custom/my-custom-profile
      Enabled features: None
    2. Select the default sssd Authselect profile on servera.

      [root@servera my-custom-profile]# authselect select sssd
      Profile "sssd" was selected.
      The following nsswitch maps are overwritten by the profile:
      - passwd
      - group
      - netgroup
      - automount
      - services
      
      Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
    3. Delete the custom Authselect profile folder in /etc/authselect/custom/.

      [root@servera my-custom-profile]# cd
      [root@servera ~]# rm -rf /etc/authselect/custom/my-custom-profile
    4. List the available Authselect profiles.

      [root@servera ~]# authselect list
      - nis                     	 Enable NIS for system authentication
      - sssd                    	 Enable SSSD for system authentication (also for local users only)
      - winbind                 	 Enable winbind for system authentication
    5. Log off from servera.

      [root@servera ~]# exit
      [student@servera ~]$ exit
      [student@workstation ~]$ 

This concludes the guided exercise.
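
How the `{include if "..."}` and `{exclude if "..."}` markers in the step 3 nsswitch.conf template decide which lines reach /etc/nsswitch.conf, as an added example that is not part of the original exercise and not authselect's own code. It is a simplified model covering only those two markers; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: a simplified model of authselect's per-line template markers.
# Only {include if "F"} and {exclude if "F"} are handled here.

# render_template [FEATURE...]: reads a template on stdin and prints the lines
# that survive for the given enabled features, with the marker stripped.
render_template() {
    awk -v enabled=" $* " '
    {
        keep = 1
        if (match($0, /[{](include|exclude) if "[^"]+"[}]/)) {
            cond = substr($0, RSTART, RLENGTH)
            feat = cond
            sub(/^[^"]*"/, "", feat)      # drop everything up to the opening quote
            sub(/".*$/, "", feat)         # drop the closing quote and brace
            on = (index(enabled, " " feat " ") > 0)
            keep = (cond ~ /^[{]include/) ? on : !on
            $0 = substr($0, 1, RSTART - 1)
        }
        sub(/[ \t]+$/, "")
        if (keep && length($0) > 0) print
    }'
}

# Template lines as shown by "cat nsswitch.conf" in step 3.3.
stock_template() {
    cat <<'EOF'
passwd:     sss files systemd   {exclude if "with-custom-passwd"}
group:      sss files systemd   {exclude if "with-custom-group"}
netgroup:   sss files           {exclude if "with-custom-netgroup"}
automount:  sss files           {exclude if "with-custom-automount"}
services:   sss files           {exclude if "with-custom-services"}
sudoers:    files sss           {include if "with-sudo"}
EOF
}

# The same template after the edit in step 3.4.
edited_template() {
    stock_template | sed \
        -e 's/^services:   sss files/services:   files sss/' \
        -e 's/^sudoers:.*/sudoers:    sss files           {exclude if "with-custom-sudoers"}/'
}

echo "== stock, no features ==";   stock_template  | render_template
echo "== edited, no features ==";  edited_template | render_template
echo "== stock, with-sudo ==";     stock_template  | render_template with-sudo
```

With no features enabled, the stock template emits no sudoers line, while the edited one does: switching the marker from `include if` to `exclude if` turns an opt-in map into one written by default, which is why sudoers appears in the overwritten maps when the custom profile is selected.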

Revision: rh354-8.0-0e36520