Configuring authselect sssd Centos/RHEL 8

Introduction

So, in previous RHEL releases, the authconfig command was used to control the authentication of user logins on local and remote systems. Authentication methods and various authentication configurations using each of this tool. The authconfig command became too complex as a central management tool and troubleshoot problems with authentication setup. Moreover, for authselect, sssd, steps are indicated below tutorial. Red hat documentation on this link. Configuring Openldap for sssd service.

So, The authselect utility consists of the components:

  • authselect command to manage system authentication. So, you need to be the root user to run this command.
  • Three ready-made profiles implement specific types of authentication. So, /usr/share/autoselect/is the default directory: for the profiles
    • sssd profile. This profile uses the sssd service to perform system authentication. This profile is automatically selected by default after an RHEL 8 installation.
    • winbind profile. This profile uses the winbind service to perform system authentication.
    • The nis profile is included in the directory to maintain compatibility with legacy configurations.

Profiles and Supported Features for authselect sssd

Feature NameDescription
with-faillockLock the account after too many authentication failures.
with-mkhomedirCreate home directory on user’s first log in.
with-ecryptfsThis, enable automatic per-user ecryptfs.
with-smartcardAuthenticate smart cards through SSSD.
with-smartcard-lock-on-removalLock the screen when the smart card is removed. Requires that with-smartcard is also enabled.
with-smartcard-requiredOnly smart card authentication is operative; others, including password, are disabled. Requires that with-smartcard is also enabled.
with-fingerprintAuthenticate through fingerprint reader.
with-silent-lastlogDisable generation of pam_lostlog messages during login
with-sudoEnable sudo to use SSSD for rules besides /etc/sudoers.
with-pamaccessRefer to /etc/access.conf for account authorization.
without-nullockDo not add the nullock parameter to pam_unix

As a default profile, authselect sssd features are automatically enabled.

# sudo authselect current

So, We haven’t setup a profile yet. The output should be “No existing configuration detected.

Creating authselect profile

The following example shows how you would add additional functionalities to the default sssd profile.

First, creating Custom Profiles:

So, If you do not want to use the ready-made profiles from RHEL 8 or vendor-provided profiles, you can create your own specific profile. Follow these steps:

# sudo authselect create-profile newprofile -b sssd \
--symlink-meta --symlink-pam

Then, select your custom profile.

# authselect select custom/hardened --force

Then, verify the configuration of the custom profile.

OptionsDescription
newprofileName of your custom profile.
templateBase to be used for the custom profile, which is either sssd or
winbind.
–symlink-metaCreates symbolic links to the meta files in the original directory of the
template profile you are using as base.
–symlink-pamCreates symbolic links to the PAM templates in the original directory
of the template profile you are using as base.

So, this command creates an /etc/authselect/custom/newprofile directory that contains the
symbolic links to the files in the base’s original directory.

So, Automatically lock an account after too many authentication failures (with-faillock):

# sudo authselect requirements sssd with-faillock

Then, Automatically create a user home directory at the user’s first time log in (with-mkhomedir).

# sudo authselect requirements sssd with-mkhomedir

After that, enable both profile features:

# sudo authselect enable-feature with-faillock
# sudo authselect enable-feature with-mkhomedir

Then, confirm that both profile features have been enabled:

After that, apply the changes.

# authselect apply-changes
Neil
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

You might also likeRELATED

1 DNS server container Podman dirty easy

Introduction Linux distributions. So, what is a DNS? A DNS server is a service that helps resolve a fully qualified domain name (FQDN) into an IP address...

1 Nagios xi server container Fast and Easy

Introduction Provides monitoring of all mission-critical infrastructure components, including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. In addition, hundreds of third-party...

Remote VS Code fast and dirty easy 100%

Introduction Visual Studio Code or VS Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows,...