This manual page explains how are authselect profiles organized and how to create new profiles.
Profiles can be found in one of three directories.
/usr/share/authselect/default
/usr/share/authselect/vendor
/etc/authselect/custom
Each profile consists of one or more of these files which provide a mandatory profile description and describe the changes that are done to the system.
README
system-auth
password-auth, smartcard-auth, fingerprint-auth
postlogin
nsswitch.conf
dconf-db
dconf-locks
Each of these files serves as a template. A template is a plain text file with optional usage of several operators that can be used to provide some optional profile features.
{continue if "feature"}
{stop if "feature"}
{include if "feature"}
{exclude if "feature"}
{imply "implied-feature" if "feature"}
{if "feature":true|false}
{if "feature":true}
It is also possible to use logical expression in conditional line instead of specifying single feature name. In this case the expression will evaluate to true or false and the conditional operator will act upon the result.
The expression syntax consists of feature names (e.g. "feature") which returns true if the feature is defined or false if it is not defined and from the following logical operators: and, or and not. The expression may also be enclosed in parentheses and contain multiple subexpressions.
For example:
{if "feature1" or "feature2":true}
{if not "feature":true|false}
{if not "feature":true}
{if "feature1" and ("feature2" or "feature3"):true}
Here is an example of using "if" operator. If "with-sudo" feature is enabled, it will add "sss" to sudoers line.
passwd: sss files group: sss files netgroup: sss files automount: sss files services: sss files sudoers: files {if "with-sudo":sss}
Here is an example of "continue-if" and "include-if" operators. The resulting file will be empty unless "with-smartcard" feature is enabled. If it is enabled and also "with-faillock" feature is enabled, it will also enable support for pam_faillock.
{continue if "with-smartcard"} auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} auth required pam_deny.so ...
Here is an example of "continue-if" using logical expression. The file will be empty unless "with-smartcard" or "with-smartcard-required" is set. This will simplify the call of authselect select command which does not have to include both features but only "with-smartcard-required" is necessary.
{continue if "with-smartcard" or "with-smartcard-required"} auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} auth required pam_deny.so ...
Here is an example of "imply-if" operator. Enabling feature "with-smartcard-required" will also enable "with-smartcard" to make sure that all relevant PAM modules are used. This will achieve the same behavior as the previous example.
{imply "with-smartcard" if "with-smartcard-required"} auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"} auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"} auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"} auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so ...
To register a new profile within authselect, create a directory in one of the authselect profile locations with the files listed above. Not all of the files must be present, only README is mandatory. Other files can be created on per-need basis.
You may find authselect create-profile command helpful when creating new profile. See authselect(8) manual page or authselect create-profile --help for more information.
authselect(8), nsswitch.conf(5), PAM(8)