Mastering Authselect on Fedora: Professional and Secure PAM Configuration Management

Fedora tutorial - IT technology blog

Quick Start: Configure Authselect in 2 Minutes

In a hurry and need to enable a standard authentication configuration right away? Fedora uses SSSD (System Security Services Daemon) by default to manage identities. Instead of fumbling around, use this command shortcut.

Check which profile the system is currently running:

authselect current

To switch to the sssd profile and automatically create Home directories when users log in (critical when joining a domain), run:

sudo authselect select sssd with-mkhomedir --force

Enable the oddjobd service immediately to activate the Home directory creation feature:

sudo systemctl enable --now oddjobd

With just a few commands, you’ve set up the system without touching messy PAM files.

Authselect: Why You Should Stop Manually Editing PAM Files

After using Fedora as my primary machine for two years, I noticed a classic mistake made by those moving from Ubuntu: the habit of directly editing files in /etc/pam.d/.

Since Fedora 28, authselect has officially replaced authconfig. If you manually edit files like system-auth, the system will ruthlessly overwrite them during updates or when running admin commands. Your efforts will be wasted.

Think of Authselect as a code generator. You select a template (profile) and features, and it automatically generates the most accurate configuration files.

The Core Structure of Authselect

  • Default Profiles: Located at /usr/share/authselect/default/. These are standard templates from the distribution.
  • Custom Profiles: Located at /etc/authselect/custom/. This is where you can be creative if the default templates aren’t enough.
  • Generated Files: The resulting configuration is written to /etc/pam.d/ and /etc/nsswitch.conf.

Authselect Commands to Master Your System

Mastering these three commands will make you more professional than just copy-pasting from Stack Overflow.

1. Discover Available Profiles

Start by seeing what tools you have at your disposal:

authselect list

Usually, you’ll see sssd, winbind (for joining a Windows Domain), or minimal.

2. Customize with Features

Profiles aren’t static; they allow you to enable or disable accompanying features. Let’s see what the sssd profile supports:

authselect list-features sssd

Three options you’ll use most often:

  • with-faillock: Automatically locks the account after 3 failed password attempts.
  • with-fingerprint: Enables the fingerprint sensor on laptops.
  • with-sudo: Delegates sudo rule management to SSSD.

3. Apply Real-world Configuration

Suppose you need a secure system: using SSSD, with account lockout and fingerprint scanning:

sudo authselect select sssd with-faillock with-fingerprint

Pro tip: Add the --force flag if the command errors out due to legacy configuration conflicts.

Advanced Techniques and Troubleshooting

Create a Unique Profile for Your Team

If you need to insert a specific PAM module for a project, don’t edit system files. Create a safe copy from the sssd profile:

sudo authselect create-profile dev-team-auth -b sssd --description "Custom configuration for the Dev team"

Edit the template files under /etc/authselect/custom/dev-team-auth/. Then apply the profile as usual:

sudo authselect select custom/dev-team-auth

Rescue from Account Lockout (pam_faillock)

Enabling with-faillock is a double-edged sword. Juniors often lock themselves out by mistyping passwords. To see who is on the “blacklist”:

sudo faillock --user <username>

To rescue them and reset the counter to zero:

sudo faillock --user <username> --reset
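To audit lockouts across accounts without resetting anyone, here is an added example script (not from the original post). It parses the per-user table that `faillock --user NAME` prints, counts the records still marked valid (V), and compares them with the `deny` value in /etc/security/faillock.conf, which is the file authselect's with-faillock uses; the sample output and the path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: tell whether a user is currently locked by pam_faillock.
set -eu

# Read `deny` from faillock.conf (with-faillock reads this file); fall back to
# pam_faillock's built-in default of 3 when the file is missing or has no value.
faillock_deny() {
    conf="${1:-/etc/security/faillock.conf}"
    n=""
    if [ -r "$conf" ]; then
        n="$(sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)"
    fi
    printf '%s\n' "${n:-3}"
}

# Count records whose last column is "V" (still counted against the user);
# the "user:" line and the column header carry no V/I marker, so they are skipped.
count_valid_failures() {
    awk '$NF == "V" { n++ } END { print n + 0 }'
}

# Print "locked" or "ok" for the faillock table given on stdin.
lock_state() {
    deny="$1"
    fails="$(count_valid_failures)"
    if [ "$fails" -ge "$deny" ]; then echo locked; else echo ok; fi
}

# Live use (run as root): check a real account, leaving its counter untouched.
check_user() {
    faillock --user "$1" | lock_state "$(faillock_deny)"
}

# Constructed sample of `faillock --user alice` output (not real system data):
# three valid failures and one invalidated record.
SAMPLE_ALICE='alice:
When                Type  Source                                           Valid
2024-05-01 10:02:11 RHOST 192.0.2.10                                            V
2024-05-01 10:02:15 RHOST 192.0.2.10                                            V
2024-05-01 10:02:19 RHOST 192.0.2.10                                            I
2024-05-01 10:03:02 RHOST 192.0.2.10                                            V'
```

Pipe the sample through `lock_state 3` to see `locked`; only `check_user` needs root and a real faillock database.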

Check Configuration Integrity

Suspect someone has been tinkering with PAM files? Ask authselect to check their integrity:

authselect check

If you get a “Validation failed” message, don’t panic. Simply run the select command again with the --force flag to get everything back on track.
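Putting the select, check and "keep a spare shell open" advice together, here is an added example script (not from the original post) that rebuilds the feature list from `authselect current --raw`, applies it with `--force`, runs `authselect check`, and restores the previous selection if validation fails. It assumes that `authselect current --raw` prints the profile followed by its features on one line, space-separated.

```shell
#!/bin/sh
# Added example: switch authselect features with rollback on a failed check.
set -eu

# Build the argument list for `authselect select`: keep the current profile and
# features, drop those listed in $3, add those listed in $2 (both space-separated).
build_select_args() {
    raw="$1"; add="${2:-}"; drop="${3:-}"
    profile="${raw%% *}"          # first word is the profile id, e.g. sssd
    features="${raw#"$profile"}"  # remainder is the feature list (may be empty)
    out="$profile"
    for f in $features $add; do
        case " $drop " in *" $f "*) continue ;; esac   # requested removal
        case " $out " in *" $f "*) continue ;; esac    # already present
        out="$out $f"
    done
    printf '%s\n' "$out"
}

# Apply the new selection, validate it, and restore the saved state on failure.
# Keep another root shell open before running this, as the post advises.
apply_with_rollback() {
    saved="$(authselect current --raw)"
    new="$(build_select_args "$saved" "${1:-}" "${2:-}")"
    # word splitting of $new and $saved is intended: they are argument lists
    if authselect select $new --force && authselect check; then
        printf 'applied: %s\n' "$new"
    else
        printf 'validation failed, restoring: %s\n' "$saved" >&2
        authselect select $saved --force
        return 1
    fi
}

# Usage (as root): ./authswitch.sh apply "with-faillock" "with-fingerprint"
if [ "${1:-}" = apply ]; then
    apply_with_rollback "${2:-}" "${3:-}"
fi
```

The second argument lists features to add and the third features to remove, so the usage line above adds lockout and drops the fingerprint module that the tips below describe as slowing sudo on older laptops.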

Field Experience and Tips

Here are some notes from my own system “tinkering”:

  1. Watch nsswitch.conf closely: The authselect command modifies this file as well. If your machine suddenly can’t find LDAP users or resolve local IPs, check here first.
  2. Fingerprint latency: On older ThinkPads, the fingerprint module can cause sudo to lag for 2-3 seconds. If this is annoying, disable with-fingerprint for instant speed.
  3. Always keep a “backdoor”: Before changing auth configurations, keep a root terminal or another SSH session open. If PAM fails, you’ll be locked out and forced to use Single User Mode to recover data.
  4. Combine with Cockpit: Fedora Server’s Cockpit web interface is great for user management, but it calls authselect under the hood. Understanding the CLI logic helps you solve complex cases that the web UI might not fully show.

System authentication is no longer a nightmare if you think in terms of Profiles and Features. Authselect makes everything more transparent and secure. Happy Fedora mastering!
