= System Wide Change: Make authselect default tool instead of authconfig =
https://fedoraproject.org/wiki/Changes/AuthselectAsDefault

Change owner(s):
* Pavel Březina <pbrezina AT redhat DOT com>

Replace authconfig with authselect and make authselect the default tool to configure PAM and nsswitch.conf. A compatibility tool will help with the transition period from authconfig to authselect.

Authselect is a tool to select system authentication and identity sources from a list of supported profiles, and it has been available to users since Fedora 27.

Authselect is designed to be a replacement for authconfig, but it takes a different approach to configuring the system. Instead of letting the administrator build the PAM stack with a tool (which may potentially end up with a broken configuration), it ships several tested stacks (profiles) that solve primary supported use cases and are well tested and supported. At the same time, some obsolete features of authconfig are not supported by authselect. Additionally, authselect is written in C and has a small footprint, which allows it to also be part of minimal installations.

== Detailed Description ==
Authselect allows the administrator to choose one of the supported profiles. A profile describes what the resulting PAM and nsswitch configuration looks like. The tool is packaged with a default profile set that is fully supported. If an administrator has different needs, they can create a custom profile and make it accessible in authselect by dropping it in the tool-specific directory.

The authentication and identity configuration is hardcoded within the profile. However, each profile is also allowed to contain some conditional modules that can be either enabled or disabled to allow the administrator to enable some optional behaviour such as account locking or ecryptfs support.

Authselect does not configure daemons that provide the selected identity and authentication services, such as SSSD or winbind; it only configures PAM and nsswitch. Daemons must be configured manually or through other system tools like realmd or ipa-client-install that are better suited for this task.

The default profile set contains the following profiles:
* Local users + SSSD -- local users and remote users are handled by sssd
  * With optional smartcard or fingerprint authentication
* Local users + winbind -- local users are handled by files and remote users by winbind
  * With optional fingerprint authentication

There is no need for a separate local users profile without SSSD because the SSSD module is not called for local users and it also gracefully detects when the daemon is not running.

Since authselect is very different from authconfig, we will provide a compatibility tool that will mimic most but not all options of authconfig and translate those operations into an authselect call and configuration changes so we do not break users' scripts.

== Scope ==
* Proposal owners: Authselect is already ready and shipped with Fedora. Owners will provide a compatibility tool to help with the transition.
* Other developers: anaconda-core, fprintd-pam, freeipa-client and realmd are packages that depend on authconfig. We will coordinate efforts to either switch those packages to authselect or make sure that the compatibility tool is sufficient to cover their needs.
* Release engineering: #7241: https://pagure.io/releng/issue/7241
* List of deliverables: all
* Policies and guidelines: The policies and guidelines do not need to be updated.
* Trademark approval: N/A (not needed for this Change)

-- 
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic