Configure system authentication with the authselect utility

The authselect utility can be used to configure system authentication on a Red Hat Enterprise Linux (RHEL) host. If you installed SCE on a RHEL 8 operating system, authselect options are available, but should be avoided in almost all cases. The authselect utility is disabled by default because enablement of authselect can break authentication methods, and use of the utility requires extensive configuration.

Guidelines and restrictions

If authselect is used by your system to configure authentication, and you instead want SCE to fully manage authentication, SCE must be configured to manage authentication by using pluggable authentication modules (PAM) directly. For instructions, see Configure authentication rules with PAM.

When using SCE with authselect to configure system authentication, you must set the use_authselect option to true. Failure to do so will cause SCE to attempt to manage system authentication by using PAM instead of authselect and can compromise the security of your system’s authentication configuration.

Before you configure system authentication with authselect, review the following restrictions:

  • If a node is joined to an Active Directory domain or to Red Hat Identity Management (IdM), do not enable the authselect utility. Enabling the authselect utility on these nodes will break your authentication configurations.
  • To fully configure system authentication with SCE, you must use PAM instead of authselect.

Authselect options

The following authselect options are available for RHEL 8:

  • use_authselect - Optional[Boolean] - Whether to use authselect to manage most authentication options. Defaults to false.
  • authselect_profile - Optional[String] - Profile for authselect configuration options. If using the authselect utility, you must specify an authselect profile. Defaults to undef.

Enabling the authselect utility

Both of the authselect options must be set directly in the sce_linux::config hash for the authselect utility to work properly. All authselect configurations are managed via the ensure_custom_authselect_profile_is_used control, regardless of whether you use a custom profile.

To enable the authselect utility:

  1. Set the config option use_authselect to true.
  2. Specify an authselect profile with the config option authselect_profile.

By default, sce_linux uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on RHEL 8, CIS guidelines call for the authselect utility to be used. The following configuration example shows how to enable the authselect utility on a node by using the minimal system default profile:

# control-repo/data/nodes/<node name>.yaml
---
sce_linux::config:
  use_authselect: true
  authselect_profile: 'minimal'

Custom authselect profiles

If you are enforcing CIS compliance on a RHEL 8 system and you want to enable additional features for your authselect profile, you can create a custom profile.

To create a custom authselect profile in sce_linux, prefix the profile name in authselect_profile with custom/. If the custom profile does not exist on the node, the profile will be created automatically. The following example shows how to create and use a custom profile, my_custom_profile, which is based on the minimal system profile with additional features enabled:

# control-repo/data/nodes/<node name>.yaml
---
sce_linux::config:
  use_authselect: true
  authselect_profile: 'custom/my_custom_profile'
  control_configs:
    ensure_custom_authselect_profile_is_used:
      custom_profile_base: 'minimal'
      profile_features:
        - with-faillock
        - with-mkhomedir
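The two rules this page states for the sce_linux::config hash (use_authselect must be true for authselect to be used at all, and a profile, or for custom/ profiles a custom_profile_base, must then be given) are easy to get half-right in Hiera, and a node that drifts away from the enforced profile is worth catching before the next Puppet run. The following Python is an added example, not code from the sce_linux module or the Puppet documentation: it validates the two configuration hashes shown above (written here as Python dicts) and compares a configuration against the text printed by `authselect current`. The sample `authselect current` output is constructed, the assumed shape of that output ("Profile ID:" followed by an "Enabled features:" list) is this example's own assumption, and the function names (validate_config, parse_authselect_current, check_drift) are not part of sce_linux.

```python
"""Pre-flight and drift checks for an sce_linux authselect configuration.

Added example; not part of the sce_linux module.  The config dicts are the
Python form of the YAML shown on this page; the `authselect current` text is
a constructed sample, and its assumed format is this example's assumption.
"""

# Python form of the two sce_linux::config hashes shown on the page.
MINIMAL_CONFIG = {
    "use_authselect": True,
    "authselect_profile": "minimal",
}

CUSTOM_CONFIG = {
    "use_authselect": True,
    "authselect_profile": "custom/my_custom_profile",
    "control_configs": {
        "ensure_custom_authselect_profile_is_used": {
            "custom_profile_base": "minimal",
            "profile_features": ["with-faillock", "with-mkhomedir"],
        }
    },
}

CONTROL = "ensure_custom_authselect_profile_is_used"


def validate_config(config):
    """Return a list of problems with an sce_linux::config hash.

    Encodes the page's rules: authselect is off unless use_authselect is
    true; when it is on, authselect_profile is mandatory; a custom/ profile
    needs a custom_profile_base.  An empty list means the hash is consistent.
    """
    problems = []
    use_authselect = config.get("use_authselect", False)
    profile = config.get("authselect_profile")

    if not isinstance(use_authselect, bool):
        problems.append("use_authselect must be a Boolean")
        return problems

    if not use_authselect:
        # PAM is managed directly; a stray profile suggests a half-done change.
        if profile is not None:
            problems.append("authselect_profile is set but use_authselect is false (PAM will be used)")
        return problems

    if not profile:
        problems.append("use_authselect is true but authselect_profile is undef")
        return problems

    if profile.startswith("custom/"):
        control = config.get("control_configs", {}).get(CONTROL, {})
        if not control.get("custom_profile_base"):
            problems.append(f"{profile}: custom profile needs {CONTROL}.custom_profile_base")
    return problems


def parse_authselect_current(output):
    """Parse `authselect current` text into (profile, features).

    Assumed shape: a 'Profile ID: <name>' line, then 'Enabled features:'
    followed by '- <feature>' lines ('Enabled features: None' when empty).
    """
    profile = None
    features = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Profile ID:"):
            profile = line.split(":", 1)[1].strip()
        elif line.startswith("- "):
            features.append(line[2:].strip())
    return profile, features


def check_drift(config, current_output):
    """Compare the configured profile and features against a host's live state."""
    findings = []
    profile, features = parse_authselect_current(current_output)
    wanted_profile = config.get("authselect_profile")
    if profile != wanted_profile:
        findings.append(f"profile drift: host has {profile!r}, config wants {wanted_profile!r}")
    wanted = set(config.get("control_configs", {}).get(CONTROL, {}).get("profile_features", []))
    missing = sorted(wanted - set(features))
    extra = sorted(set(features) - wanted)
    if missing:
        findings.append("features missing on host: " + ", ".join(missing))
    if extra:
        findings.append("features enabled on host but not in config: " + ", ".join(extra))
    return findings


# Constructed sample: a host that applied the custom profile but has since
# lost with-mkhomedir (for example through a manual `authselect select`).
SAMPLE_CURRENT = """Profile ID: custom/my_custom_profile
Enabled features:
- with-faillock
"""

if __name__ == "__main__":
    for name, cfg in (("minimal", MINIMAL_CONFIG), ("custom", CUSTOM_CONFIG)):
        print(name, "config:", validate_config(cfg) or "ok")
    for finding in check_drift(CUSTOM_CONFIG, SAMPLE_CURRENT):
        print("drift:", finding)
```

On a real node you would feed check_drift the captured output of `authselect current` rather than the constructed sample; a non-empty result means the host no longer matches what sce_linux is configured to enforce, which is exactly the state the ensure_custom_authselect_profile_is_used control is meant to correct on the next run.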

For more information about authselect features, see the authselect documentation in the Red Hat Customer Portal.