Configure system authentication with the authselect utility
The authselect utility can be used to configure system authentication on a Red Hat Enterprise Linux (RHEL) host. If you installed SCE on a RHEL 8 operating system, authselect options are available, but they should be avoided in almost all cases. The authselect utility is disabled by default because enabling authselect can break existing authentication methods, and using the utility requires extensive configuration.
Guidelines and restrictions
If authselect is used by your system to configure authentication, and you instead want SCE to fully manage authentication, SCE must be configured to manage authentication by using pluggable authentication modules (PAM) directly. For instructions, see Configure authentication rules with PAM.

If you want to use authselect to configure system authentication, you must set the use_authselect option to true. Failure to do so causes SCE to attempt to manage system authentication through PAM rules while authselect is also managing the same PAM files, which can compromise the security of your system's authentication configuration.

Before you configure system authentication with authselect, review the following restrictions:
- If a node is joined to an Active Directory domain or to Red Hat Identity Management (IdM), do not enable the authselect utility. Enabling the authselect utility on these nodes will break your authentication configurations.
- To fully configure system authentication with SCE, you must use PAM instead of authselect.
Authselect options
The following authselect options are available for RHEL 8:
- use_authselect - Optional[Boolean] - Whether to use authselect to manage most authentication options. Defaults to false.
- authselect_profile - Optional[String] - Profile for authselect configuration options. If using the authselect utility, you must specify an authselect profile. Defaults to undef.
Enabling the authselect utility
Both of the authselect options must be set directly in the sce_linux::config hash for the authselect utility to work properly. All authselect configurations are managed via the ensure_custom_authselect_profile_is_used control, regardless of whether you use a custom profile.

To enable the authselect utility:
- Set the config option use_authselect to true.
- Specify an authselect profile with the config option authselect_profile.

By default, sce_linux uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on RHEL 8, CIS guidelines call for the authselect utility to be used. The following configuration example shows how to enable the authselect utility on a node by using the minimal system default profile:

# control-repo/data/nodes/<node name>.yaml
---
sce_linux::config:
  use_authselect: true
  authselect_profile: 'minimal'
Custom authselect profiles
If you are enforcing CIS compliance on a RHEL 8 system and you want to enable additional features for your authselect profile, you can create a custom profile.

To create a custom authselect profile in sce_linux, prefix the profile name in authselect_profile with custom/. If the custom profile does not exist on the node, the profile will be created automatically. The following example shows how to create and use a custom profile, my_custom_profile, which is based on the minimal system profile with additional features enabled:

# control-repo/data/nodes/<node name>.yaml
---
sce_linux::config:
  use_authselect: true
  authselect_profile: 'custom/my_custom_profile'
  control_configs:
    ensure_custom_authselect_profile_is_used:
      custom_profile_base: 'minimal'
      profile_features:
        - with-faillock
        - with-mkhomedir
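The following script is a post-apply check for the two procedures above (enabling authselect with the minimal profile, and selecting a custom profile with the with-faillock and with-mkhomedir features) and for the AD/IdM restriction in the guidelines. It is an added example and is not part of sce_linux or of the authselect project. It assumes that authselect current prints a "Profile ID:" line followed by one "- <feature>" line per enabled feature, and it infers AD/IdM membership from an id_provider = ad or id_provider = ipa entry in /etc/sssd/sssd.conf; the expected profile and feature names are hard-coded to match the custom profile example above, and the sample authselect output embedded in the script is constructed so that the parsing can be exercised on a host without authselect.

```shell
#!/bin/sh
# Added example, not part of the sce_linux module or the authselect project.
# Verifies that a node's live authselect state matches the profile and
# features declared in Hiera, and refuses to proceed on an AD/IdM-joined node.
#
# Assumptions (not stated on the page): `authselect current` prints
# "Profile ID: <profile>", then "Enabled features:" and one "- <feature>" line
# per feature; AD/IdM membership is inferred from an sssd.conf domain whose
# id_provider is "ad" or "ipa". Expected values mirror the custom profile
# Hiera example.

EXPECTED_PROFILE="custom/my_custom_profile"
EXPECTED_FEATURES="with-faillock with-mkhomedir"

# Constructed sample of `authselect current` output, used when the script
# runs on a host without authselect (for example a workstation).
SAMPLE_CURRENT='Profile ID: custom/my_custom_profile
Enabled features:
- with-faillock
- with-mkhomedir'

# Print the profile ID from `authselect current` output read on stdin.
current_profile() {
    sed -n 's/^Profile ID:[[:space:]]*//p'
}

# Print the enabled features, space-separated, from output read on stdin.
current_features() {
    sed -n 's/^-[[:space:]]*//p' | tr '\n' ' ' | sed 's/[[:space:]]*$//'
}

# features_match "<enabled list>" feature...  ->  0 if every feature is enabled.
features_match() {
    fm_list=" $1 "
    shift
    for fm_want in "$@"; do
        case "$fm_list" in
            *" $fm_want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# domain_joined [sssd.conf]  ->  0 if an ad/ipa id_provider is configured.
# Per the restrictions above, authselect must not be enabled on such nodes.
domain_joined() {
    dj_conf="${1:-/etc/sssd/sssd.conf}"
    [ -r "$dj_conf" ] || return 1
    grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*(ad|ipa)[[:space:]]*$' "$dj_conf"
}

# check_state "<authselect current output>"  ->  0 if the profile and the
# features match the Hiera expectations, 1 otherwise (details on stderr).
check_state() {
    cs_out="$1"
    cs_profile=$(printf '%s\n' "$cs_out" | current_profile)
    cs_enabled=$(printf '%s\n' "$cs_out" | current_features)
    cs_status=0
    if [ "$cs_profile" != "$EXPECTED_PROFILE" ]; then
        echo "profile mismatch: want $EXPECTED_PROFILE, have ${cs_profile:-<none>}" >&2
        cs_status=1
    fi
    # shellcheck disable=SC2086  # word splitting of EXPECTED_FEATURES is intended
    if ! features_match "$cs_enabled" $EXPECTED_FEATURES; then
        echo "feature mismatch: want [$EXPECTED_FEATURES], have [$cs_enabled]" >&2
        cs_status=1
    fi
    return $cs_status
}

main() {
    if domain_joined; then
        echo "node is joined to AD/IdM: authselect must stay disabled here" >&2
        return 1
    fi
    if command -v authselect >/dev/null 2>&1; then
        # `authselect check` fails when the generated PAM/nsswitch files were
        # edited outside authselect, i.e. the live config no longer
        # corresponds to the selected profile.
        authselect check >/dev/null || echo "warning: authselect check failed" >&2
        m_out=$(authselect current) || m_out=""
    else
        m_out="$SAMPLE_CURRENT"
        echo "authselect not installed; using constructed sample output" >&2
    fi
    check_state "$m_out"
}

main "$@"
```

Run it on the node after a Puppet run; a non-zero exit means the live authselect state does not match what the Hiera data declares, or that the node is domain-joined and should not have authselect enabled at all. Change EXPECTED_PROFILE and EXPECTED_FEATURES to match each node's sce_linux::config.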
For more information about authselect features, see the authselect documentation in the Red Hat Customer Portal.