Enabling Profile Features

Use the authselect utility to enable features in the active profile.

Specifying the features that are enabled for a profile affects how the system handles authentication. You enable profile features by either:

  • Specifying extra features to enable in the active profile.

  • Replacing enabled features in the active profile. This method is discussed in Selecting a Profile.

The following steps show how to enable extra features in the active profile.

  1. Enabling extra features works only on the active profile. You can't enable features in unselected profiles. Identify the active profile using the following command:

    authselect current
  2. Identify any requirements that the feature needs to work using the following command syntax:

    sudo authselect requirements profile feature
  3. Satisfy any feature requirements that are listed in the output of the last command before proceeding.

  4. Enable the feature:

    sudo authselect enable-feature feature

    Note:

    You can only enable features one at a time.

Example 2-1 Enable account locking and home directories

The following example shows how you can enable extra features in the sssd profile to use account locking and automatically create users' home directories.

  1. Check the requirements for the with-faillock feature.

    The with-faillock feature automatically locks an account after too many authentication failures. Run the following command to list the feature's requirements:

    authselect requirements sssd with-faillock

    Example output:

    Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
  2. Check the requirements for the with-mkhomedir feature.

    The with-mkhomedir feature automatically creates the user's home directory when they first sign in. Run the following command to list the feature's requirements:

    authselect requirements sssd with-mkhomedir

    Example output:

    - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
      is present and oddjobd service is enabled
      - systemctl enable oddjobd.service
      - systemctl start oddjobd.service
  3. Satisfy the requirements of both features you want to enable.

  4. Enable both profile features:

    sudo authselect enable-feature with-faillock
    sudo authselect enable-feature with-mkhomedir
  5. Confirm that both profile features have been enabled in the active profile:

    authselect current
    Profile ID: sssd
    Enabled features:
    - with-fingerprint
    - with-silent-lastlog
    - with-faillock
    - with-mkhomedir
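
The confirmation step in Example 2-1 can be scripted as a baseline check, so that a missing feature such as with-faillock is noticed on every host. The following script is an added example, not part of the original documentation: the function names and the sample output strings are constructed for illustration, and it only reads authselect current output without changing the profile.

```shell
#!/bin/sh
# Added example: audit `authselect current` output against required features.

# Constructed samples: the sssd profile before and after Example 2-1.
SAMPLE_BEFORE='Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog'
SAMPLE_AFTER="$SAMPLE_BEFORE
- with-faillock
- with-mkhomedir"

# profile_id OUTPUT: print the active profile ID.
profile_id() {
    printf '%s\n' "$1" | sed -n 's/^Profile ID:[[:space:]]*//p'
}

# enabled_features OUTPUT: print the enabled features, one per line.
enabled_features() {
    printf '%s\n' "$1" | awk '
        /^Enabled features:/ { in_list = 1; next }
        in_list && NF == 2 && $1 == "-" { print $2 }'
}

# missing_features OUTPUT FEATURE...: print each required feature that is not
# enabled. grep -Fx matches whole lines, so "with-fail" != "with-faillock".
missing_features() (
    enabled=$(enabled_features "$1")
    shift
    for feature in "$@"; do
        printf '%s\n' "$enabled" | grep -Fxq -- "$feature" ||
            printf '%s\n' "$feature"
    done
)

# audit_profile OUTPUT FEATURE...: report gaps; return 1 if any are missing.
audit_profile() (
    missing=$(missing_features "$@")
    [ -z "$missing" ] && return 0
    profile=$(profile_id "$1")
    for feature in $missing; do
        echo "MISSING $feature; next: authselect requirements $profile $feature"
    done
    return 1
)
```

On a live host, pass "$(authselect current)" as the first argument in place of the sample strings, followed by the features the baseline requires.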

Example 2-2 Enable the PAM access feature

The following example shows how you can direct the system to check /etc/security/access.conf to authenticate and authorize users by enabling the with-pamaccess feature in the local profile.

  1. Check the requirements for the with-pamaccess feature:

    authselect requirements local with-pamaccess
    No requirements are specified.
  2. Enable the PAM access profile feature:

    sudo authselect enable-feature with-pamaccess
  3. Confirm that the PAM access profile feature has been enabled in the active profile:

    authselect current
    Profile ID: local
    Enabled features:
    - with-fingerprint
    - with-pamaccess