1 About System Authentication

Authentication is a way of implementing system security by verifying the identity of an entity, such as a user, to a system. A user logs in by providing a username and a password, and the OS authenticates the user's identity by comparing this information to data stored on the system. If the login credentials match and the user account is active, the user is authenticated and can successfully access the system.

Authentication in Oracle Linux

In Oracle Linux, authentication is profile-based. Each profile has predefined features that use different mechanisms to authenticate system access.

The following profiles are available:

  • sssd profile: Uses the sssd service to perform system authentication.

  • winbind profile: Uses the winbind service to perform system authentication.

  • minimal profile: Uses system files to perform system authentication for local users.

After an Oracle Linux installation, the sssd profile is selected by default to manage authentication on the system. This profile covers most authentication cases including PAM authentication, Kerberos, and so on.

System authentication isn't restricted to the profiles shipped with Oracle Linux. If preferred, you can also use profiles supplied by vendors, or create customized profiles to enforce authentication that complies with organizational requirements.

As an added flexibility, you can also reconfigure profiles by revising their active features. For example, you can set the profile to use various backend directory services such as LDAP, FreeIPA, and Active Directory. You can also use SSSD with a directory service to centralize and simplify user and group management in an environment with many users and systems that have different access requirements.

Profiles and Supported Features

Each profile has associated features you can enable to make the profile's service perform a particular method of authentication, such as smart card authentication, fingerprint authentication, Kerberos, and so on. After you select a profile and enable the preferred features, authselect automatically reads the appropriate configuration files of those features to run the relevant authentication processes. Every user who logs in to the host is authenticated based on that configured profile.

The following tables show the profiles and their corresponding supported features:

Table 1-1 Features Supported by sssd Profile

Feature Name                    Description
with-faillock                   Lock the account after too many authentication failures.
with-mkhomedir                  Create the home directory on the user's first login.
with-ecryptfs                   Enable automatic per-user ecryptfs.
with-smartcard                  Authenticate smart cards through SSSD.
with-smartcard-lock-on-removal  Lock the screen when the smart card is removed. Requires that with-smartcard is also enabled.
with-smartcard-required         Only smart card authentication is operative; others, including password, are disabled. Requires that with-smartcard is also enabled.
with-fingerprint                Authenticate through a fingerprint reader.
with-silent-lastlog             Disable generation of pam_lastlog messages during login.
with-sudo                       Enable sudo to use SSSD for rules besides /etc/sudoers.
with-pamaccess                  Refer to /etc/access.conf for account authorization.
without-nullok                  Do not add the nullok parameter to pam_unix.

Table 1-2 Features Supported by winbind Profile

Feature Name                    Description
with-faillock                   Lock the account after too many authentication failures.
with-mkhomedir                  Create the home directory on the user's first login.
with-ecryptfs                   Enable automatic per-user ecryptfs.
with-fingerprint                Authenticate through a fingerprint reader.
with-krb5                       Use Kerberos authentication.
with-silent-lastlog             Disable generation of pam_lastlog messages during login.
with-pamaccess                  Refer to /etc/access.conf for account authorization.
without-nullok                  Do not add the nullok parameter to pam_unix.

For details about each profile, refer to the profile's corresponding /usr/share/authselect/default/profile/README file. See also the authselect-profiles(5) manual page.

About the authselect Utility

The authselect utility is the Oracle Linux tool for configuring authentication on the system. The tool manages system authentication profiles and is automatically included in any Oracle Linux 8 installation.

The authselect utility consists of the following components:

  • authselect command to manage system authentication. Only users with the appropriate administrator privileges can run this command.

  • Profiles that apply specific authentication mechanisms. These profiles can be those supplied by Oracle, provided by vendors, or created by an organization.

To keep the different types of profiles apart, authselect stores each type in its own directory:

  • /usr/share/authselect/default contains the default profiles supplied with Oracle Linux.

  • /usr/share/authselect/vendor contains the profiles that are provided by vendors. These profiles can override those that are in the default directory.

  • /etc/authselect/custom contains any profiles you create for the specific environment.

Important:

The authselect utility applies the specifications in the selected profile. However, authselect doesn't change the configuration files of the service on which the profile is based. If, for example, you use the sssd profile, you must configure SSSD yourself for the service to function properly. Consult the appropriate documentation to configure the profile's service. You must also ensure that the service is started and enabled.
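The following script is an added example, not code from the Oracle documentation or the authselect project. It checks a requested profile and feature list against Table 1-1 and Table 1-2 (including the rule that the smart-card lock and required features need with-smartcard), then selects the profile and enables its backing service, which, as the note above says, authselect does not do for you. It assumes authselect(8) and systemctl are present on the host and covers only the sssd and winbind profiles, because those are the two profiles with a feature table on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): check a profile/feature request against
# Table 1-1 and 1-2, then select it and enable the backing service, which
# authselect does not do. Assumes authselect(8) and systemctl on the host.
SSSD_FEATURES="with-faillock with-mkhomedir with-ecryptfs with-smartcard \
with-smartcard-lock-on-removal with-smartcard-required with-fingerprint \
with-silent-lastlog with-sudo with-pamaccess without-nullok"
WINBIND_FEATURES="with-faillock with-mkhomedir with-ecryptfs with-fingerprint \
with-krb5 with-silent-lastlog with-pamaccess without-nullok"

# has_word LIST WORD: succeed when WORD is one of the space-separated items in LIST.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# validate_request PROFILE FEATURE...: succeed only when PROFILE is sssd or winbind
# (the two profiles with a feature table above), every FEATURE is in that table,
# and with-smartcard-lock-on-removal / with-smartcard-required come with with-smartcard.
validate_request() {
    profile=$1; shift
    case $profile in
        sssd)    supported=$SSSD_FEATURES ;;
        winbind) supported=$WINBIND_FEATURES ;;
        *)       echo "no feature table for profile: $profile" >&2; return 1 ;;
    esac
    for f in "$@"; do
        has_word "$supported" "$f" || { echo "$profile: unsupported feature $f" >&2; return 1; }
        case $f in
            with-smartcard-lock-on-removal|with-smartcard-required)
                has_word "$*" with-smartcard || { echo "$f requires with-smartcard" >&2; return 1; } ;;
        esac
    done
    return 0
}

# apply_request PROFILE FEATURE...: validate, select the profile (--force replaces
# a previous selection), enable the profile's service, and show the result.
apply_request() {
    validate_request "$@" || return 1
    authselect select "$@" --force || return 1
    case $1 in
        sssd)    systemctl enable --now sssd ;;
        winbind) systemctl enable --now winbind ;;
    esac
    authselect current
}
```

Run it as root with, for example, `apply_request sssd with-faillock with-mkhomedir`; a request that fails validation is reported on stderr and never reaches authselect.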

For more details about the utility, see the authselect(8) manual page.