LinuxCommandLibrary

authconfig

Configure system authentication settings

TLDR

Display the current configuration (or dry run)

$ authconfig --test

Configure the server to use a different password hashing algorithm

$ authconfig --update --passalgo=[algorithm]

Enable LDAP authentication
$ authconfig --update --enableldapauth

Disable LDAP authentication
$ authconfig --update --disableldapauth

Enable Network Information Service (NIS)
$ authconfig --update --enablenis

Enable Kerberos
$ authconfig --update --enablekrb5

Enable Winbind (Active Directory) authentication
$ authconfig --update --enablewinbindauth

Enable local authorization
$ authconfig --update --enablelocauthorize

SYNOPSIS

authconfig [options]

PARAMETERS

--updateall
    Applies all specified changes and updates the system configuration.

--enableldap
    Enables LDAP for user information and authentication.

--disableldap
    Disables LDAP configuration.

--ldapserver=server
    Specifies the LDAP server(s) to use.

--ldapbasedn=DN
    Specifies the LDAP base DN for user and group lookups.

--enableldapauth
    Enables authentication against an LDAP server.

--disableldapauth
    Disables LDAP authentication.

--enableldaptls
    Enables TLS/SSL encryption for LDAP communication.

--enablekrb5
    Enables Kerberos 5 for user authentication.

--disablekrb5
    Disables Kerberos 5 configuration.

--krb5realm=realm
    Specifies the Kerberos 5 realm.

--krb5kdc=KDC
    Specifies the Kerberos 5 Key Distribution Center(s).

--krb5adminserver=server
    Specifies the Kerberos 5 administration server.

--enablemd5
    Enables MD5 hashing for local user passwords (older standard).

--disablemd5
    Disables MD5 hashing for local passwords.

--enableshadow
    Enables shadow passwords for local users.

--disableshadow
    Disables shadow passwords (not recommended).

--enablesssd
    Enables SSSD (System Security Services Daemon) for user and group information.

--disablesssd
    Disables SSSD configuration.

--enablesssdauth
    Enables SSSD for authentication.

--disablesssdauth
    Disables SSSD authentication.

--enablefingerprint
    Enables support for fingerprint readers.

--disablefingerprint
    Disables fingerprint reader support.

--enablewinbind
    Enables Winbind for Active Directory/Samba authentication.

--disablewinbind
    Disables Winbind configuration.

--winbindtemplatehomedir=path
    Sets the template home directory for Winbind users.

--winbindtemplateshell=shell
    Sets the template shell for Winbind users.

--passalgo=algorithm
    Sets the password hashing algorithm (e.g., 'sha512', 'sha256', 'md5').

--passminlen=length
    Sets the minimum password length for local users.

--passmaxlen=length
    Sets the maximum password length for local users.

--nostart
    Prevents services from being started or restarted after configuration changes.

--test
    Displays the changes that would be made without actually applying them.

--restorebackup
    Restores the previous configuration from backup files.

--savebackup
    Saves the current configuration as backup files.

--force
    Forces changes even if potential issues are detected.

--text
    Runs the utility in an interactive curses-based text mode.

--probe
    Probes for available authentication methods and displays them.

--enablemkhomedir
    Enables automatic creation of home directories for new users.

--disablemkhomedir
    Disables automatic creation of home directories.

--enablenis
    Enables NIS (Network Information Service) support.

--nisdomain=domain
    Specifies the NIS domain.

--nisserver=server
    Specifies the NIS server(s).

--disablenis
    Disables NIS support.

--enablehesiod
    Enables Hesiod support.

--hesiodlhs=LHS
    Specifies the Hesiod LHS (Left Hand Side) component.

--hesiodrhs=RHS
    Specifies the Hesiod RHS (Right Hand Side) component.

--disablehesiod
    Disables Hesiod support.

--enablecache
    Enables caching for NSS lookups (typically via NSCD).

--disablecache
    Disables NSS caching.

--cacheconfig=file
    Specifies an alternative cache configuration file.

--enablesystemtap
    Enables SystemTap support for debugging authentication.

--disablesystemtap
    Disables SystemTap support.

--enablepamaccess
    Enables PAM access control based on /etc/security/access.conf.

--disablepamaccess
    Disables PAM access control.

--kickstart
    Configures authentication for a kickstart installation, suitable for automated setups.

DESCRIPTION

authconfig is a legacy command-line utility primarily found in Red Hat-based Linux distributions, used for configuring system-wide authentication and authorization services. It serves as a high-level interface to modify crucial system files, including /etc/nsswitch.conf (Name Service Switch) and the various PAM (Pluggable Authentication Modules) configuration files located under /etc/pam.d/.

Administrators utilize authconfig to establish diverse authentication methods such as local user accounts (shadow, MD5), network-based services like LDAP (Lightweight Directory Access Protocol), Kerberos, and more recently, integration with SSSD (System Security Services Daemon). While it automates the complex process of generating necessary PAM and NSS configurations, its direct modification approach to the PAM stack is less flexible and more prone to issues compared to its modern successor, authselect. It ensures consistent authentication across the system by updating standard PAM files used by common services.

CAVEATS

authconfig is considered deprecated in modern Red Hat-based Linux distributions (e.g., RHEL 7 and later, Fedora). It has been largely superseded by the authselect command, which offers a more robust, flexible, and safer way to manage PAM configurations using predefined profiles and allowing controlled local modifications. Using authconfig on newer systems might lead to unexpected or undesirable PAM configurations, potentially breaking system authentication. It directly modifies PAM files, which can be difficult to audit or revert manually if issues arise.

Always back up critical configuration files before using authconfig, especially on production systems, as misconfigurations can lock users out of the system.

INTERACTIVE MODE

When invoked without arguments or with the --text option, authconfig provides an interactive curses-based text user interface (TUI) that guides the administrator through the authentication setup process. This mode makes it easier for users less familiar with command-line options to configure basic authentication methods.

PAM AND NSS CONFIGURATION

The primary function of authconfig is to generate and update the necessary configuration files for PAM (in /etc/pam.d/) and NSS (/etc/nsswitch.conf). It automates the process of correctly ordering and enabling modules for services like login, su, ssh, and others, ensuring that user and group lookups and authentication requests are handled by the configured backends (e.g., files, LDAP, SSSD).
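
To review what a run of authconfig left in these files, the following check flags the legacy choices the option list allows: md5 hashing, a missing shadow option, and NIS or Hesiod as account sources. It is an added example, not code from the original page or the authconfig project; the function names and sample files are constructed, and on a Red Hat-based host the functions would be pointed at /etc/pam.d/system-auth and /etc/nsswitch.conf.

```sh
#!/bin/sh
# Added example, not part of authconfig. Function names are hypothetical.

# Findings for a PAM file such as /etc/pam.d/system-auth, one per line.
audit_pam() {
    # The "password ... pam_unix.so" line carries the hash algorithm and shadow flag.
    pam_line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so' "$1" |
        head -n 1 | tr -s '[:space:]' ' ')
    [ -n "$pam_line" ] || { echo "pam: no password line for pam_unix.so"; return 0; }
    case " $pam_line " in
        *" md5 "*) echo "pam: md5 password hashing enabled" ;;
        *" sha512 "* | *" sha256 "*) ;;
        *) echo "pam: no sha256/sha512 option on pam_unix.so" ;;
    esac
    case " $pam_line " in
        *" shadow "*) ;;
        *) echo "pam: shadow option missing" ;;
    esac
}

# Findings for an nsswitch.conf: legacy network sources on account databases.
audit_nss() {
    grep -E '^(passwd|shadow|group):' "$1" | while IFS=: read -r db sources; do
        sources=" $(printf '%s' "$sources" | tr -s '[:space:]' ' ') "
        for legacy in nis hesiod; do
            case $sources in
                *" $legacy "*) echo "nss: $db resolves through $legacy" ;;
            esac
        done
    done
}

# Constructed samples standing in for /etc/pam.d/system-auth and /etc/nsswitch.conf.
write_samples() {
    cat > "$1/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so md5 nullok try_first_pass use_authtok
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files nis sss
shadow:     files
group:      files nis
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_pam "$tmp/system-auth"; audit_nss "$tmp/nsswitch.conf"
rm -rf "$tmp"
```

Running the same two functions before and after an `authconfig --update` gives a quick diff of what the change did to password hashing and account lookup sources.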

HISTORY

The authconfig utility emerged as a high-level tool to simplify the complex task of configuring system-wide authentication settings in Linux, particularly within the Red Hat ecosystem. It was a staple in Fedora and RHEL for many years, providing a user-friendly way to integrate various authentication backends like local files, LDAP, Kerberos, and later SSSD. Its development aimed to abstract the intricacies of PAM and NSS configuration, which traditionally required manual editing of multiple sensitive files.

However, its direct modification approach to PAM configurations could sometimes lead to unmanageable or brittle setups, especially when custom PAM rules were involved. With the release of Red Hat Enterprise Linux 7 and corresponding Fedora versions, authselect was introduced as a more sophisticated and profile-based alternative, offering better manageability, auditability, and preventing common configuration pitfalls. While authconfig might still be present on older systems or for backward compatibility, its active development and recommended usage have largely ceased in favor of authselect.

SEE ALSO

authselect(8), pam(8), nsswitch.conf(5), passwd(5), shadow(5), ldap(3), krb5(3), sssd(8), pam_ldap(8), pam_krb5(8)
