authconfig
Configure system authentication settings
TLDR
Display the current configuration (or dry run)
Configure the server to use a different password hashing algorithm
Enable LDAP authentication
Disable LDAP authentication
Enable Network Information Service (NIS)
Enable Kerberos
Enable Winbind (Active Directory) authentication
Enable local authorization
SYNOPSIS
authconfig [options]
PARAMETERS
--updateall
Applies all specified changes and updates the system configuration.
--enableldap
Enables LDAP for user information and authentication.
--disableldap
Disables LDAP configuration.
--ldapserver=server
Specifies the LDAP server(s) to use.
--ldapbasedn=DN
Specifies the LDAP base DN for user and group lookups.
--enableldapauth
Enables authentication against an LDAP server.
--disableldapauth
Disables LDAP authentication.
--enableldaptls
Enables TLS/SSL encryption for LDAP communication.
--enablekrb5
Enables Kerberos 5 for user authentication.
--disablekrb5
Disables Kerberos 5 configuration.
--krb5realm=realm
Specifies the Kerberos 5 realm.
--krb5kdc=KDC
Specifies the Kerberos 5 Key Distribution Center(s).
--krb5adminserver=server
Specifies the Kerberos 5 administration server.
--enablemd5
Enables MD5 hashing for local user passwords (older standard).
--disablemd5
Disables MD5 hashing for local passwords.
--enableshadow
Enables shadow passwords for local users.
--disableshadow
Disables shadow passwords (not recommended).
--enablesssd
Enables SSSD (System Security Services Daemon) for user and group information.
--disablesssd
Disables SSSD configuration.
--enablesssdauth
Enables SSSD for authentication.
--disablesssdauth
Disables SSSD authentication.
--enablefingerprint
Enables support for fingerprint readers.
--disablefingerprint
Disables fingerprint reader support.
--enablewinbind
Enables Winbind for Active Directory/Samba authentication.
--disablewinbind
Disables Winbind configuration.
--winbindtemplatehomedir=path
Sets the template home directory for Winbind users.
--winbindtemplateshell=shell
Sets the template shell for Winbind users.
--passalgo=algorithm
Sets the password hashing algorithm (e.g., 'sha512', 'sha256', 'md5').
--passminlen=length
Sets the minimum password length for local users.
--passmaxlen=length
Sets the maximum password length for local users.
--nostart
Prevents services from being started or restarted after configuration changes.
--test
Displays the changes that would be made without actually applying them.
--restorebackup
Restores the previous configuration from backup files.
--savebackup
Saves the current configuration as backup files.
--force
Forces changes even if potential issues are detected.
--text
Runs the utility in an interactive curses-based text mode.
--probe
Probes for available authentication methods and displays them.
--enablemkhomedir
Enables automatic creation of home directories for new users.
--disablemkhomedir
Disables automatic creation of home directories.
--enablenis
Enables NIS (Network Information Service) support.
--nisdomain=domain
Specifies the NIS domain.
--nisserver=server
Specifies the NIS server(s).
--disablenis
Disables NIS support.
--enablehesiod
Enables Hesiod support.
--hesiodlhs=LHS
Specifies the Hesiod LHS (Left Hand Side) component.
--hesiodrhs=RHS
Specifies the Hesiod RHS (Right Hand Side) component.
--disablehesiod
Disables Hesiod support.
--enablecache
Enables caching for NSS lookups (typically via NSCD).
--disablecache
Disables NSS caching.
--cacheconfig=file
Specifies an alternative cache configuration file.
--enablesystemtap
Enables SystemTap support for debugging authentication.
--disablesystemtap
Disables SystemTap support.
--enablepamaccess
Enables PAM access control based on /etc/security/access.conf.
--disablepamaccess
Disables PAM access control.
--kickstart
Configures authentication for a kickstart installation, suitable for automated setups.
DESCRIPTION
authconfig is a legacy command-line utility primarily found in Red Hat-based Linux distributions, used for configuring system-wide authentication and authorization services. It serves as a high-level interface to modify crucial system files, including /etc/nsswitch.conf (Name Service Switch) and the various PAM (Pluggable Authentication Modules) configuration files located under /etc/pam.d/.
Administrators utilize authconfig to establish diverse authentication methods such as local user accounts (shadow, MD5), network-based services like LDAP (Lightweight Directory Access Protocol), Kerberos, and more recently, integration with SSSD (System Security Services Daemon). While it automates the complex process of generating necessary PAM and NSS configurations, its direct modification approach to the PAM stack is less flexible and more prone to issues compared to its modern successor, authselect. It ensures consistent authentication across the system by updating standard PAM files used by common services.
CAVEATS
authconfig is considered deprecated in modern Red Hat-based Linux distributions (e.g., RHEL 7 and later, Fedora). It has been largely superseded by the authselect command, which offers a more robust, flexible, and safer way to manage PAM configurations using predefined profiles and allowing controlled local modifications. Using authconfig on newer systems might lead to unexpected or undesirable PAM configurations, potentially breaking system authentication. It directly modifies PAM files, which can be difficult to audit or revert manually if issues arise.
Always back up critical configuration files before using authconfig, especially on production systems, as misconfigurations can lock users out of the system.
INTERACTIVE MODE
When invoked without arguments or with the --text option, authconfig provides an interactive curses-based text user interface that guides the administrator through the authentication setup process. This mode makes it easier for users less familiar with command-line options to configure basic authentication methods.
PAM AND NSS CONFIGURATION
The primary function of authconfig is to generate and update the necessary configuration files for PAM (in /etc/pam.d/) and NSS (/etc/nsswitch.conf). It automates the process of correctly ordering and enabling modules for services like login, su, ssh, and others, ensuring that user and group lookups and authentication requests are handled by the configured backends (e.g., files, LDAP, SSSD).
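A check worth running after changing the algorithm with --passalgo, as an added example that is not part of the original page: the new algorithm applies only when a password is next set, so existing shadow entries keep their old hash until then. The function names, the sample system-auth lines and the shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what a --passalgo change left behind.
# File contents below are constructed samples, not real system data.

# Print the hash option on the first pam_unix "password" line of a PAM file,
# or "unset" when that line names no algorithm.
pam_unix_algo() {
    awk '$1 == "password" && /pam_unix\.so/ {
        algo = "unset"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|yescrypt)$/) algo = $i
        print algo
        exit
    }' "$1"
}

# Print "user:scheme" for each shadow-format entry stored as MD5-crypt ($1$)
# or traditional 13-character DES crypt. Leading "!" lock markers are ignored.
weak_hash_accounts() {
    awk -F: '{
        h = $2
        sub(/^!+/, "", h)
        if (substr(h, 1, 3) == "$1$") print $1 ":md5"
        else if (length(h) == 13 && h ~ "^[A-Za-z0-9./]+$") print $1 ":des"
    }' "$1"
}

tmp=$(mktemp -d)
cat > "$tmp/system-auth" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedhashvalue:19000:0:99999:7:::
alice:$1$CONSTRUCT$constructedmd5hashvalue1:17000:0:99999:7:::
bob:!$1$CONSTRUCT$constructedmd5hashvalue2:17000:0:99999:7:::
daemon:*:18000:0:99999:7:::
EOF
echo "pam_unix algorithm: $(pam_unix_algo "$tmp/system-auth")"
echo "accounts still on weak hashes:"
weak_hash_accounts "$tmp/shadow"
rm -rf "$tmp"
```

On a live host, point the two functions at /etc/pam.d/system-auth and /etc/shadow as root; any account listed needs a password change before its hash moves to the configured algorithm.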
HISTORY
The authconfig utility emerged as a high-level tool to simplify the complex task of configuring system-wide authentication settings in Linux, particularly within the Red Hat ecosystem. It was a staple in Fedora and RHEL for many years, providing a user-friendly way to integrate various authentication backends like local files, LDAP, Kerberos, and later SSSD. Its development aimed to abstract the intricacies of PAM and NSS configuration, which traditionally required manual editing of multiple sensitive files.
However, its direct modification approach to PAM configurations could sometimes lead to unmanageable or brittle setups, especially when custom PAM rules were involved. With the release of Red Hat Enterprise Linux 7 and corresponding Fedora versions, authselect was introduced as a more sophisticated and profile-based alternative, offering better manageability, auditability, and preventing common configuration pitfalls. While authconfig might still be present on older systems or for backward compatibility, its active development and recommended usage have largely ceased in favor of authselect.