LinuxCommandLibrary

authconfig

Configure system authentication settings

TLDR

Display the current configuration (or dry run)

$ authconfig --test
copy

Configure the server to use a different password hashing algorithm
$ authconfig --update --passalgo=[algorithm]
copy

Enable LDAP authentication
$ authconfig --update --enableldapauth
copy

Disable LDAP authentication
$ authconfig --update --disableldapauth
copy

Enable Network Information Service (NIS)
$ authconfig --update --enablenis
copy

Enable Kerberos
$ authconfig --update --enablekrb5
copy

Enable Winbind (Active Directory) authentication
$ authconfig --update --enablewinbindauth
copy

Enable local authorization
$ authconfig --update --enablelocauthorize
copy

SYNOPSIS

authconfig [options]

PARAMETERS

--enable
    Enable service like nis, ldap, krb5, hesiod, smartcard, locauthorize, sssd, ssdauth (e.g., --enablenis)

--disable
    Disable matching service (e.g., --disableldap)

--test
    Test and display config changes without applying

--savebackup
    Backup modified config files

--probe[=krb5]
    Probe for Kerberos realm/info (optional krb5 limit)

--update
    Update configs without launching GUI

--updateall
    Update all services unconditionally

--enablesssd
    Enable SSSD backend

--enablenssldap
    Enable NSS LDAP support

--enableldapauth
    Enable LDAP authentication

--passalgo=<algo>
    Set password hash (md5, sha256, sha512)

--enablemkhomedir
    Enable auto home dir creation

--enableshadow
    Enable shadow passwords

--nisdomain=<domain>
    Set NIS domain

--ldapserver=<server>
    Set LDAP server

--krb5realm=<REALM>
    Set Kerberos realm

DESCRIPTION

The authconfig command is a utility for configuring system authentication mechanisms on Red Hat-based distributions like RHEL, CentOS, and older Fedora. It automates updates to key files such as /etc/nsswitch.conf, PAM configurations in /etc/pam.d/, /etc/krb5.conf, and /etc/sysconfig/authconfig. Users can enable/disable services like NIS, LDAP, Kerberos (Krb5), Hesiod, smart cards, and local authorization.

Common tasks include setting up network authentication backends, password algorithms (e.g., SHA512), shadow passwords, and automatic home directory creation. Run with --test to preview changes, --savebackup for backups, and --update to apply non-interactively.

Originally paired with a GTK GUI (system-config-authentication), it simplifies complex PAM and NSS setups. However, it is deprecated in RHEL 7+ (since 2014), replaced by authselect for better security and SSSD integration. Still usable on RHEL 6/CentOS 6 but not recommended for new setups.

CAVEATS

Deprecated in RHEL 7+; use authselect instead.
Not fully compatible with modern SSSD/PAM stacks.
May overwrite custom configs; use --test first.

EXAMPLES

Enable LDAP: authconfig --enableldap --enableldapauth --updateall
Enable NIS: authconfig --enablenis --nisdomain=example.com --update
Test Krb5: authconfig --enablekrb5 --probe --test

FILES MODIFIED

/etc/sysconfig/authconfig, /etc/nsswitch.conf, /etc/pam.d/system-auth, /etc/krb5.conf, /etc/ldap.conf

HISTORY

Developed by Red Hat in late 1990s for RH Linux 6+. Actively used through RHEL 6 (2012). Deprecated in RHEL 7 (2014) due to authselect's improvements in profile-based auth management.

SEE ALSO

authselect(8), system-config-authentication(8), sssctl(1), pam(8)

Copied to clipboard