Poster of Linux kernelThe best gift for a Linux geek
AUTH-CLIENT-CONFIG:

AUTH-CLIENT-CONFIG:

Section: (8) Updated: July 2007
Local index Up
 

NAME

auth-client-config - pam and NSS profile switcher  

DESCRIPTION

This program updates nsswitch.conf and pam configuration files to aid in authentication configuration. If the existing nsswitch.conf and pam system configuration does not exist in the profiles database, auth-client-config will comment out the current configuration in such a way that the changes can be undone by auth-client-config with the -r option.

 

USAGE

auth-client-config -p PROFILE -a -t TYPE [-dn -f FILE]
auth-client-config -p PROFILE -a -t TYPE -r [-n -f FILE]
auth-client-config -p PROFILE -a -t TYPE -s [-f FILE]

 

OPTIONS

--version
show program's version number and exit
-h, --help
show this help message and exit
-a, --all-types
apply all types for specified profile
-d, --database-only
update file(s) only if current entries are in database
-f FILE, --file=FILE
update FILE instead of default
-l, --list-profiles
list available profiles
-L, --list-types
list available types
-n, --dry-run
don't modify anything, just show the changes
-p PROFILE, --profile=PROFILE (required)
use PROFILE
-r, --reset
reset file(s) to previous non-auth-client-config values. Will not remove the current entries unless they match PROFILE
-s, --check-system
determine if system files are set to PROFILE
-S, --show-system
show current system settings as a profile
-t TYPE, --type=TYPE
modify files for TYPE. Multiple types can be specified with a comma separated list.

 

PROFILES DATABASE

Each time auth-client-config is run, it will check the profiles database (by default, /etc/auth-client-config/profile.d) for authentication profiles. Files may be added to the profiles database directory to support custom authentication configurations. This is useful for a distribution maintainer to have his/her authentication package put an authentication profile into the profiles database, and then have his/her package use auth-client-config to update the system configuration. It also allows for an administrator to set up a single profile for site-wide network authentication roll-outs.

The files in the profiles database use the .INI configuration file standard, and the syntax is:


  [example]
  nss_passwd=nsswitch.conf entry for 'passwd'
  nss_group=nsswitch.conf entry for 'group
  nss_shadow=nsswitch.conf entry for 'shadow'
  nss_netgroup=nsswitch.conf entry for 'netgroup'
  pam_auth=pam entry/entries for 'auth'
  pam_account=pam entry/entries for 'account'
  pam_password=pam entry/entries for 'password'
  pam_session=pam entry/entries for 'session'

If you need to specify multiple entries for a specific type (which is often the case with PAM), then simply list additional entries on a newline preceded by a tab. For example, an entry for local configuration might be:


  [example_local]
  nss_passwd=passwd: files
  nss_group=group: files
  nss_shadow=shadow: files
  nss_netgroup=netgroup: nis
  pam_auth=auth    required        pam_unix.so nullok_secure debug
  pam_account=account required        pam_unix.so debug
  pam_password=password   required   pam_unix.so nullok obscure \
    min=4 max=8 md5 debug
  pam_session=session required        pam_unix.so debug
         session optional        pam_foreground.so

Notice how in the above, pam_session has two entries (pam_password in this example should be all on one line, hence the '\').

To use the above entry with auth-client-config, create a file with the above entries in it and put the file into the profiles database directory (typically named after the profile or package that added it). Now call auth-client-config with:


  auth-client-config -a -p example_local

 

EXAMPLES

Set nsswitch.conf and pam to use the 'example_local' profile:
  auth-client-config -a -p example_local

Set only nsswitch.conf to use the 'example_local' profile, but only if current nsswitch.conf entries exist in the profiles database:
  auth-client-config -t nss -p example_local -d

Restore nsswitch.conf and pam to previous non-auth-client-config files:
  auth-client-config -a -p example_local -r

 

KNOWN ISSUES

If two or more profiles have the same name, only the last one will be used. Additionally, if a profile in the profiles database has more than one entry for a particular field (eg, two 'nss_passwd' entries), then then the last one read will be used.

auth-client-config strips out all carriage returns when run on Unix.

 

SEE ALSO


 nsswitch.conf(5), pam(7)

 

AUTHOR

auth-client-config is copyright 2007-2008 by Jamie Strandboge

This manual page was originally written by Jamie Strandboge <jamie@strandboge.com>


 

Index

NAME
DESCRIPTION
USAGE
OPTIONS
PROFILES DATABASE
EXAMPLES
KNOWN ISSUES
SEE ALSO
AUTHOR

This document was created by man2html, using the manual pages.
Time: 22:01:18 GMT, April 16, 2011