= System Wide Change: Make authselect default tool instead of authconfig = https://fedoraproject.org/wiki/Changes/AuthselectAsDefault Change owner(s): * Pavel Březina <pbrezina AT redhat DOT com> Replace authconfig with authselect and make authselect a default tool to configure PAM and nsswitch.conf. A compatibility tool will help with transition period from authconfig to authselect. Authselect is a tool to select system authentication and identity sources from a list of supported profiles and it is available to users since Fedora 27. Authselect is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the pam stack with a tool (which may potentially end up with a broken configuration), it ships several tested stacks (profiles) that solve primary supported use cases and are well tested and supported. At the same time, some obsolete features of authconfig are not supported by authselect. Additionally, authselect is written in C and has a small footprint which allows it to be also part of minimal installations. == Detailed Description == Authselect allows the administrator to choose one of the supported profiles. A profile provides description of how the resulting pam and nsswitch configuration looks like. The tool is packaged with a default profile set that is fully supported. If an administrator has different needs they can create a custom profile and make it accessible in authselect by dropping it in the tool specific directory. The authentication and identity configuration is hardcoded within the profile. However each profile is also allowed to contain some conditional modules that can be either enabled or disabled to allow the administrator to enable some optional behaviour such as account locking or ecryptfs support. Authselect does not configure daemons that provide the selected identity and authentication services such as SSSD or winbind, it only configures PAM and nsswitch. Daemons must be configured manually or through other system tools like realmd or ipa-client-install that are better suited for this task. The default profile set contains the following profiles: * Local users + SSSD -- local users and remote users are handled by sssd * With optional smartcard or fingerprint authentication * Local users + winbind -- local users are handled by files and remote users by winbind * With optional fingerprint authentication There is no need for a separate local users profile without SSSD because the SSSD module is not called for local users and it also gracefully detect when the daemon is not running. Since authselect is very different from the authconfig, we will provide a compatibility tool that will mimic most but not all options of authconfig and translate those operations into an authselect call and configuration changes so we do not break users scripts. == Scope == * Proposal owners: Authselect is already ready and shipped with Fedora. Owners will provide compatibility tool to help with the transition. * Other developers: anaconda-core, fprintd-pam, freeipa-client and realmd are packages that depends on authconfig. We will coordinate efforts to either switch those packages to authselect or make sure that the compatibility tool is sufficient to cover their needs. * Release engineering: #7241: https://pagure.io/releng/issue/7241 * List of deliverables: all * Policies and guidelines: The policies and guidelines do not need to be updated. * Trademark approval: N/A (not needed for this Change) -- Jan Kuřík Platform & Fedora Program Manager Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic