Of the many changes in Fedora Linux 40, there is one important under-the-hood Authselect profile change that is applied to new Fedora Linux 40 installations. The active Authselect profile will not be changed for upgrades. A new Authselect profile — local — will replace the minimal profile and it will be the default profile for fresh installations of Fedora Linux 40+.
To understand why this change is important and why it might make sense to manually migrate your current installation to use the new profile, this article will explain how the Linux authentication system works and compare and contrast the sssd* and local profiles.
* sssd was the default Authselect profile for installations prior to Fedora Linux 40.
An overview of Linux authentication
The first system component we should look into is PAM. Here’s an excerpt from Red Hat’s PAM documentation:
Pluggable Authentication Modules (PAMs) provide a centralized authentication mechanism which system applications can use to relay authentication to a centrally configured framework. PAM is pluggable because there is a PAM module for different types of authentication sources (such as Kerberos, SSSD, NIS, or the local file system). Different authentication sources can be prioritized.
So, PAM is a system of modules which you can combine to manage how authentication works. But why is that useful?
Several features can be enabled, either by adding new PAM modules, or by reconfiguring existing ones. Examples include:
- auto mounting disks or paths (encrypted or not)
- running a command on login
- Active Directory integration
- U2F (generic or Yubikey-specific)
- fingerprint reader support
- autologin
There are two drawbacks (depending on the experience level of the user/sysadmin) to managing the PAM configuration manually — the syntax used in configuration files is somewhat complex and if they are misconfigured, it might not be possible to log back into the system and undo the mistake.
With that in mind, we arrive at the legacy Authconfig tool. A description of the Authconfig tool from Red Hat is:
The Authconfig tool can help configure what kind of data store to use for user credentials, such as LDAP. On Red Hat Enterprise Linux, Authconfig has both GUI and command-line options to configure any user data stores. The Authconfig tool can configure the system to use specific services — SSSD, LDAP, NIS, or Winbind — for its user database, along with using different forms of authentication mechanisms.
Authconfig was as a tool that operated above the PAM layer and it was used to configure the authentication for a system. However, it has since been replaced by Authselect.
Some insight into Authselect can be gained by reading the rationale for its introduction to Fedora Linux 27. Here is an excerpt from the Fedora Linux 27 change set:
Authselect is a tool to select system authentication and identity sources from a list of supported profiles.
It is designed to be a replacement for Authconfig but it takes a different approach to configuring the system. Instead of letting the administrator build the PAM stack with a tool (which may potentially end up with a broken configuration), it would ship several tested stacks (profiles) that solve a use-case and are well tested and supported. At the same time, some obsolete features of Authconfig would not be supported by Authselect.
With the addition of profiles, Authselect simplifies the task of configuring system authentication and it makes authentication failures due to human error when editing PAM configuration files less likely.
To recap:
- PAM is the underlying system for authentication in Fedora Linux. It sources configuration files under /etc/pam.d on each login and, if one of its configuration files is corrupt or invalid, logins might fail (or succeed when they shouldn’t).
- Authconfig is a tool that provides higher-level management of the PAM configuration. It is a script that sets up PAM as directed by the user/sysadmin.
- Authselect is a replacement for Authconfig. Authselect adds the concept of “profiles” (with optional features that may be enabled or disabled as desired). Authselect should cover most use-cases and it makes manually editing PAM’s low-level configuration files unnecessary.
Authselect became the default in Fedora Linux 28 and later became mandatory in Fedora Linux 36.
Fedora Linux 40, the sssd profile, and the local profile
Now that the fundamentals of PAM, Authconfig, and Authselect have been covered, it is time to compare and contrast the Authselect profiles — the sssd profile versus the new local profile.
First, let’s see what SSSD is. Here is an excerpted from SSSD’s website:
SSSD is an acronym for System Security Services Daemon. It is the client component of centralized identity management solutions such as FreeIPA, 389 Directory Server, Microsoft Active Directory, OpenLDAP, and other directory servers. The client serves and caches the information stored in the remote directory server and provides identity, authentication, and authorization services to the host machine.
To simplify, you might think of SSSD as a system for accessing an organization’s server which holds the user data (passphrases, full names, etc.). Normally, you would only be able to login and access the data from user accounts that are present on your local machine (normally stored in the /etc/passwd file). With SSSD, you can access remote user accounts that are stored on a remote server such as Active Directory or 389 Directory Server.
But why is the sssd profile relevant?
Up to Fedora Linux 39, the default Authselect profile was sssd:
$ authselect current
Profile ID: sssd
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint
However, as part of Changes/SSSDRemoveFilesProvider for Fedora Linux 40, the way the sssd profile handles local users has changed:
• New “local” profile to handle local users without SSSD will be introduced. This profile will be based on “minimal”, but it may gain more features.
• “minimal” profile will be removed and replaced by “local”.
• “Local” profile will be now the default profile
• ‘sssd’ profile will lose with‐files‐domain and with‐files‐access‐provider options, and will gain ‐‐with‐tlog option.
So, the upgraded local profile replaces the previous minimal profile and local becomes the default Authselect profile for new installs (instead of sssd).
Below is what Authselect shows on a fresh Fedora Linux 40 installation (or from a Live CD session):
$ authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
Migration
The new local profile should be sufficient for those whom only need local user accounts. If you’ve upgraded to Fedora Linux 40 from an earlier release, you will not be switched to the new local profile automatically. You might want to manually switch your system to use the local profile if you do not need the remote account abilities that the sssd profile provides.
The list of features available for the local profile is:
$ authselect list-features local
with-ecryptfs
with-faillock
with-fingerprint
with-libvirt
with-mdns4
with-mdns6
with-mkhomedir
with-pam-gnome-keyring
with-pam-u2f
with-pam-u2f-2fa
with-pamaccess
with-pwhistory
with-silent-lastlog
with-systemd-homed
without-nullok
without-pam-u2f-nouserok
A description of the profile and each of its features can be seen with authselect show local.
To migrate between profiles, use the authselect select <profile> [feature] [feature...] command.
To migrate to the local profile with the with-silent-lastlog and with-mdns4 features enabled:
# authselect select local with-silent-lastlog with-mdns4
If, for example, you want to add support for fingerprint readers, add that feature name to the list on the command line:
# authselect select local with-silent-lastlog with-mdns4 with-fingerprint
Conclusion
Fedora took the safe route of applying this change only to new Fedora Linux installations. Existing users who upgrade their systems do not need to worry that their PAM authentication stacks will be changed. However, end users may benefit from manually switching to the new local profile on their local-only PCs.
SeeM
It seems like 5 letters ‘files’ in sssd config file, but it’s probably a mountain of code beneath. That’s why it took 12 releases to remove.
Felix Schwarz
Thank you for the nice explanation.
Just a tiny typo: “To migrate between profiles, use the autselect select [feature] [feature…] command.”. (h missing)
Gregory Bartholomew
I’ve fixed it. Thanks.
Michael Jones
Thanks for a well written and interesting article!
Darvond
Here’s a weird hypothetical. I had to do an in place reinstall due to some bootmanager flub beyond my reasonable grok, and as such I reinstalled Fedora 40 over itself; having upgraded in the past. Assuming that the packages have been updated accordingly, does this warrant changing the profiles?
Gregory Bartholomew
You are probably already using the local profile in that case. Run “authselect current” to view what profile your system is set to use.
Darvond
The profile ID is local, the features enabled are with fingerprint, with mdns4, and silent lastlog.
I assume that’s all in order; I just don’t have the PAM modules?
Gregory Bartholomew
I guess I’m not following what you are saying. Why do you think you are missing PAM modules? You can see what modules are available by listing the contents of /usr/lib64/security. FWIW, most modules have corresponding man pages (e.g., “man pam_exec”).
Tomasz Gąsior
Why fingerprint is not enabled by default in new configuration? It looks like it was enabled by default in the old one. Does that mean people with fingerprint readers won’t have working hardware with default user experience? There should be no need for CLI commands just to have hardware working.
I have Fedora installed with in-place upgrades since F32. My current profile is sssd. What will happen if I will never edit my configuration manually and keep that profile. Does that mean I won’t be able to log in after upgrade to new Fedora release some day? There should be no need for CLI commands to have working OS after major upgrade. I hope OS upgrade mechanism will be able to automatically change that profile when there will be need for that.
Gregory Bartholomew
If you don’t change anything, then nothing should change. 🙂 You should only see a difference when you do a fresh installation (or re-installation). Upgrades should keep the previous settings.
Again, an upgrade should not trigger any settings changes (in PAM). Only if you do a fresh installation would there be a need to manually enable the fingerprint PAM module.
Tomasz Gąsior
If I will keep upgrading my Fedora installation in place for a long time, to F41, F42, F43, etc. without changing “sssd” profile to “local” will my OS work correctly all the time?
Gregory Bartholomew
It should, yes.
Mateus Rodrigues Costa
About fingerprint reader support, I should mention that the
on Fedora 40 was run on a live session, so it might make some sense for the live session to have fingerprint support disabled. But I have asked to some people about what was the output for fresh installs, and apparently fingerprint support was enabled.
Basically, the sssd profile will continue working, it only received small changes in how it deals with local users (due to such changes the “local” profile now is a better choice.
The thing is that Fedora can’t just migrate all users to the “local” profile, since some users might be using the remote users feature from the “sssd” profile and this might break for them.
That’s exactly why it has to be either done manually (that’s why this article was written) or be the new default for new installs (so if you need soemthing different you can change while getting the machine up to speed).
Joka63
Thanks for a well written and interesting article. Authconfig and Authselect have always been a mystery to me. I use pam_mount for my LUKS encrypted home directory for 15 years and edited manually /etc/security/*dm-password according to the man page of pam_mount. However, pam_mount does not seem to be supported yet as a feature for authselect profiles.
The article was an opportunity for me to take a closer look at authselect. The template mechanism of authselect is quite simple. So I could create and successfully test a custom “local” profile with an additional option “with-pam-mount”, by adding lines like
auth optional pam_mount.so {include if “with-pam-mount”}
to the template file password-auth.
On Debian, the package libpam-mount adds pam_mount.so entries to PAM when executing its postinstall script, using another template mechanism. Technically, this would be possible in Fedora as well: simply call “authselect {enable|disable}-feature …” in a postinstall or preremove script (provided the feature is supported by the current authselect profile).
Justin Searle
I think I missed the?WHY? answer. What are the benefits for transitioning and what are the disadvantages for not transitionaling? All I see in the article are “there may be benefits”…
Mateus Rodrigues Costa
You will be effectively migrating to a profile which only ever cares about local users.
That’s the difference, you can still use the “sssd” profile while your system has only local users, but going forward new installs will use the “local” profile.
Stuart Gathman
The more features and potential login paths enabled, the more potential for a security bug. If you have no need to work with enterprise authentication systems, then you are much safer only looking at /etc/passwd and /etc/shadow.
Gregory Bartholomew
There might also be some small overhead when having sssd enabled. I remember seeing a YouTube video about SELinux (or maybe it was about containers) where someone pointed out that every time “ls” was run, network connections were being established. (Unfortunately, I don’t remember the details. I’m not sure if it was always, over localhost or local socket connections, or if that only happened if sssd was actually configured to connect to a remote server.)
hannes
Thanks for this article.
I’ve got a Fedora installation running (now F40), initially setup with Fedora 26 or 27. In my case, no profile is reported when executing ‘authselect current’. When was ‘sssd’ set as default profile?
Maybe I should think about reinstalling this old box at some point in time (but it’s running so well:) ).
Gregory Bartholomew
I have systems that pre-date authconfig/authselect as well. 🙂 IIRC, I manually activated authselect on them when that option became available. It should be safe to enable authselect, but I’d make a backup copy of /etc/pam.d first (and maybe /etc/nsswitch.conf as well). Also, you’ll want to test signing in (as root) from another VT before you sign out from the one where you first enabled authselect, just to be sure you can get back in after the changes have been applied.
George N. White III
Does the installer check for a working fingerprint reader before configuring authselect?
Gregory Bartholomew
The best I can make of it, it looks like it just defaults to false.
https://github.com/rhinstaller/anaconda/blob/183eccf06ac990dd7f42e1f78bfea37b27e3e38c/pyanaconda/modules/security/security.py#L55
rugk
Fedora 40 Silverblue here, upgraded for what feels like centuries from Fedora versions, but If I run the mentioned command, it seems it actually has been updated (which is fine for me, everything works etc. and I would have switched anyway, but just curious here):
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
Also, if you are going to change authentication things and upgrade these, you may want to run
and re-hash your password, as Fedora 37 switched to a newer algorithm and you may still be using the old one.
More information and how to check whether that’s the case here: https://discussion.fedoraproject.org/t/how-to-re-hash-your-etc-shadow-login-passwords-with-a-newer-algorithm-like-yescrypt/113496
mihalyr
Interesting, I am on F40 Sericea upgraded from F39 when it came out but I have:
Profile ID: sssd
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint
Maybe not every Silverblue flavour works the same.
mihalyr
Hi, thank you for the article. Very easy to follow and the actual command at the end to switch saves time.
In the past I used to have a custom PAM setup that decrypted a LUKS home folder on user login, but after a past upgrade (don’t remember which Fedora version) it stopped working. Probably this isn’t something that would be already covered by a profile or feature that I can just enable, right?
Gregory Bartholomew
This is all I am aware of: https://discussion.fedoraproject.org/t/building-a-new-home-with-systemd-homed-on-fedora/72690
mihalyr
Thank you for the link, I haven’t seen this before. In my old setup I had PAM script to open the LUKS volume with the user password then systemd would auto-mount it. I’ll take a look if I can make it work again.