Setting Up System Users and Authentication

Overview of Oracle Linux authentication profiles and release-specific defaults.

Authentication is a way of implementing system security by verifying the identity of any user that tries to access the system.

A user signs in to the system by providing a username and a password, and the OS authenticates that user's identity by comparing this information to data stored on the system.

If the credentials match and the user account is active, the user is authenticated and can successfully access the system.

Authentication in Oracle Linux

In Oracle Linux, authentication is profile-based. Each profile uses different mechanisms to authenticate system access.

The following profiles are installed with Oracle Linux:

  • sssd: Uses the System Security Services Daemon (sssd) service to perform system authentication. The sssd service is a client for many centralized directory and authentication providers such as Kerberos, Active Directory, FreeIPA, and LDAP.

  • winbind: Uses the winbind service to perform system authentication. The winbind service is a client-side service that resolves user and group information on a Windows server, and lets Oracle Linux understand Windows users and groups.

Profile availability and defaults vary by release; see the tabs following this section.

You can adapt these existing profiles to suit the authentication needs of the organization. For example, you can configure the sssd profile to use different backend directory services.

You can also use profiles supplied by external vendors, or create custom profiles to enforce specific authentication requirements.

Release-specific tabs:

    • nis: Included only for compatibility with legacy Network Information Service (NIS) systems. NIS is deprecated in Oracle Linux 8. If you're using NIS for authentication, convert to use the sssd profile instead.

    • minimal: Uses system files to perform system authentication for local users.

    The default authentication profile is sssd.

    • minimal: Uses system files to perform system authentication for local users.

    The default authentication profile is sssd.

    • local: Uses system files to perform system authentication for local users.

    The default authentication profile is local.

Profiles and Features

Each profile has associated features you can enable to make the profile's service use a specific authentication method, such as smart card authentication, fingerprint authentication, Kerberos, and so on.

After you select a profile to make it active and enable the features you want, authselect reads the appropriate configuration files for those features to run the relevant authentication processes. Every user who signs in to the host is authenticated based on that configured profile.

To see a full list of features available for a specific profile, use the authselect show command:

    authselect show profile

The output of the command shows the optional features available for the named profile. For example, the following extract shows the optional features available in the sssd profile:

    authselect show sssd
    ...
    AVAILABLE OPTIONAL FEATURES
    ---------------------------

    with-faillock::
        Enable account locking in case of too many consecutive
        authentication failures.

    with-mkhomedir::
        Enable automatic creation of home directories for users on their
        first login.
    ...

This information is also available in the profile's corresponding /usr/share/authselect/default/profile/README file.

For more information on how profile files are organized, see the authselect-profiles(5) manual page.
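The following script is an added example and not part of the Oracle Linux documentation or the authselect project. It shows the workflow the section describes, namely reading the optional feature list from authselect show output and validating a requested feature set before building the authselect select command line. The show output is a constructed sample embedded in the script so it runs without authselect installed; SAMPLE_SHOW_OUTPUT, available_features, check_features and select_cmd are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of `authselect show sssd` output (the real output is
# longer); embedded so the example runs on any host. On a real system you
# would feed `authselect show "$profile"` into available_features instead.
SAMPLE_SHOW_OUTPUT='AVAILABLE OPTIONAL FEATURES
---------------------------

with-faillock::
    Enable account locking in case of too many consecutive
    authentication failures.

with-mkhomedir::
    Enable automatic creation of home directories for users on their
    first login.

with-smartcard::
    Enable authentication with smartcards.'

# Print the optional feature names (lines of the form "with-xxx::") from
# `authselect show` output read on stdin, one per line.
available_features() {
    sed -n 's/^\(with-[a-z0-9-]*\)::$/\1/p'
}

# Read the available feature list on stdin and print every requested
# feature (arguments) that is not in it. Exit status 0 only if all are
# available, so a typo in a feature name is caught before anything is applied.
check_features() {
    avail=$(cat)
    rc=0
    for f in "$@"; do
        if ! printf '%s\n' "$avail" | grep -qxF -- "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Build the `authselect select PROFILE FEATURE...` command line for a
# profile and feature set after validating the features. Nothing is applied:
# the caller decides whether to run the printed command (as root).
select_cmd() {
    profile=$1; shift
    missing=$(printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | available_features | check_features "$@") || {
        printf 'unknown feature(s) for profile %s:%s\n' "$profile" \
            "$(printf '%s' "$missing" | tr '\n' ' ' | sed 's/^/ /')" >&2
        return 1
    }
    printf 'authselect select %s%s\n' "$profile" "${1:+ $*}"
}

# Stand-alone run: prints the command that enables account locking and
# home-directory creation on the sssd profile.
select_cmd sssd with-faillock with-mkhomedir
```

Because select_cmd only prints the command line, you can review it (or pipe it into a change ticket) before running it; a rejected feature name produces an error on stderr and a non-zero exit status, which is the behaviour you want in provisioning scripts.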

About the authselect Utility

You configure authentication on the system using the authselect utility. The authselect utility manages system authentication profiles and is included in any Oracle Linux installation.

Note

For Oracle Linux 8, authselect replaces the legacy authconfig tool. To migrate from authconfig to authselect, see Migrating From authconfig to authselect.

The authselect utility consists of the following components:

  • The authselect command, which manages authentication profiles and their features. Only users with the appropriate administrator privileges can run this command.

  • The profiles themselves, which enforce specific authentication mechanisms. These profiles include those supplied by Oracle, provided by vendors, or created by an organization.

The authselect utility stores these different profiles in separate directories:

  • /usr/share/authselect/default contains the profiles provided by Oracle Linux.

  • /usr/share/authselect/vendor contains the profiles that are provided by vendors. These profiles can override those that are in the default directory.

  • /etc/authselect/custom contains any custom profiles you create.
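The following script is an added example, not part of the Oracle Linux documentation or the authselect utility itself. It models the directory precedence just listed: a custom profile is selected as custom/NAME and lives under /etc/authselect/custom, and for any other name a copy under /usr/share/authselect/vendor takes priority over the Oracle-supplied copy under /usr/share/authselect/default. The AUTHSELECT_ROOT prefix and the function names (resolve_profile, make_sample_tree) are assumptions made for this example so that it can be exercised against a constructed directory tree rather than the live system.

```shell
#!/bin/sh
# AUTHSELECT_ROOT is an assumption of this example, not an authselect
# setting: it prefixes every path so the functions can run against a
# throwaway tree. Leave it empty to inspect the real system directories.
AUTHSELECT_ROOT=${AUTHSELECT_ROOT:-}

# Print the directory authselect would read the named profile from,
# following the documented precedence, or fail if no such profile exists.
resolve_profile() {
    name=$1
    case $name in
        custom/*)
            # Custom profiles are addressed as custom/NAME on the command line.
            set -- "$AUTHSELECT_ROOT/etc/authselect/custom/${name#custom/}" ;;
        */*)
            # Any other slash is treated as invalid in this example.
            printf 'invalid profile name: %s\n' "$name" >&2; return 2 ;;
        *)
            # Vendor directory is checked first, so it overrides default.
            set -- "$AUTHSELECT_ROOT/usr/share/authselect/vendor/$name" \
                   "$AUTHSELECT_ROOT/usr/share/authselect/default/$name" ;;
    esac
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    printf 'profile %s not found\n' "$name" >&2
    return 1
}

# Build a constructed tree under $1: default sssd and winbind, a vendor
# override of sssd, and a custom profile named corp-sssd.
make_sample_tree() {
    root=$1
    mkdir -p "$root/usr/share/authselect/default/sssd" \
             "$root/usr/share/authselect/default/winbind" \
             "$root/usr/share/authselect/vendor/sssd" \
             "$root/etc/authselect/custom/corp-sssd"
}

# Stand-alone demo against a temporary tree; the live system is untouched.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
AUTHSELECT_ROOT=$demo_root
resolve_profile sssd              # vendor copy wins over the default copy
resolve_profile winbind           # only the default copy exists
resolve_profile custom/corp-sssd  # custom profiles come from /etc/authselect/custom
rm -rf "$demo_root"
AUTHSELECT_ROOT=
```

Running resolve_profile with AUTHSELECT_ROOT empty on a real host tells you which copy of a profile is actually in effect, which is worth checking when a vendor package has dropped a profile with the same name as an Oracle-supplied one.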

Important

The authselect utility applies the selected profile. However, authselect doesn't configure the service on which the profile is based. Consult the appropriate documentation to configure the profile's service. You must also ensure that the service is started and enabled.

For more details about the authselect utility, see the authselect(8) manual page.