Article Summary:
Up until a while ago on Fedora 39 there were several authselect profiles, the two most interesting ones being minimal and sssd. Due to
Changes/SSSDRemoveFilesProvider, the sssd profile received some changes and the minimal profile got upgraded into the more featureful local profile.
System upgraded to Fedora 40 will not have the profile automatically changed but new installs will have the local profile as default.
Therefore I propose an article urging users to change the profile.
Article Description:
For starters I think the article should explain a bit about PAM, authconfig (which is a past tool) and authselect. I know that authselect is a useful tool to select the authentication config for a user based on profiles, meaning there’s no need to edit authentication files (owned by PAM, I think) and possibly risk breaking user authentication.
Then we should probably say a bit about sssd, which as far as I know is some tool that allow authenticating with both local and remote users.
At this point we should explain the minimal profile from Fedora 39 vs the local profile from Fedora 40 and that sssd has been the default for a while.
We point out how the local profile could be beneficial assuming the user won’t login to remote users and that’s also the new default on Fedora 40.
We should touch a bit into the features that can be enabled on a profile. While currently with-silent-lastlog, with-mdns4 and with-fingerprint are the ones used by Fedora by default, there could be some extra ones useful (although needing extra configuration) such as the ones related to u2f (such as with-pam-u2f and with-pam-u2f-2fa).
For example, on my system on which I manually chnaged the profiles:
$ authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint