Article Summary:
Up until a while ago on Fedora 39 there were several authselect profiles, the two most interesting ones being minimal
and sssd
. Due to
Changes/SSSDRemoveFilesProvider, the sssd
profile received some changes and the minimal
profile got upgraded into the more featureful local
profile.
System upgraded to Fedora 40 will not have the profile automatically changed but new installs will have the local
profile as default.
Therefore I propose an article urging users to change the profile.
Article Description:
For starters I think the article should explain a bit about PAM, authconfig (which is a past tool) and authselect. I know that authselect is a useful tool to select the authentication config for a user based on profiles, meaning there’s no need to edit authentication files (owned by PAM, I think) and possibly risk breaking user authentication.
Then we should probably say a bit about sssd, which as far as I know is some tool that allow authenticating with both local and remote users.
At this point we should explain the minimal
profile from Fedora 39 vs the local
profile from Fedora 40 and that sssd
has been the default for a while.
We point out how the local
profile could be beneficial assuming the user won’t login to remote users and that’s also the new default on Fedora 40.
We should touch a bit into the features that can be enabled on a profile. While currently with-silent-lastlog
, with-mdns4
and with-fingerprint
are the ones used by Fedora by default, there could be some extra ones useful (although needing extra configuration) such as the ones related to u2f (such as with-pam-u2f
and with-pam-u2f-2fa
).
For example, on my system on which I manually chnaged the profiles:
$ authselect current
Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint