Date: 2017.11.16
Author: 李强
References: man, info, magedu course notes
Disclaimer: the translations from English below are entirely my own; my English is at grade B, corrections are welcome, piracy will not be pursued, my abilities are limited, and I only hope not to mislead anyone.
1. Purpose and scenarios
Listed here first; with use it becomes clear when to reach for it.
2. Official description
an interface for configuring system authentication resources
3. Preface
These days the command used to switch the password hashing algorithm is authconfig --passalgo=sha256 --update.
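Note that --passalgo only governs hashes written after the change (the help text calls it the algorithm "for new passwords"); entries already in /etc/shadow keep their old algorithm until the user next changes their password. The following Python script is an added example, not part of the original post or of authconfig: it reads shadow-format lines (a constructed sample with placeholder hash bodies is embedded) and lists the accounts whose hash is still weaker than the algorithm you configured.

```python
# Constructed sample /etc/shadow (not from a real host); hash bodies are
# placeholders, only the algorithm prefix and the field layout matter.
SAMPLE_SHADOW = """\
root:$6$Qz9vY1xK$placeholderhash:17486:0:99999:7:::
alice:$5$rounds=5000$x7Nf2b$placeholderhash:17486:0:99999:7:::
bob:$1$Kb3c2e$placeholderhash:16800:0:99999:7:::
carol:a1B2c3D4e5F6g:15000:0:99999:7:::
dave:!!:17486:0:99999:7:::
nobody:*:17486:0:99999:7:::
"""

# Weakest to strongest; the names are authconfig's --passalgo values.
STRENGTH = ["descrypt", "bigcrypt", "md5", "sha256", "sha512"]
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


def classify_hash(field):
    """Map a shadow password field to a --passalgo name or 'locked'/'unknown'."""
    if field == "" or field[0] in "!*":
        return "locked"  # disabled account or no password set
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if "$" not in field:
        # Traditional DES output is exactly 13 chars; bigcrypt appends an
        # 11-char block for every further 8 characters of password.
        return "descrypt" if len(field) == 13 else "bigcrypt"
    return "unknown"


def audit_shadow(text, expected):
    """Return ({user: algorithm}, [users whose hash is weaker than expected])."""
    if expected not in STRENGTH:
        raise ValueError("unsupported passalgo: %s" % expected)
    algos, weaker = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":", 2)[:2]
        algos[user] = classify_hash(pw_field)
        if algos[user] in STRENGTH and STRENGTH.index(algos[user]) < STRENGTH.index(expected):
            weaker.append(user)
    return algos, weaker


if __name__ == "__main__":
    found, stale = audit_shadow(SAMPLE_SHADOW, "sha256")
    for user, algo in found.items():
        print("%-8s %s" % (user, algo))
    print("still need a password change to get sha256:", ", ".join(stale))
```

On a real host, feed it the contents of /etc/shadow (readable only by root) together with the value you passed to --passalgo; accounts it lists will not pick up the new algorithm until their password is changed.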
4. Files modified and environment variables involved
/etc/sysconfig/authconfig
    Used to track whether particular authentication mechanisms are enabled. Currently includes variables named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH, USESMBAUTH, USEWINBIND, USEWINBINDAUTH, USEHESIOD, USENIS, USELDAP and others.
/etc/passwd, /etc/shadow
    Used for shadow password support.
/etc/yp.conf
    Configuration file for NIS support.
/etc/sysconfig/network
    Another configuration file for NIS support.
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/openldap/ldap.conf
    Used to configure the nss_ldap, pam_ldap, nslcd and OpenLDAP libraries. Only files that already exist on the system are changed.
/etc/krb5.conf
    Used for Kerberos 5.
/etc/hesiod.conf
    Used to configure Hesiod.
/etc/samba/smb.conf
    Used to configure winbind authentication.
/etc/nsswitch.conf
    Used to configure the user information services.
/etc/login.defs
    Used to configure parameters of user accounts (minimum UID of regular users, password hashing algorithm).
/etc/pam.d/system-auth
    Common PAM configuration for the system services that include it via the include directive. It is created as a symbolic link, not a hard link.
/etc/pam.d/system-auth-ac
    Contains the actual PAM configuration for system services and is the target of the /etc/pam.d/system-auth symbolic link. If a local PAM configuration is created (and symlinked from system-auth), this file is included from there.
5. Usage
NAME
    An interface for configuring system authentication resources; authconfig-tui is a simple graphical configuration interface, much like setup.

SYNOPSIS
    authconfig [options] {--update|--updateall|--test|--probe|--restorebackup <name>|--savebackup <name>|--restorelastbackup}

DESCRIPTION
    authconfig provides a simple way to configure /etc/sysconfig/network to support NIS, provides password-policy support for /etc/passwd and /etc/shadow, and also supports configuring basic LDAP, Kerberos 5 and Winbind clients.

    With the --test option, authconfig can be run by users other than root; no changes are saved, the resulting settings are only printed so you can see the effect.
    With --update, the caller must be root; the configuration is saved, and only the files that changed are rewritten.
    With --updateall, as above, but all configuration files are rewritten.
    --probe uses DNS or other methods to guess the current host's configuration; whatever is found is printed to STDOUT and the program exits.
    --restorebackup, --savebackup and --restorelastbackup make it possible to save and restore the files modified by authconfig. authconfig also backs up the configuration files automatically before every operation; that backup can be restored with --restorelastbackup.

    Some of the options:
    If --nostart is specified (which is what the installer does), ypbind or other daemons are not started or stopped immediately after the program runs; they are only enabled or disabled for the next boot.
    The --enablenis, --enableldap, --enablewinbind and --enablehesiod options configure the user information services in /etc/nsswitch.conf; the --enablecache option configures the name service cache; the --enableshadow, --enableldapauth, --enablekrb5 and --enablewinbindauth options configure authentication through /etc/pam.d/system-auth.
    Every --enable option has a corresponding --disable option.
    The algorithm used for storing new password hashes can be specified with the --passalgo option, which takes one of the following values as its argument: descrypt, bigcrypt, md5, sha256 and sha512.
    The --enablelocauthorize option allows bypassing the authorization check against network authentication services; --enablesysnetauth allows those services to authenticate system accounts (uid < 500, or < 1000 on CentOS 7).
    When the configured settings allow SSSD to be used for user information services and authentication, SSSD is used automatically instead of the legacy services, and the SSSD configuration is set up so that there is a default domain populated with the settings needed to connect to those services.
    The --enablesssd and --enablesssdauth options force SSSD to be added to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do not set up the domain in the SSSD configuration file; the SSSD configuration must then be set up manually. The configurations for which SSSD services are allowed are: LDAP for user information (--enableldap) together with either LDAP (--enableldapauth) or Kerberos (--enablekrb5) for authentication.
    If SSSD does not support some feature of the legacy services that the site configuration requires, the legacy services can be forced by setting FORCELEGACY=yes in /etc/sysconfig/authconfig.
    The list of options mentioned in the manual page is not exhaustive; refer to authconfig --help for the complete list.
    authconfig-tui supports all the options of authconfig, but implies --update as the default action. Its windows contain a "Cancel" button by default; if the --back option is specified at runtime, a "Back" button is shown instead of "Cancel". If "--kickstart" is specified, no interactive screens are shown; the values the program uses are taken from the other options (--passalgo, --enableshadow, etc.).
    For namelist, you can substitute a single name or a comma-separated list of names.
Below is the complete list of options from authconfig --help:
Options:
  -h, --help            show this help message and exit
  --enableshadow, --useshadow
                        enable shadowed passwords by default
  --disableshadow       disable shadowed passwords by default
  --enablemd5, --usemd5
                        enable MD5 passwords by default
  --disablemd5          disable MD5 passwords by default
  --passalgo=<descrypt|bigcrypt|md5|sha256|sha512>
                        hash/crypt algorithm for new passwords
  --enablenis           enable NIS for user information by default
  --disablenis          disable NIS for user information by default
  --nisdomain=<domain>  default NIS domain
  --nisserver=<server>  default NIS server
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
  --ldapserver=<server>
                        default LDAP server hostname or URI
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapstarttls
                        enable use of TLS with LDAP (RFC-2830)
  --disableldaptls, --disableldapstarttls
                        disable use of TLS with LDAP (RFC-2830)
  --enablerfc2307bis    enable use of RFC-2307bis schema for LDAP user information lookups
  --disablerfc2307bis   disable use of RFC-2307bis schema for LDAP user information lookups
  --ldaploadcacert=<URL>
                        load CA certificate from the URL
  --enablesmartcard     enable authentication with smart card by default
  --disablesmartcard    disable authentication with smart card by default
  --enablerequiresmartcard
                        require smart card for authentication by default
  --disablerequiresmartcard
                        do not require smart card for authentication by default
  --smartcardmodule=<module>
                        default smart card module to use
  --smartcardaction=<0=Lock|1=Ignore>
                        action to be taken on smart card removal
  --enablefingerprint   enable authentication with fingerprint readers by default
  --disablefingerprint  disable authentication with fingerprint readers by default
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
  --krb5adminserver=<server>
                        default kerberos admin server
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
  --disablekrb5realmdns
                        disable use of DNS to find kerberos realms
  --enablewinbind       enable winbind for user information by default
  --disablewinbind      disable winbind for user information by default
  --enablewinbindauth   enable winbind for authentication by default
  --disablewinbindauth  disable winbind for authentication by default
  --smbsecurity=<user|server|domain|ads>
                        security mode to use for samba and winbind
  --smbrealm=<realm>    default realm for samba and winbind when security=ads
  --smbservers=<servers>
                        names of servers to authenticate against
  --smbworkgroup=<workgroup>
                        workgroup authentication servers are in
  --smbidmaprange=<lowest-highest>, --smbidmapuid=<lowest-highest>, --smbidmapgid=<lowest-highest>
                        uid range winbind will assign to domain or ads users
  --winbindseparator=<\>
                        the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
  --winbindtemplatehomedir=</home/%D/%U>
                        the directory which winbind-created users will have as home directories
  --winbindtemplateprimarygroup=<nobody>
                        the group which winbind-created users will have as their primary group
  --winbindtemplateshell=</bin/false>
                        the shell which winbind-created users will have as their login shell
  --enablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain in their user names are domain users
  --disablewinbindusedefaultdomain
                        configures winbind to assume that users with no domain in their user names are not domain users
  --enablewinbindoffline
                        configures winbind to allow offline login
  --disablewinbindoffline
                        configures winbind to prevent offline login
  --winbindjoin=<Administrator>
                        join the winbind domain or ads realm now as this administrator
  --enableipav2         enable IPAv2 for user information and authentication by default
  --disableipav2        disable IPAv2 for user information and authentication by default
  --ipav2domain=<domain>
                        the IPAv2 domain the system should be part of
  --ipav2realm=<realm>  the realm for the IPAv2 domain
  --ipav2server=<servers>
                        the server for the IPAv2 domain
  --enableipav2nontp    do not setup the NTP against the IPAv2 domain
  --disableipav2nontp   setup the NTP against the IPAv2 domain (default)
  --ipav2join=<account>
                        join the IPAv2 domain as this account
  --enablewins          enable wins for hostname resolution
  --disablewins         disable wins for hostname resolution
  --enablepreferdns     prefer dns over wins or nis for hostname resolution
  --disablepreferdns    do not prefer dns over wins or nis for hostname resolution
  --enablehesiod        enable hesiod for user information by default
  --disablehesiod       disable hesiod for user information by default
  --hesiodlhs=<lhs>     default hesiod LHS
  --hesiodrhs=<rhs>     default hesiod RHS
  --enablesssd          enable SSSD for user information by default with manually managed configuration
  --disablesssd         disable SSSD for user information by default (still used for supported configurations)
  --enablesssdauth      enable SSSD for authentication by default with manually managed configuration
  --disablesssdauth     disable SSSD for authentication by default (still used for supported configurations)
  --enableforcelegacy   never use SSSD implicitly even for supported configurations
  --disableforcelegacy  use SSSD implicitly if it supports the configuration
  --enablecachecreds    enable caching of user credentials in SSSD by default
  --disablecachecreds   disable caching of user credentials in SSSD by default
  --enablecache         enable caching of user information by default (automatically disabled when SSSD is used)
  --disablecache        disable caching of user information by default
  --enablelocauthorize  local authorization is sufficient for local users
  --disablelocauthorize
                        authorize local users also through remote service
  --enablepamaccess     check access.conf during account authorization
  --disablepamaccess    do not check access.conf during account authorization
  --enablesysnetauth    authenticate system accounts by network services
  --disablesysnetauth   authenticate system accounts by local files only
  --enablemkhomedir     create home directories for users on their first login
  --disablemkhomedir    do not create home directories for users on their first login
  --nostart             do not start/stop portmap, ypbind, and nscd
  --test                do not update the configuration files, only print new settings
  --update, --kickstart
                        opposite of --test, update configuration files with changed settings
  --updateall           update all configuration files
  --probe               probe network for defaults and print them
  --savebackup=<name>   save a backup of all configuration files
  --restorebackup=<name>
                        restore the backup of configuration files
  --restorelastbackup   restore the backup of configuration files saved before the previous configuration change
This article is reposted from the 51CTO blog of lajifeiwomoshu; original link: http://blog.51cto.com/lajifeiwomoshu/1982378