AUTH-CLIENT-CONFIG(8) - Linux man page online | Administration and privileged commands

Pam and NSS profile switcher.

July 2007


auth-client-config - pam and NSS profile switcher


This program updates nsswitch.conf and pam configuration files to aid in authentication configuration. If the existing nsswitch.conf and pam system configuration does not exist in the profiles database, auth-client-config will comment out the current configuration in such a way that the changes can be undone by auth-client-config with the -r option.


auth-client-config -p PROFILE -a -t TYPE [-dn -f FILE] auth-client-config -p PROFILE -a -t TYPE -r [-n -f FILE] auth-client-config -p PROFILE -a -t TYPE -s [-f FILE]


--version show program's version number and exit -h, --help show this help message and exit -a, --all-types apply all types for specified profile -d, --database-only update file(s) only if current entries are in database -f FILE, --file=FILE update FILE instead of default -l, --list-profiles list available profiles -L, --list-types list available types -n, --dry-run don't modify anything, just show the changes -p PROFILE, --profile=PROFILE (required) use PROFILE -r, --reset reset file(s) to previous non-auth-client-config values. Will not remove the cur‐ rent entries unless they match PROFILE -s, --check-system determine if system files are set to PROFILE -S, --show-system show current system settings as a profile -t TYPE, --type=TYPE modify files for TYPE. Multiple types can be specified with a comma separated list.


Each time auth-client-config is run, it will check the profiles database (by default, /etc/auth-client-config/profile.d) for authentication profiles. Files may be added to the profiles database directory to support custom authentication configurations. This is use‐ ful for a distribution maintainer to have his/her authentication package put an authenti‐ cation profile into the profiles database, and then have his/her package use auth-client- config to update the system configuration. It also allows for an administrator to set up a single profile for site-wide network authentication roll-outs. The files in the profiles database use the .INI configuration file standard, and the syn‐ tax is: [example] nss_passwd=nsswitch.conf entry for 'passwd' nss_group=nsswitch.conf entry for 'group nss_shadow=nsswitch.conf entry for 'shadow' nss_netgroup=nsswitch.conf entry for 'netgroup' pam_auth=pam entry/entries for 'auth' pam_account=pam entry/entries for 'account' pam_password=pam entry/entries for 'password' pam_session=pam entry/entries for 'session' If you need to specify multiple entries for a specific type (which is often the case with PAM), then simply list additional entries on a newline preceded by a tab. For example, an entry for local configuration might be: [example_local] nss_passwd=passwd: files nss_group=group: files nss_shadow=shadow: files nss_netgroup=netgroup: nis pam_auth=auth required nullok_secure debug pam_account=account required debug pam_password=password required nullok obscure \ min=4 max=8 md5 debug pam_session=session required debug session optional Notice how in the above, pam_session has two entries (pam_password in this example should be all on one line, hence the '\'). To use the above entry with auth-client-config, create a file with the above entries in it and put the file into the profiles database directory (typically named after the profile or package that added it). Now call auth-client-config with: auth-client-config -a -p example_local


Set nsswitch.conf and pam to use the 'example_local' profile: auth-client-config -a -p example_local Set only nsswitch.conf to use the 'example_local' profile, but only if current nss‐ witch.conf entries exist in the profiles database: auth-client-config -t nss -p example_local -d Restore nsswitch.conf and pam to previous non-auth-client-config files: auth-client-config -a -p example_local -r


If two or more profiles have the same name, only the last one will be used. Additionally, if a profile in the profiles database has more than one entry for a particular field (eg, two 'nss_passwd' entries), then then the last one read will be used. auth-client-config strips out all carriage returns when run on Unix.


nsswitch.conf(5), pam(7)


auth-client-config is copyright 2007-2008 by Jamie Strandboge This manual page was originally written by Jamie Strandboge <>
This manual Reference Other manuals
auth-client-config(8) referred by
refer to nsswitch.conf(5) | PAM(7)
Download raw manual
Index № 8 (+5755)
Go top