時間：2017.11.16

作者：李強

參考：man,info，magedu講義

聲明：以下英文純屬個人翻譯，英文B級，歡迎糾正，盜版不糾,才能有限，希望不誤人子弟為好。

1、使用目的與場景

? 先列在這里，以后就知道怎么用了

2、官方說明

??

?an interface for configuring system authentication resources

3、寫在前面

? ??現在用authconfig --passalgo=sha256 --update 來更新加密算法

?

4、修改文件及涉及的環境變量

?/etc/sysconfig/authconfig用于跟蹤是否啟用了特定的身份驗證機制。目前包括變量名為?USESHADOW,?USEMD5,USEKERBEROS,?USELDAPAUTH,?USESMBAUTH,?USEWINBIND,USEWINBINDAUTH、USEHESIOD、USENIS、USELDAP等其他/etc/passwd/etc/shadowUsed?for?shadow?password?support./etc/yp.confConfiguration?file?for?NIS?support./etc/sysconfig/networkAnother?configuration?file?for?NIS?support./etc/ldap.conf/etc/nss_ldap.conf/etc/pam_ldap.conf/etc/nslcd.conf/etc/openldap/ldap.conf用于配置?nss_ldap、pam_ldap、nslcd?和?OpenLDAP?庫。僅當經存在系統上的文件被更改。/etc/krb5.conf???????用于Kerberos?5.???/etc/hesiod.conf?????用于配置Hesiod???????/etc/samba/smb.conf??用于配置?winbind?身份驗證?????????/etc/nsswitch.conf???用于配置用戶信息服務?????????/etc/login.defs??????用于配置用戶帳戶的參數?(常規用戶的最小UID,?密碼哈希算法)??????????/etc/pam.d/system-auth用于系統服務的通用?PAM?配置,其中包括使用?include，指令只能被添加軟鏈接不能被添加硬鏈接??????????/etc/pam.d/system-auth-ac?包含系統服務的實際?PAM?配置,?并且是/etc/pam.d/system-auth的符號鏈接如果創建了PAM的本地配置?(并symlinked從system-auth文件)，該文件就會被包含在那里。

? ?

5、用法

NAME系統驗證資源配置的一個接口，authconfig-tui是簡單的圖形化配置界面，就好像setup一樣的。
SYNOPSISauthconfig[options]?{--update|--updateall|--test|--probe|--restorebackup<name>|--savebackup?<name>|--restorelastbackup}
DESCRIPTIONauthconfig提供了一個簡單的方式去配置?/etc/sysconfig/network去支持NIS功能,也為/etc/passwd和/etc/shadow提供密碼策略方面的支持，同時也支持Basic?LDAP,?Kerberos?5,?和Winbind?客戶端的配置。???--test參數的話，authconfig可以被除了root意外的用戶使用，任何改變都不會被保存只會被打印出來，看下效果。--update參數的話，就必須是root權限用戶，配置會被保存，僅僅修改的文件會被重新寫入--updateall參數的話，同上，但是所有的配置文件都會被修改--probe?使用DNS或者其他的方式來猜測當前主機的配置，如果找到就通過STDOUT輸出然后退出--restorebackup?--savebackup?--restorelastbackup參數提供了保存和恢復被authconfg修改的文件的可能，authconfig每次操作前也會自動備份配置文件信息，這個備份信息可以被--restorelastbackup恢復以下是一些options如果指定了--nostart?(這是安裝程序所做的),?ypbind?或其他守護進程將不會啟動
或在程序執行后立即停止,?但只在啟動時啟用或停止。
--enablenis,--enableldap,--enablewinbind,?和--enablehesiod選項用于配置用戶的信息服務
/etc/nsswitch.conf,?--enablecache?選項用于配置命名服務緩存,
--enableshadow,--enableldapauth,--enablekrb5,?--enablewinbindauth?選項用于配置
認證功能通過/etc/pam.d/system-auth。
每一個--enable都對應一個--disable選項
用于存儲新密碼哈希值的算法可以由?--passalgo?選項指定,?它采用
下列可能的值作為參數:?descrypt、bigcrypt、md5、sha256?和?sha512。
--enablelocauthorize?選項允許繞過檢查網絡認證服務的授權
--enablesysnetauth???允許這些服務對系統帳戶?(uid?<500或者1000(centos7）)?進行身份驗證。
當配置設置允許用戶信息服務和身份驗證使用?SSSD?時,?SSSD將自動使用,而不是老的服務，
SSSD?配置將被設置,?所以有一個使用連接服務所需的設置填充的默認域。
--enablesssd和--enablesss?選項強制添加SSSD到/etc/nsswitch.conf?and?/etc/pam.d/system-auth,
但它們不設置SSSD?配置文件中的域。?SSSD配置必須手動設置。允許的配置SSSD?服務的配給是:?
LDAP為用戶信息(-enableldap)和任一LDAP(--enableldapauth),或?Kerberos(--enablekrb5)
進行身份驗證。
如果?SSSD不支持站點配置所需的舊式服務的某些功能,
通過在/etc/sysconfig/authconfig中設置?FORCELEGACY=yes?,?可以強制使用舊式服務。
在手冊頁中提到的選項列表不是詳盡無遺的,?請參考?authconfig--help?完整的列表authconfig--tui支持authconfig所有的選項,但它意味著--update作為默認操作。
它的窗口默認情況下包含"Cancel"按鈕。如果在運行時指定了--back選項,則顯示"Back"按鈕而不是
"Cancel".如果指定了"--kickstart",將不會看到交互式屏幕。程序將使用的值將由其他選項
(-passalgo,-enableshadow,?等等)指定。對于namelist,您可以用單個名稱或逗號分隔的名稱列表替換。

? 以下是authconfig --help 的完整options

Options:-h,?--help??????????????show?this?help?message?and?exit--enableshadow,?--useshadowenable?shadowed?passwords?by?default--disableshadow?????????disable?shadowed?passwords?by?default--enablemd5,?--usemd5enable?MD5?passwords?by?default--disablemd5????????????disable?MD5?passwords?by?default--passalgo=<descrypt|bigcrypt|md5|sha256|sha512>hash/crypt?algorithm?for?new?passwords--enablenis?????????????enable?NIS?for?user?information?by?default--disablenis????????????disable?NIS?for?user?information?by?default--nisdomain=<domain>????default?NIS?domain--nisserver=<server>????default?NIS?server--enableldap????????????enable?LDAP?for?user?information?by?default--disableldap???????????disable?LDAP?for?user?information?by?default--enableldapauth????????enable?LDAP?for?authentication?by?default--disableldapauth???????disable?LDAP?for?authentication?by?default--ldapserver=<server>default?LDAP?server?hostname?or?URI--ldapbasedn=<dn>???????default?LDAP?base?DN--enableldaptls,?--enableldapstarttlsenable?use?of?TLS?with?LDAP?(RFC-2830)--disableldaptls,?--disableldapstarttlsdisable?use?of?TLS?with?LDAP?(RFC-2830)--enablerfc2307bis??????enable?use?of?RFC-2307bis?schema?for?LDAP?user?information?lookups--disablerfc2307bis?????disable?use?of?RFC-2307bis?schema?for?LDAP?user?information?lookups--ldaploadcacert=<URL>load?CA?certificate?from?the?URL--enablesmartcard???????enable?authentication?with?smart?card?by?default--disablesmartcard??????disable?authentication?with?smart?card?by?default--enablerequiresmartcardrequire?smart?card?for?authentication?by?default--disablerequiresmartcarddo?not?require?smart?card?for?authentication?by?default--smartcardmodule=<module>default?smart?card?module?to?use--smartcardaction=<0=Lock|1=Ignore>action?to?be?taken?on?smart?card?removal--enablefingerprint?????enable?authentication?with?fingerprint?readers?by?default--disablefingerprint????disable?authentication?with?fingerprint?readers?by?default--enablekrb5????????????enable?kerberos?authentication?by?default--disablekrb5???????????disable?kerberos?authentication?by?default--krb5kdc=<server>??????default?kerberos?KDC--krb5adminserver=<server>default?kerberos?admin?server--krb5realm=<realm>?????default?kerberos?realm--enablekrb5kdcdns??????enable?use?of?DNS?to?find?kerberos?KDCs--disablekrb5kdcdns?????disable?use?of?DNS?to?find?kerberos?KDCs--enablekrb5realmdns????enable?use?of?DNS?to?find?kerberos?realms--disablekrb5realmdnsdisable?use?of?DNS?to?find?kerberos?realms--enablewinbind?????????enable?winbind?for?user?information?by?default--disablewinbind????????disable?winbind?for?user?information?by?default--enablewinbindauth?????enable?winbind?for?authentication?by?default--disablewinbindauth????disable?winbind?for?authentication?by?default--smbsecurity=<user|server|domain|ads>security?mode?to?use?for?samba?and?winbind--smbrealm=<realm>??????default?realm?for?samba?and?winbind?when?security=ads--smbservers=<servers>names?of?servers?to?authenticate?against--smbworkgroup=<workgroup>workgroup?authentication?servers?are?in--smbidmaprange=<lowest-highest>,?--smbidmapuid=<lowest-highest>,?--smbidmapgid=<lowest-highest>uid?range?winbind?will?assign?to?domain?or?ads?users--winbindseparator=<\>the?character?which?will?be?used?to?separate?the?domain?and?user?part?of?winbind-created?user?names?if?winbindusedefaultdomain?is?not?enabled--winbindtemplatehomedir=</home/%D/%U>the?directory?which?winbind-created?users?will?have?as?home?directories--winbindtemplateprimarygroup=<nobody>the?group?which?winbind-created?users?will?have?as?their?primary?group--winbindtemplateshell=</bin/false>the?shell?which?winbind-created?users?will?have?as?their?login?shell--enablewinbindusedefaultdomainconfigures?winbind?to?assume?that?users?with?no?domain?in?their?user?names?are?domain?users--disablewinbindusedefaultdomainconfigures?winbind?to?assume?that?users?with?no?domain?in?their?user?names?are?not?domain?users--enablewinbindofflineconfigures?winbind?to?allow?offline?login--disablewinbindofflineconfigures?winbind?to?prevent?offline?login--winbindjoin=<Administrator>join?the?winbind?domain?or?ads?realm?now?as?this?administrator--enableipav2???????????enable?IPAv2?for?user?information?and?authentication?by?default--disableipav2??????????disable?IPAv2?for?user?information?and?authentication?by?default--ipav2domain=<domain>the?IPAv2?domain?the?system?should?be?part?of--ipav2realm=<realm>????the?realm?for?the?IPAv2?domain--ipav2server=<servers>the?server?for?the?IPAv2?domain--enableipav2nontp??????do?not?setup?the?NTP?against?the?IPAv2?domain--disableipav2nontp?????setup?the?NTP?against?the?IPAv2?domain?(default)--ipav2join=<account>join?the?IPAv2?domain?as?this?account--enablewins????????????enable?wins?for?hostname?resolution--disablewins???????????disable?wins?for?hostname?resolution--enablepreferdns???????prefer?dns?over?wins?or?nis?for?hostname?resolution--disablepreferdns??????do?not?prefer?dns?over?wins?or?nis?for?hostname?resolution--enablehesiod??????????enable?hesiod?for?user?information?by?default--disablehesiod?????????disable?hesiod?for?user?information?by?default--hesiodlhs=<lhs>???????default?hesiod?LHS--hesiodrhs=<rhs>???????default?hesiod?RHS--enablesssd????????????enable?SSSD?for?user?information?by?default?with?manually?managed?configuration--disablesssd???????????disable?SSSD?for?user?information?by?default?(still?used?for?supported?configurations)--enablesssdauth????????enable?SSSD?for?authentication?by?default?with?manually?managed?configuration--disablesssdauth???????disable?SSSD?for?authentication?by?default?(still?used?for?supported?configurations--enableforcelegacy?????never?use?SSSD?implicitly?even?for?supported?configurations--disableforcelegacy????use?SSSD?implicitly?if?it?supports?the?configuration--enablecachecreds??????enable?caching?of?user?credentials?in?SSSD?by?default--disablecachecreds?????disable?caching?of?user?credentials?in?SSSD?by?default--enablecache???????????enable?caching?of?user?information?by?default?(automatically?disabled?when?SSSD?is?used)--disablecache??????????disable?caching?of?user?information?by?default--enablelocauthorize????local?authorization?is?sufficient?for?local?users--disablelocauthorizeauthorize?local?users?also?through?remote?service--enablepamaccess???????check?access.conf?during?account?authorization--disablepamaccess??????do?not?check?access.conf?during?account?authorization--enablesysnetauth??????authenticate?system?accounts?by?network?services--disablesysnetauth?????authenticate?system?accounts?by?local?files?only--enablemkhomedir???????create?home?directories?for?users?on?their?first?login--disablemkhomedir??????do?not?create?home?directories?for?users?on?their?first?login--nostart???????????????do?not?start/stop?portmap,?ypbind,?and?nscd--test??????????????????do?not?update?the?configuration?files,?only?print?new?settings--update,?--kickstartopposite?of?--test,?update?configuration?files?with?changed?settings--updateall?????????????update?all?configuration?files--probe?????????????????probe?network?for?defaults?and?print?them--savebackup=<name>?????save?a?backup?of?all?configuration?files--restorebackup=<name>restore?the?backup?of?configuration?files--restorelastbackup?????restore?the?backup?of?configuration?files?saved?before?the?previous?configuration?change