profiles: support switchable auth in sssd

pbrezina · pbrezina · commit 99fde7bd68d1 · 2025-12-04T12:26:21.000+01:00
Resolves: authselect#369 (cherry picked from commit 1a84758)
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
@@ -39,6 +39,7 @@ dist_profile_sssd_DATA = \
     $(top_srcdir)/profiles/sssd/README \
     $(top_srcdir)/profiles/sssd/REQUIREMENTS \
     $(top_srcdir)/profiles/sssd/smartcard-auth \
+    $(top_srcdir)/profiles/sssd/switchable-auth \
     $(top_srcdir)/profiles/sssd/system-auth \
     $(top_srcdir)/profiles/sssd/fingerprint-auth \
     $(top_srcdir)/profiles/sssd/dconf-db \
diff --git a/profiles/sssd/README b/profiles/sssd/README
@@ -128,6 +128,11 @@ Ignore "automount" database set by the profile.
 with-custom-services::
 Ignore "services" database set by the profile.
 
+with-switchable-auth::
+    Generate switchable-auth PAM stack that can be used by login applications
+    to select the authentication method that shall be used to authenticate the
+    user.
+
 EXAMPLES
 --------
 
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
@@ -25,3 +25,6 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
 - with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD        {include if "with-gssapi"}
   - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf          {include if "with-gssapi"}
   - see additional information in pam_sss_gss(8)                                          {include if "with-gssapi"}
+                                                                                          {include if "with-switchable-auth"}
+- with-switchable-auth is selected, make sure to enable it in sssd.conf                   {include if "with-switchable-auth"}
+  - set "pam_json_services = list-of-services" in [pam] section                           {include if "with-switchable-auth"}
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
@@ -4,6 +4,7 @@
 enable-smartcard-authentication={if "with-smartcard":true|false}
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
 enable-password-authentication={if "with-smartcard-required":false|true}
+enable-switchable-authentication={if "with-switchable-auth":true|false}
 
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
 removal-action='lock-screen'                      {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/dconf-locks b/profiles/sssd/dconf-locks
@@ -1,4 +1,5 @@
 /org/gnome/login-screen/enable-smartcard-authentication
 /org/gnome/login-screen/enable-fingerprint-authentication
 /org/gnome/login-screen/enable-password-authentication
+/org/gnome/login-screen/enable-switchable-authentication
 /org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/switchable-auth b/profiles/sssd/switchable-auth
@@ -0,0 +1,17 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-switchable-auth"}
+{continue if "with-switchable-auth"}
+auth      [success=done ignore=ignore default=bad]     pam_selinux_permit.so
+auth      required                                     pam_env.so
+auth      required                                     pam_faildelay.so delay=2000000
+auth      required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
+auth      [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth      [default=1 ignore=ignore success=ok]         pam_localuser.so
+auth      sufficient                                   pam_unix.so nullok
+auth      [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth      sufficient                                   pam_sss.so
+auth      optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
+auth      required                                     pam_deny.so
+
+account   include system-auth
+password  include system-auth
+session	  include system-auth
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
@@ -199,6 +199,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
 %{_datadir}/authselect/default/sssd/README
 %{_datadir}/authselect/default/sssd/REQUIREMENTS
 %{_datadir}/authselect/default/sssd/smartcard-auth
+%{_datadir}/authselect/default/sssd/switchable-auth
 %{_datadir}/authselect/default/sssd/system-auth
 %{_datadir}/authselect/default/winbind/dconf-db
 %{_datadir}/authselect/default/winbind/dconf-locks
