profiles: support switchable auth in sssd

pbrezina · next-actions/backport · commit c81614053696 · 2025-12-03T14:29:18.000Z
Resolves: authselect#369 (cherry picked from commit 1a84758)
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
@@ -41,6 +41,7 @@ dist_profile_sssd_DATA = \
     $(top_srcdir)/profiles/sssd/README \
     $(top_srcdir)/profiles/sssd/REQUIREMENTS \
     $(top_srcdir)/profiles/sssd/smartcard-auth \
+    $(top_srcdir)/profiles/sssd/switchable-auth \
     $(top_srcdir)/profiles/sssd/system-auth \
     $(top_srcdir)/profiles/sssd/fingerprint-auth \
     $(top_srcdir)/profiles/sssd/dconf-db \
diff --git a/profiles/sssd/README b/profiles/sssd/README
@@ -122,6 +122,11 @@ with-libvirt::
 with-tlog::
     Enable support for tlog session recordings in cooperation with SSSD.
 
+with-switchable-auth::
+    Generate switchable-auth PAM stack that can be used by login applications
+    to select the authentication method that shall be used to authenticate the
+    user.
+
 EXAMPLES
 --------
 
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
@@ -28,3 +28,6 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
                                                                                           {include if "with-systemd-homed"}
 - with-systemd-homed is selected, make sure that the system-homed service is enabled      {include if "with-systemd-homed"}
   - systemctl enable --now systemd-homed.service                                          {include if "with-systemd-homed"}
+                                                                                          {include if "with-switchable-auth"}
+- with-switchable-auth is selected, make sure to enable it in sssd.conf                   {include if "with-switchable-auth"}
+  - set "pam_json_services = list-of-services" in [pam] section                           {include if "with-switchable-auth"}
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
@@ -4,6 +4,7 @@
 enable-smartcard-authentication={if "with-smartcard":true|false}
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
 enable-password-authentication={if "with-smartcard-required":false|true}
+enable-switchable-authentication={if "with-switchable-auth":true|false}
 
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
 removal-action='lock-screen'                      {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/dconf-locks b/profiles/sssd/dconf-locks
@@ -1,4 +1,5 @@
 /org/gnome/login-screen/enable-smartcard-authentication
 /org/gnome/login-screen/enable-fingerprint-authentication
 /org/gnome/login-screen/enable-password-authentication
+/org/gnome/login-screen/enable-switchable-authentication
 /org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/switchable-auth b/profiles/sssd/switchable-auth
@@ -0,0 +1,17 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-switchable-auth"}
+{continue if "with-switchable-auth"}
+auth      [success=done ignore=ignore default=bad]     pam_selinux_permit.so
+auth      required                                     pam_env.so
+auth      required                                     pam_faildelay.so delay=2000000
+auth      required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
+auth      [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth      [default=1 ignore=ignore success=ok]         pam_localuser.so
+auth      sufficient                                   pam_unix.so nullok
+auth      [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+auth      sufficient                                   pam_sss.so
+auth      optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
+auth      required                                     pam_deny.so
+
+account   include system-auth
+password  include system-auth
+session	  include system-auth
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
@@ -165,6 +165,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
 %{_datadir}/authselect/default/sssd/README
 %{_datadir}/authselect/default/sssd/REQUIREMENTS
 %{_datadir}/authselect/default/sssd/smartcard-auth
+%{_datadir}/authselect/default/sssd/switchable-auth
 %{_datadir}/authselect/default/sssd/system-auth
 %{_datadir}/authselect/default/winbind/dconf-db
 %{_datadir}/authselect/default/winbind/dconf-locks
