/login.defs

http://github.com/brinkman83/bashrc · Unknown · 348 lines · 311 code · 37 blank · 0 comment · 0 complexity · 182bb938192636c8b62e3d4349de6f72 MD5 · raw file

  1. #
  2. # /etc/login.defs - Configuration control definitions for the login package.
  3. #
  4. # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
  5. # If unspecified, some arbitrary (and possibly incorrect) value will
  6. # be assumed. All other items are optional - if not specified then
  7. # the described action or option will be inhibited.
  8. #
  9. # Comment lines (lines beginning with "#") and blank lines are ignored.
  10. #
  11. # Modified for Linux. --marekm
  12. # REQUIRED for useradd/userdel/usermod
  13. # Directory where mailboxes reside, _or_ name of file, relative to the
  14. # home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
  15. # MAIL_DIR takes precedence.
  16. #
  17. # Essentially:
  18. # - MAIL_DIR defines the location of users mail spool files
  19. # (for mbox use) by appending the username to MAIL_DIR as defined
  20. # below.
  21. # - MAIL_FILE defines the location of the users mail spool files as the
  22. # fully-qualified filename obtained by prepending the user home
  23. # directory before $MAIL_FILE
  24. #
  25. # NOTE: This is no more used for setting up users MAIL environment variable
  26. # which is, starting from shadow 4.0.12-1 in Debian, entirely the
  27. # job of the pam_mail PAM modules
  28. # See default PAM configuration files provided for
  29. # login, su, etc.
  30. #
  31. # This is a temporary situation: setting these variables will soon
  32. # move to /etc/default/useradd and the variables will then be
  33. # no more supported
  34. MAIL_DIR /var/mail
  35. #MAIL_FILE .mail
  36. #
  37. # Enable logging and display of /var/log/faillog login failure info.
  38. # This option conflicts with the pam_tally PAM module.
  39. #
  40. FAILLOG_ENAB yes
  41. #
  42. # Enable display of unknown usernames when login failures are recorded.
  43. #
  44. # WARNING: Unknown usernames may become world readable.
  45. # See #290803 and #298773 for details about how this could become a security
  46. # concern
  47. LOG_UNKFAIL_ENAB no
  48. #
  49. # Enable logging of successful logins
  50. #
  51. LOG_OK_LOGINS no
  52. #
  53. # Enable "syslog" logging of su activity - in addition to sulog file logging.
  54. # SYSLOG_SG_ENAB does the same for newgrp and sg.
  55. #
  56. SYSLOG_SU_ENAB yes
  57. SYSLOG_SG_ENAB yes
  58. #
  59. # If defined, all su activity is logged to this file.
  60. #
  61. #SULOG_FILE /var/log/sulog
  62. #
  63. # If defined, file which maps tty line to TERM environment parameter.
  64. # Each line of the file is in a format something like "vt100 tty01".
  65. #
  66. #TTYTYPE_FILE /etc/ttytype
  67. #
  68. # If defined, login failures will be logged here in a utmp format
  69. # last, when invoked as lastb, will read /var/log/btmp, so...
  70. #
  71. FTMP_FILE /var/log/btmp
  72. #
  73. # If defined, the command name to display when running "su -". For
  74. # example, if this is defined as "su" then a "ps" will display the
  75. # command is "-su". If not defined, then "ps" would display the
  76. # name of the shell actually being run, e.g. something like "-sh".
  77. #
  78. SU_NAME su
  79. #
  80. # If defined, file which inhibits all the usual chatter during the login
  81. # sequence. If a full pathname, then hushed mode will be enabled if the
  82. # user's name or shell are found in the file. If not a full pathname, then
  83. # hushed mode will be enabled if the file exists in the user's home directory.
  84. #
  85. HUSHLOGIN_FILE .hushlogin
  86. #HUSHLOGIN_FILE /etc/hushlogins
  87. #
  88. # *REQUIRED* The default PATH settings, for superuser and normal users.
  89. #
  90. # (they are minimal, add the rest in the shell startup files)
  91. ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  92. ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
  93. #
  94. # Terminal permissions
  95. #
  96. # TTYGROUP Login tty will be assigned this group ownership.
  97. # TTYPERM Login tty will be set to this permission.
  98. #
  99. # If you have a "write" program which is "setgid" to a special group
  100. # which owns the terminals, define TTYGROUP to the group number and
  101. # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
  102. # TTYPERM to either 622 or 600.
  103. #
  104. # In Debian /usr/bin/bsd-write or similar programs are setgid tty
  105. # However, the default and recommended value for TTYPERM is still 0600
  106. # to not allow anyone to write to anyone else console or terminal
  107. # Users can still allow other people to write them by issuing
  108. # the "mesg y" command.
  109. TTYGROUP tty
  110. TTYPERM 0600
  111. #
  112. # Login configuration initializations:
  113. #
  114. # ERASECHAR Terminal ERASE character ('\010' = backspace).
  115. # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
  116. # UMASK Default "umask" value.
  117. #
  118. # The ERASECHAR and KILLCHAR are used only on System V machines.
  119. #
  120. # UMASK usage is discouraged because it catches only some classes of user
  121. # entries to system, in fact only those made through login(1), while setting
  122. # umask in shell rc file will catch also logins through su, cron, ssh etc.
  123. #
  124. # At the same time, using shell rc to set umask won't catch entries which use
  125. # non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
  126. # user and alike.
  127. #
  128. # Therefore the use of pam_umask is recommended as the solution which
  129. # catches all these cases on PAM-enabled systems.
  130. #
  131. # This avoids the confusion created by having the umask set
  132. # in two different places -- in login.defs and shell rc files (i.e.
  133. # /etc/profile).
  134. #
  135. # For discussion, see #314539 and #248150 as well as the thread starting at
  136. # http://lists.debian.org/debian-devel/2005/06/msg01598.html
  137. #
  138. # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
  139. #
  140. ERASECHAR 0177
  141. KILLCHAR 025
  142. # 022 is the "historical" value in Debian for UMASK when it was used
  143. # 027, or even 077, could be considered better for privacy
  144. # There is no One True Answer here : each sysadmin must make up his/her
  145. # mind.
  146. #UMASK 022
  147. #
  148. # Password aging controls:
  149. #
  150. # PASS_MAX_DAYS Maximum number of days a password may be used.
  151. # PASS_MIN_DAYS Minimum number of days allowed between password changes.
  152. # PASS_WARN_AGE Number of days warning given before a password expires.
  153. #
  154. PASS_MAX_DAYS 99999
  155. PASS_MIN_DAYS 0
  156. PASS_WARN_AGE 7
  157. #
  158. # Min/max values for automatic uid selection in useradd
  159. #
  160. UID_MIN 1000
  161. UID_MAX 60000
  162. # System accounts
  163. #SYS_UID_MIN 100
  164. #SYS_UID_MAX 999
  165. #
  166. # Min/max values for automatic gid selection in groupadd
  167. #
  168. GID_MIN 1000
  169. GID_MAX 60000
  170. # System accounts
  171. #SYS_GID_MIN 100
  172. #SYS_GID_MAX 999
  173. #
  174. # Max number of login retries if password is bad. This will most likely be
  175. # overriden by PAM, since the default pam_unix module has it's own built
  176. # in of 3 retries. However, this is a safe fallback in case you are using
  177. # an authentication module that does not enforce PAM_MAXTRIES.
  178. #
  179. LOGIN_RETRIES 5
  180. #
  181. # Max time in seconds for login
  182. #
  183. LOGIN_TIMEOUT 60
  184. #
  185. # Which fields may be changed by regular users using chfn - use
  186. # any combination of letters "frwh" (full name, room number, work
  187. # phone, home phone). If not defined, no changes are allowed.
  188. # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
  189. #
  190. CHFN_RESTRICT rwh
  191. #
  192. # Should login be allowed if we can't cd to the home directory?
  193. # Default in no.
  194. #
  195. DEFAULT_HOME yes
  196. #
  197. # If defined, this command is run when removing a user.
  198. # It should remove any at/cron/print jobs etc. owned by
  199. # the user to be removed (passed as the first argument).
  200. #
  201. #USERDEL_CMD /usr/sbin/userdel_local
  202. #
  203. # This enables userdel to remove user groups if no members exist.
  204. #
  205. # Other former uses of this variable such as setting the umask when
  206. # user==primary group are not used in PAM environments, thus in Debian
  207. #
  208. USERGROUPS_ENAB yes
  209. #
  210. # Instead of the real user shell, the program specified by this parameter
  211. # will be launched, although its visible name (argv[0]) will be the shell's.
  212. # The program may do whatever it wants (logging, additional authentification,
  213. # banner, ...) before running the actual shell.
  214. #
  215. # FAKE_SHELL /bin/fakeshell
  216. #
  217. # If defined, either full pathname of a file containing device names or
  218. # a ":" delimited list of device names. Root logins will be allowed only
  219. # upon these devices.
  220. #
  221. # This variable is used by login and su.
  222. #
  223. #CONSOLE /etc/consoles
  224. #CONSOLE console:tty01:tty02:tty03:tty04
  225. #
  226. # List of groups to add to the user's supplementary group set
  227. # when logging in on the console (as determined by the CONSOLE
  228. # setting). Default is none.
  229. #
  230. # Use with caution - it is possible for users to gain permanent
  231. # access to these groups, even when not logged in on the console.
  232. # How to do it is left as an exercise for the reader...
  233. #
  234. # This variable is used by login and su.
  235. #
  236. #CONSOLE_GROUPS floppy:audio:cdrom
  237. #
  238. # If set to "yes", new passwords will be encrypted using the MD5-based
  239. # algorithm compatible with the one used by recent releases of FreeBSD.
  240. # It supports passwords of unlimited length and longer salt strings.
  241. # Set to "no" if you need to copy encrypted passwords to other systems
  242. # which don't understand the new algorithm. Default is "no".
  243. #
  244. # This variable is deprecated. You should use ENCRYPT_METHOD.
  245. #
  246. #MD5_CRYPT_ENAB no
  247. #
  248. # If set to MD5 , MD5-based algorithm will be used for encrypting password
  249. # If set to SHA256, SHA256-based algorithm will be used for encrypting password
  250. # If set to SHA512, SHA512-based algorithm will be used for encrypting password
  251. # If set to DES, DES-based algorithm will be used for encrypting password (default)
  252. # Overrides the MD5_CRYPT_ENAB option
  253. #
  254. # Note: It is recommended to use a value consistent with
  255. # the PAM modules configuration.
  256. #
  257. ENCRYPT_METHOD SHA512
  258. #
  259. # Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
  260. #
  261. # Define the number of SHA rounds.
  262. # With a lot of rounds, it is more difficult to brute forcing the password.
  263. # But note also that it more CPU resources will be needed to authenticate
  264. # users.
  265. #
  266. # If not specified, the libc will choose the default number of rounds (5000).
  267. # The values must be inside the 1000-999999999 range.
  268. # If only one of the MIN or MAX values is set, then this value will be used.
  269. # If MIN > MAX, the highest value will be used.
  270. #
  271. # SHA_CRYPT_MIN_ROUNDS 5000
  272. # SHA_CRYPT_MAX_ROUNDS 5000
  273. ################# OBSOLETED BY PAM ##############
  274. # #
  275. # These options are now handled by PAM. Please #
  276. # edit the appropriate file in /etc/pam.d/ to #
  277. # enable the equivelants of them.
  278. #
  279. ###############
  280. #MOTD_FILE
  281. #DIALUPS_CHECK_ENAB
  282. #LASTLOG_ENAB
  283. #MAIL_CHECK_ENAB
  284. #OBSCURE_CHECKS_ENAB
  285. #PORTTIME_CHECKS_ENAB
  286. #SU_WHEEL_ONLY
  287. #CRACKLIB_DICTPATH
  288. #PASS_CHANGE_TRIES
  289. #PASS_ALWAYS_WARN
  290. #ENVIRON_FILE
  291. #NOLOGINS_FILE
  292. #ISSUE_FILE
  293. #PASS_MIN_LEN
  294. #PASS_MAX_LEN
  295. #ULIMIT
  296. #ENV_HZ
  297. #CHFN_AUTH
  298. #CHSH_AUTH
  299. #FAIL_DELAY
  300. ################# OBSOLETED #######################
  301. # #
  302. # These options are no more handled by shadow. #
  303. # #
  304. # Shadow utilities will display a warning if they #
  305. # still appear. #
  306. # #
  307. ###################################################
  308. # CLOSE_SESSIONS
  309. # LOGIN_STRING
  310. # NO_PASSWORD_CONSOLE
  311. # QMAIL_DIR