/login.defs
Unknown | 348 lines | 311 code | 37 blank | 0 comment | 0 complexity | 182bb938192636c8b62e3d4349de6f72 MD5 | raw file
1# 2# /etc/login.defs - Configuration control definitions for the login package. 3# 4# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. 5# If unspecified, some arbitrary (and possibly incorrect) value will 6# be assumed. All other items are optional - if not specified then 7# the described action or option will be inhibited. 8# 9# Comment lines (lines beginning with "#") and blank lines are ignored. 10# 11# Modified for Linux. --marekm 12 13# REQUIRED for useradd/userdel/usermod 14# Directory where mailboxes reside, _or_ name of file, relative to the 15# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, 16# MAIL_DIR takes precedence. 17# 18# Essentially: 19# - MAIL_DIR defines the location of users mail spool files 20# (for mbox use) by appending the username to MAIL_DIR as defined 21# below. 22# - MAIL_FILE defines the location of the users mail spool files as the 23# fully-qualified filename obtained by prepending the user home 24# directory before $MAIL_FILE 25# 26# NOTE: This is no more used for setting up users MAIL environment variable 27# which is, starting from shadow 4.0.12-1 in Debian, entirely the 28# job of the pam_mail PAM modules 29# See default PAM configuration files provided for 30# login, su, etc. 31# 32# This is a temporary situation: setting these variables will soon 33# move to /etc/default/useradd and the variables will then be 34# no more supported 35MAIL_DIR /var/mail 36#MAIL_FILE .mail 37 38# 39# Enable logging and display of /var/log/faillog login failure info. 40# This option conflicts with the pam_tally PAM module. 41# 42FAILLOG_ENAB yes 43 44# 45# Enable display of unknown usernames when login failures are recorded. 46# 47# WARNING: Unknown usernames may become world readable. 48# See #290803 and #298773 for details about how this could become a security 49# concern 50LOG_UNKFAIL_ENAB no 51 52# 53# Enable logging of successful logins 54# 55LOG_OK_LOGINS no 56 57# 58# Enable "syslog" logging of su activity - in addition to sulog file logging. 59# SYSLOG_SG_ENAB does the same for newgrp and sg. 60# 61SYSLOG_SU_ENAB yes 62SYSLOG_SG_ENAB yes 63 64# 65# If defined, all su activity is logged to this file. 66# 67#SULOG_FILE /var/log/sulog 68 69# 70# If defined, file which maps tty line to TERM environment parameter. 71# Each line of the file is in a format something like "vt100 tty01". 72# 73#TTYTYPE_FILE /etc/ttytype 74 75# 76# If defined, login failures will be logged here in a utmp format 77# last, when invoked as lastb, will read /var/log/btmp, so... 78# 79FTMP_FILE /var/log/btmp 80 81# 82# If defined, the command name to display when running "su -". For 83# example, if this is defined as "su" then a "ps" will display the 84# command is "-su". If not defined, then "ps" would display the 85# name of the shell actually being run, e.g. something like "-sh". 86# 87SU_NAME su 88 89# 90# If defined, file which inhibits all the usual chatter during the login 91# sequence. If a full pathname, then hushed mode will be enabled if the 92# user's name or shell are found in the file. If not a full pathname, then 93# hushed mode will be enabled if the file exists in the user's home directory. 94# 95HUSHLOGIN_FILE .hushlogin 96#HUSHLOGIN_FILE /etc/hushlogins 97 98# 99# *REQUIRED* The default PATH settings, for superuser and normal users. 100# 101# (they are minimal, add the rest in the shell startup files) 102ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 103ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games 104 105# 106# Terminal permissions 107# 108# TTYGROUP Login tty will be assigned this group ownership. 109# TTYPERM Login tty will be set to this permission. 110# 111# If you have a "write" program which is "setgid" to a special group 112# which owns the terminals, define TTYGROUP to the group number and 113# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign 114# TTYPERM to either 622 or 600. 115# 116# In Debian /usr/bin/bsd-write or similar programs are setgid tty 117# However, the default and recommended value for TTYPERM is still 0600 118# to not allow anyone to write to anyone else console or terminal 119 120# Users can still allow other people to write them by issuing 121# the "mesg y" command. 122 123TTYGROUP tty 124TTYPERM 0600 125 126# 127# Login configuration initializations: 128# 129# ERASECHAR Terminal ERASE character ('\010' = backspace). 130# KILLCHAR Terminal KILL character ('\025' = CTRL/U). 131# UMASK Default "umask" value. 132# 133# The ERASECHAR and KILLCHAR are used only on System V machines. 134# 135# UMASK usage is discouraged because it catches only some classes of user 136# entries to system, in fact only those made through login(1), while setting 137# umask in shell rc file will catch also logins through su, cron, ssh etc. 138# 139# At the same time, using shell rc to set umask won't catch entries which use 140# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" 141# user and alike. 142# 143# Therefore the use of pam_umask is recommended as the solution which 144# catches all these cases on PAM-enabled systems. 145# 146# This avoids the confusion created by having the umask set 147# in two different places -- in login.defs and shell rc files (i.e. 148# /etc/profile). 149# 150# For discussion, see #314539 and #248150 as well as the thread starting at 151# http://lists.debian.org/debian-devel/2005/06/msg01598.html 152# 153# Prefix these values with "0" to get octal, "0x" to get hexadecimal. 154# 155ERASECHAR 0177 156KILLCHAR 025 157# 022 is the "historical" value in Debian for UMASK when it was used 158# 027, or even 077, could be considered better for privacy 159# There is no One True Answer here : each sysadmin must make up his/her 160# mind. 161#UMASK 022 162 163# 164# Password aging controls: 165# 166# PASS_MAX_DAYS Maximum number of days a password may be used. 167# PASS_MIN_DAYS Minimum number of days allowed between password changes. 168# PASS_WARN_AGE Number of days warning given before a password expires. 169# 170PASS_MAX_DAYS 99999 171PASS_MIN_DAYS 0 172PASS_WARN_AGE 7 173 174# 175# Min/max values for automatic uid selection in useradd 176# 177UID_MIN 1000 178UID_MAX 60000 179# System accounts 180#SYS_UID_MIN 100 181#SYS_UID_MAX 999 182 183# 184# Min/max values for automatic gid selection in groupadd 185# 186GID_MIN 1000 187GID_MAX 60000 188# System accounts 189#SYS_GID_MIN 100 190#SYS_GID_MAX 999 191 192# 193# Max number of login retries if password is bad. This will most likely be 194# overriden by PAM, since the default pam_unix module has it's own built 195# in of 3 retries. However, this is a safe fallback in case you are using 196# an authentication module that does not enforce PAM_MAXTRIES. 197# 198LOGIN_RETRIES 5 199 200# 201# Max time in seconds for login 202# 203LOGIN_TIMEOUT 60 204 205# 206# Which fields may be changed by regular users using chfn - use 207# any combination of letters "frwh" (full name, room number, work 208# phone, home phone). If not defined, no changes are allowed. 209# For backward compatibility, "yes" = "rwh" and "no" = "frwh". 210# 211CHFN_RESTRICT rwh 212 213# 214# Should login be allowed if we can't cd to the home directory? 215# Default in no. 216# 217DEFAULT_HOME yes 218 219# 220# If defined, this command is run when removing a user. 221# It should remove any at/cron/print jobs etc. owned by 222# the user to be removed (passed as the first argument). 223# 224#USERDEL_CMD /usr/sbin/userdel_local 225 226# 227# This enables userdel to remove user groups if no members exist. 228# 229# Other former uses of this variable such as setting the umask when 230# user==primary group are not used in PAM environments, thus in Debian 231# 232USERGROUPS_ENAB yes 233 234# 235# Instead of the real user shell, the program specified by this parameter 236# will be launched, although its visible name (argv[0]) will be the shell's. 237# The program may do whatever it wants (logging, additional authentification, 238# banner, ...) before running the actual shell. 239# 240# FAKE_SHELL /bin/fakeshell 241 242# 243# If defined, either full pathname of a file containing device names or 244# a ":" delimited list of device names. Root logins will be allowed only 245# upon these devices. 246# 247# This variable is used by login and su. 248# 249#CONSOLE /etc/consoles 250#CONSOLE console:tty01:tty02:tty03:tty04 251 252# 253# List of groups to add to the user's supplementary group set 254# when logging in on the console (as determined by the CONSOLE 255# setting). Default is none. 256# 257# Use with caution - it is possible for users to gain permanent 258# access to these groups, even when not logged in on the console. 259# How to do it is left as an exercise for the reader... 260# 261# This variable is used by login and su. 262# 263#CONSOLE_GROUPS floppy:audio:cdrom 264 265# 266# If set to "yes", new passwords will be encrypted using the MD5-based 267# algorithm compatible with the one used by recent releases of FreeBSD. 268# It supports passwords of unlimited length and longer salt strings. 269# Set to "no" if you need to copy encrypted passwords to other systems 270# which don't understand the new algorithm. Default is "no". 271# 272# This variable is deprecated. You should use ENCRYPT_METHOD. 273# 274#MD5_CRYPT_ENAB no 275 276# 277# If set to MD5 , MD5-based algorithm will be used for encrypting password 278# If set to SHA256, SHA256-based algorithm will be used for encrypting password 279# If set to SHA512, SHA512-based algorithm will be used for encrypting password 280# If set to DES, DES-based algorithm will be used for encrypting password (default) 281# Overrides the MD5_CRYPT_ENAB option 282# 283# Note: It is recommended to use a value consistent with 284# the PAM modules configuration. 285# 286ENCRYPT_METHOD SHA512 287 288# 289# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. 290# 291# Define the number of SHA rounds. 292# With a lot of rounds, it is more difficult to brute forcing the password. 293# But note also that it more CPU resources will be needed to authenticate 294# users. 295# 296# If not specified, the libc will choose the default number of rounds (5000). 297# The values must be inside the 1000-999999999 range. 298# If only one of the MIN or MAX values is set, then this value will be used. 299# If MIN > MAX, the highest value will be used. 300# 301# SHA_CRYPT_MIN_ROUNDS 5000 302# SHA_CRYPT_MAX_ROUNDS 5000 303 304################# OBSOLETED BY PAM ############## 305# # 306# These options are now handled by PAM. Please # 307# edit the appropriate file in /etc/pam.d/ to # 308# enable the equivelants of them. 309# 310############### 311 312#MOTD_FILE 313#DIALUPS_CHECK_ENAB 314#LASTLOG_ENAB 315#MAIL_CHECK_ENAB 316#OBSCURE_CHECKS_ENAB 317#PORTTIME_CHECKS_ENAB 318#SU_WHEEL_ONLY 319#CRACKLIB_DICTPATH 320#PASS_CHANGE_TRIES 321#PASS_ALWAYS_WARN 322#ENVIRON_FILE 323#NOLOGINS_FILE 324#ISSUE_FILE 325#PASS_MIN_LEN 326#PASS_MAX_LEN 327#ULIMIT 328#ENV_HZ 329#CHFN_AUTH 330#CHSH_AUTH 331#FAIL_DELAY 332 333################# OBSOLETED ####################### 334# # 335# These options are no more handled by shadow. # 336# # 337# Shadow utilities will display a warning if they # 338# still appear. # 339# # 340################################################### 341 342# CLOSE_SESSIONS 343# LOGIN_STRING 344# NO_PASSWORD_CONSOLE 345# QMAIL_DIR 346 347 348