
/login.defs

http://github.com/brinkman83/bashrc
  1#
  2# /etc/login.defs - Configuration control definitions for the login package.
  3#
  4# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
  5# If unspecified, some arbitrary (and possibly incorrect) value will
  6# be assumed.  All other items are optional - if not specified then
  7# the described action or option will be inhibited.
  8#
  9# Comment lines (lines beginning with "#") and blank lines are ignored.
 10#
 11# Modified for Linux.  --marekm
 12
 13# REQUIRED for useradd/userdel/usermod
 14#   Directory where mailboxes reside, _or_ name of file, relative to the
 15#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
 16#   MAIL_DIR takes precedence.
 17#
 18#   Essentially:
 19#      - MAIL_DIR defines the location of users mail spool files
 20#        (for mbox use) by appending the username to MAIL_DIR as defined
 21#        below.
 22#      - MAIL_FILE defines the location of the users mail spool files as the
 23#        fully-qualified filename obtained by prepending the user home
 24#        directory before $MAIL_FILE
 25#
 26# NOTE: This is no more used for setting up users MAIL environment variable
 27#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
 28#       job of the pam_mail PAM modules
 29#       See default PAM configuration files provided for
 30#       login, su, etc.
 31#
 32# This is a temporary situation: setting these variables will soon
 33# move to /etc/default/useradd and the variables will then be
 34# no more supported
 35MAIL_DIR        /var/mail
 36#MAIL_FILE      .mail
 37
 38#
 39# Enable logging and display of /var/log/faillog login failure info.
 40# This option conflicts with the pam_tally PAM module.
 41#
 42FAILLOG_ENAB		yes
 43
 44#
 45# Enable display of unknown usernames when login failures are recorded.
 46#
 47# WARNING: Unknown usernames may become world readable. 
 48# See #290803 and #298773 for details about how this could become a security
 49# concern
 50LOG_UNKFAIL_ENAB	no
 51
 52#
 53# Enable logging of successful logins
 54#
 55LOG_OK_LOGINS		no
 56
 57#
 58# Enable "syslog" logging of su activity - in addition to sulog file logging.
 59# SYSLOG_SG_ENAB does the same for newgrp and sg.
 60#
 61SYSLOG_SU_ENAB		yes
 62SYSLOG_SG_ENAB		yes
 63
 64#
 65# If defined, all su activity is logged to this file.
 66#
 67#SULOG_FILE	/var/log/sulog
 68
 69#
 70# If defined, file which maps tty line to TERM environment parameter.
 71# Each line of the file is in a format something like "vt100  tty01".
 72#
 73#TTYTYPE_FILE	/etc/ttytype
 74
 75#
 76# If defined, login failures will be logged here in a utmp format
 77# last, when invoked as lastb, will read /var/log/btmp, so...
 78#
 79FTMP_FILE	/var/log/btmp
 80
 81#
 82# If defined, the command name to display when running "su -".  For
 83# example, if this is defined as "su" then a "ps" will display the
 84# command is "-su".  If not defined, then "ps" would display the
 85# name of the shell actually being run, e.g. something like "-sh".
 86#
 87SU_NAME		su
 88
 89#
 90# If defined, file which inhibits all the usual chatter during the login
 91# sequence.  If a full pathname, then hushed mode will be enabled if the
 92# user's name or shell are found in the file.  If not a full pathname, then
 93# hushed mode will be enabled if the file exists in the user's home directory.
 94#
 95HUSHLOGIN_FILE	.hushlogin
 96#HUSHLOGIN_FILE	/etc/hushlogins
 97
 98#
 99# *REQUIRED*  The default PATH settings, for superuser and normal users.
100#
101# (they are minimal, add the rest in the shell startup files)
102ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
103ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
104
105#
106# Terminal permissions
107#
108#	TTYGROUP	Login tty will be assigned this group ownership.
109#	TTYPERM		Login tty will be set to this permission.
110#
111# If you have a "write" program which is "setgid" to a special group
112# which owns the terminals, define TTYGROUP to the group number and
113# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
114# TTYPERM to either 622 or 600.
115#
116# In Debian /usr/bin/bsd-write or similar programs are setgid tty
117# However, the default and recommended value for TTYPERM is still 0600
118# to not allow anyone to write to anyone else console or terminal
119
120# Users can still allow other people to write them by issuing 
121# the "mesg y" command.
122
123TTYGROUP	tty
124TTYPERM		0600
125
126#
127# Login configuration initializations:
128#
129#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
130#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
131#	UMASK		Default "umask" value.
132#
133# The ERASECHAR and KILLCHAR are used only on System V machines.
134# 
135# UMASK usage is discouraged because it catches only some classes of user
136# entries to system, in fact only those made through login(1), while setting
137# umask in shell rc file will catch also logins through su, cron, ssh etc.
138#
139# At the same time, using shell rc to set umask won't catch entries which use
140# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
141# user and alike.
142#
143# Therefore the use of pam_umask is recommended as the solution which
144# catches all these cases on PAM-enabled systems.
145# 
146# This avoids the confusion created by having the umask set
147# in two different places -- in login.defs and shell rc files (i.e.
148# /etc/profile).
149#
150# For discussion, see #314539 and #248150 as well as the thread starting at
151# http://lists.debian.org/debian-devel/2005/06/msg01598.html
152#
153# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
154#
155ERASECHAR	0177
156KILLCHAR	025
157# 022 is the "historical" value in Debian for UMASK when it was used
158# 027, or even 077, could be considered better for privacy
159# There is no One True Answer here : each sysadmin must make up his/her
160# mind.
161#UMASK		022
162
163#
164# Password aging controls:
165#
166#	PASS_MAX_DAYS	Maximum number of days a password may be used.
167#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
168#	PASS_WARN_AGE	Number of days warning given before a password expires.
169#
170PASS_MAX_DAYS	99999
171PASS_MIN_DAYS	0
172PASS_WARN_AGE	7
173
174#
175# Min/max values for automatic uid selection in useradd
176#
177UID_MIN			 1000
178UID_MAX			60000
179# System accounts
180#SYS_UID_MIN		  100
181#SYS_UID_MAX		  999
182
183#
184# Min/max values for automatic gid selection in groupadd
185#
186GID_MIN			 1000
187GID_MAX			60000
188# System accounts
189#SYS_GID_MIN		  100
190#SYS_GID_MAX		  999
191
192#
193# Max number of login retries if password is bad. This will most likely be
194# overriden by PAM, since the default pam_unix module has it's own built
195# in of 3 retries. However, this is a safe fallback in case you are using
196# an authentication module that does not enforce PAM_MAXTRIES.
197#
198LOGIN_RETRIES		5
199
200#
201# Max time in seconds for login
202#
203LOGIN_TIMEOUT		60
204
205#
206# Which fields may be changed by regular users using chfn - use
207# any combination of letters "frwh" (full name, room number, work
208# phone, home phone).  If not defined, no changes are allowed.
209# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
210# 
211CHFN_RESTRICT		rwh
212
213#
214# Should login be allowed if we can't cd to the home directory?
215# Default in no.
216#
217DEFAULT_HOME	yes
218
219#
220# If defined, this command is run when removing a user.
221# It should remove any at/cron/print jobs etc. owned by
222# the user to be removed (passed as the first argument).
223#
224#USERDEL_CMD	/usr/sbin/userdel_local
225
226#
227# This enables userdel to remove user groups if no members exist.
228#
229# Other former uses of this variable such as setting the umask when
230# user==primary group are not used in PAM environments, thus in Debian
231#
232USERGROUPS_ENAB yes
233
234#
235# Instead of the real user shell, the program specified by this parameter
236# will be launched, although its visible name (argv[0]) will be the shell's.
237# The program may do whatever it wants (logging, additional authentification,
238# banner, ...) before running the actual shell.
239#
240# FAKE_SHELL /bin/fakeshell
241
242#
243# If defined, either full pathname of a file containing device names or
244# a ":" delimited list of device names.  Root logins will be allowed only
245# upon these devices.
246#
247# This variable is used by login and su.
248#
249#CONSOLE	/etc/consoles
250#CONSOLE	console:tty01:tty02:tty03:tty04
251
252#
253# List of groups to add to the user's supplementary group set
254# when logging in on the console (as determined by the CONSOLE
255# setting).  Default is none.
256#
257# Use with caution - it is possible for users to gain permanent
258# access to these groups, even when not logged in on the console.
259# How to do it is left as an exercise for the reader...
260#
261# This variable is used by login and su.
262#
263#CONSOLE_GROUPS		floppy:audio:cdrom
264
265#
266# If set to "yes", new passwords will be encrypted using the MD5-based
267# algorithm compatible with the one used by recent releases of FreeBSD.
268# It supports passwords of unlimited length and longer salt strings.
269# Set to "no" if you need to copy encrypted passwords to other systems
270# which don't understand the new algorithm.  Default is "no".
271#
272# This variable is deprecated. You should use ENCRYPT_METHOD.
273#
274#MD5_CRYPT_ENAB	no
275
276#
277# If set to MD5 , MD5-based algorithm will be used for encrypting password
278# If set to SHA256, SHA256-based algorithm will be used for encrypting password
279# If set to SHA512, SHA512-based algorithm will be used for encrypting password
280# If set to DES, DES-based algorithm will be used for encrypting password (default)
281# Overrides the MD5_CRYPT_ENAB option
282#
283# Note: It is recommended to use a value consistent with
284# the PAM modules configuration.
285#
286ENCRYPT_METHOD SHA512
287
288#
289# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
290#
291# Define the number of SHA rounds.
292# With a lot of rounds, it is more difficult to brute forcing the password.
293# But note also that it more CPU resources will be needed to authenticate
294# users.
295#
296# If not specified, the libc will choose the default number of rounds (5000).
297# The values must be inside the 1000-999999999 range.
298# If only one of the MIN or MAX values is set, then this value will be used.
299# If MIN > MAX, the highest value will be used.
300#
301# SHA_CRYPT_MIN_ROUNDS 5000
302# SHA_CRYPT_MAX_ROUNDS 5000
303
304################# OBSOLETED BY PAM ##############
305#						#
306# These options are now handled by PAM. Please	#
307# edit the appropriate file in /etc/pam.d/ to	#
308# enable the equivelants of them.
309#
310###############
311
312#MOTD_FILE
313#DIALUPS_CHECK_ENAB
314#LASTLOG_ENAB
315#MAIL_CHECK_ENAB
316#OBSCURE_CHECKS_ENAB
317#PORTTIME_CHECKS_ENAB
318#SU_WHEEL_ONLY
319#CRACKLIB_DICTPATH
320#PASS_CHANGE_TRIES
321#PASS_ALWAYS_WARN
322#ENVIRON_FILE
323#NOLOGINS_FILE
324#ISSUE_FILE
325#PASS_MIN_LEN
326#PASS_MAX_LEN
327#ULIMIT
328#ENV_HZ
329#CHFN_AUTH
330#CHSH_AUTH
331#FAIL_DELAY
332
333################# OBSOLETED #######################
334#						  #
335# These options are no more handled by shadow.    #
336#                                                 #
337# Shadow utilities will display a warning if they #
338# still appear.                                   #
339#                                                 #
340###################################################
341
342# CLOSE_SESSIONS
343# LOGIN_STRING
344# NO_PASSWORD_CONSOLE
345# QMAIL_DIR
346
347
348