Blame: login.defs(5)
Annotated edit history of login.defs(5) version 1, including all changes.
LOGIN
!!!LOGIN
NAME
DESCRIPTION
CROSS REFERENCE
BUGS
SEE ALSO
AUTHORS
----
!!NAME

/etc/login.defs - Login configuration

!!DESCRIPTION

The ''/etc/login.defs'' file defines the site-specific configuration for the shadow login suite. This file is required. Absence of this file will not prevent system operation, but will probably result in undesirable operation.

This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name and value, separated by whitespace. Blank lines and comment lines are ignored. Comments are introduced with a `#' pound sign and the pound sign must be the first non-white character of the line.

Parameter values may be of four types: strings, booleans, numbers, and long numbers. A string is comprised of any printable characters. A boolean should be either the value ``yes'' or ``no''. An undefined boolean parameter or one with a value other than these will be given a ``no'' value. Numbers (both regular and long) may be either decimal values, octal values (precede the value with ``0'') or hexadecimal values (precede the value with ``0x''). The maximum value of the regular and long numeric parameters is machine-dependent.
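As an added example (not part of the shadow suite or of this man page), a small Python parser for the format just described: comment and blank lines, whitespace-separated name/value pairs, the yes/no boolean rule, and the decimal/octal/hex number prefixes. The sample file and the getdef_* helper names are constructed for illustration.

```python
# Added example, not shadow's own getdef code. SAMPLE is a constructed
# login.defs fragment covering each value type described in the man page.
SAMPLE = """\
# A comment: the pound sign is the first non-white character
    # so is this one
ENV_PATH        /usr/local/bin:/usr/bin:/bin
FAIL_DELAY      3
UMASK           022
TTYPERM         0600
UID_MAX         0xFFFF
PASS_WARN_AGE   -1
FAILLOG_ENAB    yes
MAIL_CHECK_ENAB maybe
CONSOLE         console:tty01:tty02
"""


def parse_login_defs(text):
    """Map each parameter name to its raw value string. Blank lines and
    comment lines are skipped; a later duplicate overrides an earlier one."""
    defs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)          # name, then the rest
        defs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return defs


def getdef_str(defs, name, default=None):
    return defs.get(name, default)


def getdef_bool(defs, name):
    """Only the literal value 'yes' is true; undefined or anything else is 'no'."""
    return defs.get(name) == "yes"


def getdef_num(defs, name, default=None):
    """Decimal, octal (leading '0') or hexadecimal (leading '0x'), with an
    optional sign. Unlike int(x, 0), a bare leading '0' means octal here."""
    raw = defs.get(name)
    if raw is None:
        return default
    sign = -1 if raw.startswith("-") else 1
    digits = raw.lstrip("+-")
    if digits[:2].lower() == "0x":
        value = int(digits[2:], 16)
    elif len(digits) > 1 and digits[0] == "0":
        value = int(digits[1:], 8)
    else:
        value = int(digits, 10)
    return sign * value
```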

The following configuration items are provided:

CHFN_AUTH (boolean)

If ''yes'', the __chfn__ and __chsh__ programs will ask for a password before making any changes, unless run by the superuser.

CHFN_RESTRICT (string)

This parameter specifies which values in the ''gecos'' field of the ''passwd'' file may be changed by regular users using the __chfn__ program. It can be any combination of the letters ''f'', ''r'', ''w'', ''h'', for Full name, Room number, Work phone, and Home phone, respectively. If not specified, only the superuser can make any changes.

CLOSE_SESSIONS (boolean)

Enable calling of pam_close_session(). When using normal (pam_unix.so) session handling modules, this is not needed. However, with modules such as Kerberos or other persistent session models, __login__ needs to fork and wait for the shell to exit, so that sessions can be cleaned up.

CONSOLE (string)

If specified, this definition provides for a restricted set of lines on which root logins will be allowed. An attempted root login which does not meet the criteria established here will be rejected. The value of this field may be one of two forms, either a fully-rooted pathname such as

''CONSOLE /etc/consoles''

or a colon-delimited list of terminal lines such as:

''CONSOLE console:tty01:tty02:tty03:tty04''

If a pathname is given, each line of the file should specify one terminal line. If this parameter is not defined or the specified file does not exist, then root logins will be allowed from any terminal line. Because the removal of this file, or its truncation, could result in unauthorized root logins, this file must be protected. Where security is critical, the colon-separated form should be used to prevent this potential method of attack.
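The two CONSOLE forms and the failure mode just described, as an added Python example (not shadow's own console check). The file-system stand-in, the reader functions and the audit wording are constructed for illustration.

```python
# Added example, not shadow's own console check. It applies the two
# CONSOLE forms from the man page and makes the documented failure mode
# visible: a pathname whose file is absent restricts nothing.

def console_lines(console_value, read_file):
    """Return the set of terminal lines on which root may log in, or None
    when there is no restriction (CONSOLE unset, or the named file is
    missing). read_file(path) returns the file text or None if absent."""
    if not console_value:
        return None
    if console_value.startswith("/"):
        text = read_file(console_value)       # pathname form
        if text is None:
            return None                       # missing file: any line allowed
        return {line.strip() for line in text.splitlines() if line.strip()}
    return {line for line in console_value.split(":") if line}  # colon form


def root_login_allowed(console_value, tty, read_file):
    allowed = console_lines(console_value, read_file)
    return allowed is None or tty in allowed


def audit_console(console_value, read_file):
    """Defender's check of a CONSOLE setting: flag the unrestricted case and
    the file-backed form, which the man page says must be protected because
    deleting the file would allow root logins from any line."""
    if not console_value:
        return "unrestricted: root may log in on any line"
    if console_value.startswith("/"):
        if read_file(console_value) is None:
            return "file-backed restriction with missing file: root may log in on any line"
        return "file-backed restriction: protect the file or switch to the colon form"
    return "inline restriction: self-contained in login.defs"


# Constructed stand-in for the file system: only /etc/consoles exists.
CONSOLE_FS = {"/etc/consoles": "console\ntty01\n"}


def read_console_file(path):
    return CONSOLE_FS.get(path)


def read_real_file(path):
    """Reader for a live system (not used by the constructed checks above)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None
```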

CONSOLE_GROUPS (string)

XXX needs to be documented.

CRACKLIB_DICTPATH (string)

XXX needs to be documented.

DEFAULT_HOME (boolean)

XXX needs to be documented.

DIALUPS_CHECK_ENAB (boolean)

If ''yes'' and an ''/etc/dialups'' file exists, then secondary passwords are enabled upon the dialup lines specified in this file. This file should contain a list of dialups, one per line, for example:

    ttyfm01
    ttyfm02
    .
    .
    .

ENVIRON_FILE (string)

File containing a list of environment variables (one per line) to set when logging in or su'ing.

ENV_HZ (string)

This parameter specifies a value for an HZ environment parameter. Example usage is:

''ENV_HZ HZ=50''

If this parameter is not defined then no HZ value will be established.

ENV_PATH (string)

This parameter must be defined as the search path for regular users. When a login with a UID other than zero occurs, the PATH environment parameter is initialized to this value. This parameter is required; if undefined, a possibly incorrect default value will be provided.

ENV_SUPATH (string)

This parameter must be defined as the search path for the superuser. When a login with UID zero occurs, the PATH environment parameter is initialized to this value. This parameter is required; if undefined, a possibly incorrect default value will be provided.

ENV_TZ (string)

This parameter specifies information for generating a TZ environment parameter. The value must be either the desired contents of TZ, or the full pathname of a file which contains this information. Example usage is:

''ENV_TZ TZ=CST6CDT''

or

''ENV_TZ /etc/tzname''

If a nonexistent file is named, then TZ will be initialized to some default value. If this parameter is not defined then no TZ value will be established.

ERASECHAR (number)

The terminal ''erase'' character is initialized to this value. This is supported only on systems with the ''termio'' interface, e.g. System V. If not specified, the erase character will be initialized to a backspace. See KILLCHAR for related information.

FAILLOG_ENAB (boolean)

If ''yes'' then login failures will be accumulated in ''/var/log/faillog'' in faillog(8) format.

FAIL_DELAY (number)

Delay time in seconds after each failed login attempt.

FAKE_SHELL (string)

Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (argv[[0]) will be the shell's. The program may do whatever it wants (logging, additional authentication, banner, ...) before running the actual shell.

FTMP_FILE (string)

This parameter specifies the full pathname to a file in which login failures are recorded. When a login failure occurs, a ''utmp'' format record will be appended to this file. Note that this differs from the ''/var/log/faillog'' failure logging in that this facility logs every failure, whereas the ``faillog'' facility accumulates failure information per user. If this parameter is not specified then logging will be inhibited. See FAILLOG_ENAB and LOG_UNKFAIL_ENAB for related information.

GID_MAX (number)

GID_MIN (number)

Range of group IDs to choose from for the __groupadd__ program.

HUSHLOGIN_FILE (string)

This parameter is used to establish ``hushlogin'' conditions. There are two possible ways to establish these conditions. First, if the value of this parameter is a filename and that file exists in the user's home directory, then ``hushlogin'' conditions will be in effect. The contents of this file are ignored; its mere presence triggers ``hushlogin'' conditions. Second, if the value of this parameter is a full pathname and either the user's login name or the user's shell is found in this file, then ``hushlogin'' conditions will be in effect. In this case, the file should be in a format similar to:

    demo
    /usr/lib/uucp/uucico
    .
    .
    .

If this parameter is not defined, then ``hushlogin'' conditions will never occur. When ``hushlogin'' conditions are established, the message of the day, last successful and unsuccessful login display, mail status display, and password aging checks are suppressed. Note that allowing hushlogin files in user home directories allows the user to disable password aging checks. See MOTD_FILE, FAILLOG_ENAB, LASTLOG_ENAB, and MAIL_CHECK_ENAB for related information.
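The two HUSHLOGIN_FILE forms and the caveat about user-controlled hushlogin files, as an added Python example (not shadow's own hushlogin test). The home-directory listing, the file-system stand-in and the user_can_self_hush helper are constructed for illustration.

```python
# Added example, not shadow's own hushlogin test. It decides the two
# HUSHLOGIN_FILE forms from the man page against constructed inputs.

def hushlogin_active(value, user, shell, home_files, read_file):
    """value: the HUSHLOGIN_FILE setting; home_files: file names present in
    the user's home directory; read_file(path) -> text, or None if absent."""
    if not value:
        return False                        # undefined: never hushed
    if not value.startswith("/"):
        # Form 1: a bare filename; its presence in $HOME is enough, and the
        # user controls that, so this also lets them skip aging checks.
        return value in home_files
    # Form 2: a full pathname listing login names or shells, one per line.
    text = read_file(value)
    if text is None:
        return False
    entries = {line.strip() for line in text.splitlines() if line.strip()}
    return user in entries or shell in entries


def user_can_self_hush(value):
    """Defender's check: does the setting delegate the decision to the user?"""
    return bool(value) and not value.startswith("/")


# Constructed file system: the system-wide list from the man page example.
HUSH_FS = {"/etc/hushlogins": "demo\n/usr/lib/uucp/uucico\n"}


def read_hush_file(path):
    return HUSH_FS.get(path)
```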

ISSUE_FILE (string)

Full pathname of the file to display before each login prompt.

KILLCHAR (number)

The terminal ''kill'' character is initialized to this value. This is supported only on systems with the ''termio'' interface, e.g. System V. If not specified, the kill character will be initialized to CTRL/U. See ERASECHAR for related information.

LASTLOG_ENAB (boolean)

If ''yes'', and if the ''/var/log/lastlog'' file exists, then a successful user login will be recorded to this file. Furthermore, if this option is enabled then the times of the most recent successful and unsuccessful logins will be displayed to the user upon login. The unsuccessful login display will be suppressed if FAILLOG_ENAB is not enabled. If ``hushlogin'' conditions are in effect, then both the successful and unsuccessful login information will be suppressed.

LOGIN_RETRIES (number)

Number of login attempts allowed before the __login__ program exits.

LOGIN_STRING (string)

XXX needs to be documented.

LOGIN_TIMEOUT (number)

XXX needs to be documented.

LOG_OK_LOGINS (boolean)

XXX needs to be documented.

LOG_UNKFAIL_ENAB (boolean)

If ''yes'' then unknown usernames will be included when a login failure is recorded. Note that this is a potential security risk; a common login failure mode is transposition of the user name and password, so this mode will often cause passwords to accumulate in the failure logs. If this option is disabled then unknown usernames will be suppressed in login failure messages.

MAIL_CHECK_ENAB (boolean)

If ''yes'', the user will be notified of his or her mailbox status upon login. See MAIL_DIR for related information.

MAIL_DIR (string)

This parameter specifies the full pathname to the directory which contains the user mailbox files. The user's login name is appended to this path to form the MAIL environment parameter - the path to the user's mailbox. Either this parameter or MAIL_FILE must be defined; if undefined, some possibly incorrect default value will be assumed. See MAIL_CHECK_ENAB for related information.

MAIL_FILE (string)

This parameter specifies the name of the user's mailbox file. This name is appended to the name of the user's home directory to form the MAIL environment parameter - the path to the user's mailbox. Either this parameter or MAIL_DIR must be defined; if undefined, some possibly incorrect default value will be assumed. See MAIL_CHECK_ENAB for related information.

MD5_CRYPT_ENAB (boolean)

If ''yes'', the __passwd__ program will encrypt newly changed passwords using a new MD5-based crypt(3) password hashing algorithm, which originally appeared in FreeBSD, and is also supported by libc-5.4.38 and glibc-2.0 (or higher) on Linux. This algorithm allows passwords longer than 8 characters (limited by getpass(3) to 127 characters), but is incompatible with traditional crypt(3) implementations.

MOTD_FILE (string)

This parameter specifies a colon-delimited list of pathnames to ``message of the day'' files. If a specified file exists, then its contents are displayed to the user upon login. If this parameter is not defined or ``hushlogin'' login conditions are in effect, this information will be suppressed.

NOLOGINS_FILE (string)

This parameter specifies the full pathname to a file which inhibits non-root logins. If this file exists and a user other than root attempts to log in, the contents of the file will be displayed and the user will be disconnected. If this parameter is not specified then this feature will be inhibited.

NOLOGIN_STR (string)

XXX needs to be documented.

OBSCURE_CHECKS_ENAB (boolean)

If ''yes'', the __passwd__ program will perform additional checks before accepting a password change. The checks performed are fairly simple, and their use is recommended. These obscurity checks are bypassed if __passwd__ is run by ''root''. See PASS_MIN_LEN for related information.

PASS_ALWAYS_WARN (boolean)

XXX needs to be documented.

PASS_CHANGE_TRIES (number)

XXX needs to be documented.

PASS_MIN_DAYS (number)

The minimum number of days allowed between password changes. Any password change attempted sooner than this will be rejected. If not specified, a zero value will be assumed.

PASS_MIN_LEN (number)

The minimum number of characters in an acceptable password. An attempt to assign a password with fewer characters will be rejected. A zero value suppresses this check. If not specified, a zero value will be assumed.

PASS_MAX_DAYS (number)

The maximum number of days a password may be used. If the password is older than this, then the account will be locked. If not specified, a large value will be assumed.

PASS_MAX_LEN (number)

XXX needs to be documented.

PASS_WARN_AGE (number)

The number of days of warning given before a password expires. A zero means the warning is given only upon the day of expiration; a negative value means no warning is given. If not specified, no warning will be provided.
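The PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE rules above, worked through as an added Python example (not shadow's own aging code). The password_status function and its dict layout are constructed for illustration; None stands for a parameter that is not specified.

```python
# Added example, not shadow's own aging code. It applies the PASS_MIN_DAYS,
# PASS_MAX_DAYS and PASS_WARN_AGE rules from the man page to a password
# last changed `age` days ago. None stands for "not specified".

def password_status(age, pass_min_days=None, pass_max_days=None, pass_warn_age=None):
    """Return a dict: 'login' is 'ok', 'warn' or 'locked'; 'change_rejected'
    says whether a change attempted today falls inside PASS_MIN_DAYS;
    'days_left' is days until expiry, or None with no PASS_MAX_DAYS."""
    min_days = 0 if pass_min_days is None else pass_min_days   # default zero
    change_rejected = age < min_days
    if pass_max_days is None:                 # "a large value": never expires
        return {"login": "ok", "change_rejected": change_rejected, "days_left": None}
    days_left = pass_max_days - age
    if days_left < 0:
        login = "locked"                      # older than PASS_MAX_DAYS
    elif pass_warn_age is None or pass_warn_age < 0:
        login = "ok"                          # unset or negative: no warning
    elif days_left <= pass_warn_age:
        login = "warn"                        # zero: only on the expiry day
    else:
        login = "ok"
    return {"login": login, "change_rejected": change_rejected, "days_left": days_left}
```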

PORTTIME_CHECKS_ENAB (boolean)

If ''yes'' and an ''/etc/porttime'' file exists, that file will be consulted to ensure the user may log in at this time on the given line. cf. porttime(5).

QMAIL_DIR (string)

For Qmail users, this parameter specifies a directory where a Maildir hierarchy is stored. See MAIL_CHECK_ENAB for related information.

QUOTAS_ENAB (boolean)

If ''yes'', then the user's ``ulimit'', ``umask'', and ``niceness'' will be initialized to the values specified in the ''gecos'' field of the ''passwd'' file. cf. passwd(5).

SU_NAME (string)

This parameter assigns a command name when ``su -'' is run. For example, if the parameter is defined as ``su'', then a ps(1) listing would show the command running as ``-su''. If this parameter is undefined, then a ps(1) listing would show the name of the actual shell being run, e.g. something like ``-sh''.

SULOG_FILE (string)

This parameter specifies the full pathname of a file in which __su__ activity is logged. If this parameter is not specified, the logging is suppressed. Because the __su__ command may be used when attempting to authenticate a password, either this option or ''syslog'' should be used to note __su__ activity. See the SYSLOG_SU_ENAB option for related information.

SU_WHEEL_ONLY (boolean)

XXX needs to be documented.

SYSLOG_SG_ENAB (boolean)

XXX needs to be documented.

SYSLOG_SU_ENAB (boolean)

If ''yes'' and __login__ was compiled with ''syslog'' support, then all __su__ activity will be noted through the ''syslog'' facility. See SULOG_FILE for related information.

TTYGROUP (string or number)

The group ownership of the terminal is initialized to this group name or number. One well-known security attack involves forcing terminal control sequences upon another user's terminal line. This problem can be averted by disabling permissions which allow other users to access the terminal line, but this unfortunately prevents programs such as __write__ from operating. Another solution is to use a version of the __write__ program which filters out potentially dangerous character sequences, make this program ``setgid'' to a special group, assign group ownership of the terminal line to this special group, and assign permissions of ''0620'' to the terminal line. The TTYGROUP definition has been provided for just this situation. If this item is not defined, then the group ownership of the terminal is initialized to the user's group number. See TTYPERM for related information.

TTYPERM (number)

The login terminal permissions are initialized to this value. Typical values will be ''0622'' to permit others write access to the line or ''0600'' to secure the line from other users. If not specified, the terminal permissions will be initialized to ''0622''. See TTYGROUP for related information.

TTYTYPE_FILE (string)

This parameter specifies the full pathname to a file which maps terminal lines to terminal types. Each line of the file contains a terminal type and a terminal line, separated by whitespace, for example:

    vt100 tty01
    wyse60 tty02
    . .
    . .
    . .

This information is only used to initialize the TERM environment parameter when it does not already exist. A line starting with a ``#'' pound sign will be treated as a comment. If this parameter is not specified, the file does not exist, or the terminal line is not found in the file, then the TERM environment parameter will not be set.

UID_MAX (number)

XXX needs to be documented.

UID_MIN (number)

XXX needs to be documented.

ULIMIT (long number)

The file size limit is initialized to this value. This is supported only on systems with a ''ulimit'', e.g. System V. If not specified, the file size limit will be initialized to some large value.

UMASK (number)

The permission mask is initialized to this value. If not specified, the permission mask will be initialized to zero.

USERDEL_CMD (string)

XXX needs to be documented.

!!CROSS REFERENCE

The following cross reference shows which programs in the shadow login suite use which parameters.

login

CONSOLE DIALUPS_CHECK_ENAB ENV_HZ ENV_SUPATH ENV_TZ ERASECHAR FAILLOG_ENAB FTMP_FILE HUSHLOGIN_FILE KILLCHAR LASTLOG_ENAB LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB TTYPERM TTYTYPE_FILE ULIMIT UMASK

newusers

PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK

passwd

OBSCURE_CHECKS_ENAB PASS_MIN_LEN

pwconv

PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

su

ENV_HZ ENV_SUPATH ENV_TZ HUSHLOGIN_FILE MAIL_CHECK_ENAB MAIL_DIR MOTD_FILE NOLOGIN_STR QUOTAS_ENAB SULOG_FILE SYSLOG_SU_ENAB

sulogin

ENV_HZ ENV_SUPATH ENV_TZ MAIL_DIR QUOTAS_ENAB TTYPERM

!!BUGS

Some of the supported configuration parameters are not documented in this manual page.

!!SEE ALSO

login(1), passwd(5), faillog(5), porttime(5), faillog(8)

!!AUTHORS

Julianne Frances Haugh (jfh@austin.ibm.com)
Chip Rosenthal (chip@unicom.com)
----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.