/etc/login.defs - Login configuration
The /etc/login.defs file defines the site-specific configuration for
the shadow login suite. This file is required. Absence of this file
will not prevent system operation, but will probably result in undesirable
operation.
This file is a readable text file, each line of the file describing one
configuration parameter. The lines consist of a configuration name and
value, separated by whitespace. Blank lines and comment lines are
ignored. Comments are introduced with a `#' pound sign and the pound
sign must be the first non-white character of the line.
Parameter values may be of four types: strings, booleans, numbers, and
long numbers. A string is comprised of any printable characters. A
boolean should be either the value ``yes'' or ``no''. An undefined
boolean parameter or one with a value other than these will be given a
``no'' value. Numbers (both regular and long) may be either decimal
values, octal values (precede the value with ``0'') or hexadecimal values
(precede the value with ``0x''). The maximum value of the regular
and long numeric parameters is machine-dependent.
The following configuration items are provided:
CHFN_AUTH (boolean)
If yes, the chfn and chsh programs will ask for password before
making any changes, unless run by the superuser.
CHFN_RESTRICT (string)
This parameter specifies which values in the gecos field of the
passwd file may be changed by regular users using the chfn program.
It can be any combination of letters f, r, w, h, for Full
name, Room number, Work phone, and Home phone, respectively. If
not specified, only the superuser can make any changes.
CLOSE_SESSIONS (boolean)
Enable pam_close_session() calling. When using normal
(pam_unix.so) session handling modules, this is not needed. However
with modules (such as kerberos or other persistent session
models), login needs to fork and wait for the shell to exit, so
that sessions can be cleaned up.
CONSOLE (string)
If specified, this definition provides for a restricted set of
lines on which root logins will be allowed. An attempted root
login which does not meet the criteria established here will be
rejected. The value of this field may be one of two forms,
either a fully-rooted pathname such as
CONSOLE /etc/consoles
or a colon-delimited list of terminal lines such as:
CONSOLE console:tty01:tty02:tty03:tty04
If a pathname is given, each line of the file should specify one
terminal line. If this parameter is not defined or the specified
file does not exist, then root logins will be allowed from
any terminal line. Because the removal of this file, or its
truncation, could result in unauthorized root logins, this file
must be protected. Where security is critical, the colon-separated
form should be used to prevent this potential method of
attack.
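An added example, not code from the shadow suite, that parses a login.defs body under the format rules given at the top of this page (comment lines, whitespace-separated name and value, yes/no booleans, decimal, leading-0 octal and 0x hexadecimal numbers) and then applies the CONSOLE rule just described to a terminal line, including the case where a named consoles file is missing. The sample file body and the `read` hook are constructed for illustration.

```python
# Added example (not part of the shadow suite): parse login.defs by the
# rules on this page and apply the CONSOLE root-login rule to a terminal line.
SAMPLE = """\
# comment lines start with '#' as the first non-white character (constructed sample)
CONSOLE          console:tty01:tty02
PASS_MAX_DAYS    99999
UMASK            077
TTYPERM          0x1A0
FAILLOG_ENAB     yes
LOG_UNKFAIL_ENAB maybe
"""

def parse_login_defs(text):
    """Return {NAME: raw value}; blank and comment lines are skipped, a bare name keeps ''."""
    defs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        defs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return defs

def get_bool(defs, name):
    """Undefined, or any value other than 'yes', is treated as no."""
    return defs.get(name, "").lower() == "yes"

def get_number(defs, name, default=None):
    """Decimal, leading-0 octal, or 0x hexadecimal, as the page describes."""
    raw = defs.get(name)
    if raw is None:
        return default
    low = raw.lower()
    base = 16 if low.startswith("0x") else (8 if low.startswith("0") and len(low) > 1 else 10)
    return int(low, base)

def root_login_allowed(defs, tty, read=lambda path: open(path).read()):
    """CONSOLE rule: an unset CONSOLE, or a named file that cannot be read,
    permits root on every line; that is the failure mode the page warns about."""
    value = defs.get("CONSOLE", "")
    if not value:
        return True
    if value.startswith("/"):
        try:
            allowed = [ln.strip() for ln in read(value).splitlines() if ln.strip()]
        except OSError:
            return True
    else:
        allowed = value.split(":")
    return tty in allowed
```

The `read` hook exists only so the file-based form can be exercised without touching the real /etc/consoles; on a live system the default opens the named path.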
CONSOLE_GROUPS (string)
XXX needs to be documented.
CRACKLIB_DICTPATH (string)
XXX needs to be documented.
DEFAULT_HOME (boolean)
XXX needs to be documented.
DIALUPS_CHECK_ENAB (boolean)
If yes and an /etc/dialups file exists, then secondary passwords
are enabled upon the dialup lines specified in this file. This
file should contain a list of dialups, one per line, for example:
ttyfm01
ttyfm02
.
.
.
ENVIRON_FILE (string)
File containing a list of environment variables (one per line)
to set when logging in or su'ing.
ENV_HZ (string)
This parameter specifies a value for an HZ environment parameter.
Example usage is:
ENV_HZ HZ=50
If this parameter is not defined then no HZ value will be established.
ENV_PATH (string)
This parameter must be defined as the search path for regular
users. When a login with UID other than zero occurs, the PATH
environment parameter is initialized to this value. This parameter
is required; if undefined a possibly incorrect default
value will be provided.
ENV_SUPATH (string)
This parameter must be defined as the search path for the superuser.
When a login with UID zero occurs, the PATH environment
parameter is initialized to this value. This parameter is
required; if undefined a possibly incorrect default value will
be provided.
ENV_TZ (string)
This parameter specifies information for generating a TZ environment
parameter. The value must either be the desired contents
of TZ, or the full pathname of a file which contains this
information. Example usage is:
ENV_TZ TZ=CST6CDT
or
ENV_TZ /etc/tzname
If a nonexistent file is named, then TZ will be initialized to
some default value. If this parameter is not defined then no TZ
value will be established.
ERASECHAR (number)
The terminal erase character is initialized to this value. This
is supported only on systems with the termio interface, e.g.
System V. If not specified, the erase character will be initialized
to a backspace. See KILLCHAR for related information.
FAILLOG_ENAB (boolean)
If yes then login failures will be accumulated in /var/log/faillog
in a faillog(8) format.
FAIL_DELAY (number)
Delay time in seconds after each failed login attempt.
FAKE_SHELL (string)
Instead of the real user shell, the program specified by this
parameter will be launched, although its visible name (argv[0])
will be the shell's. The program may do whatever it wants (logging,
additional authentication, banner, ...) before running
the actual shell.
FTMP_FILE (string)
This parameter specifies the full pathname to a file to which
login failures are recorded. When a login failure occurs, a
utmp format record will be appended to this file. Note that
this differs from the /var/log/faillog failure logging in that
this facility logs every failure whereas the ``faillog'' facility
accumulates failure information per user. If this parameter
is not specified then logging will be inhibited. See FAILLOG_ENAB
and LOG_UNKFAIL_ENAB for related information.
GID_MAX (number)
GID_MIN (number)
Range of group IDs to choose from for the groupadd program.
HUSHLOGIN_FILE (string)
This parameter is used to establish ``hushlogin'' conditions.
There are two possible ways to establish these conditions.
First, if the value of this parameter is a filename and that
file exists in the user's home directory then ``hushlogin'' conditions
will be in effect. The contents of this file are
ignored; its mere presence triggers ``hushlogin'' conditions.
Second, if the value of this parameter is a full pathname and
either the user's login name or the user's shell is found in
this file, then ``hushlogin'' conditions will be in effect. In
this case, the file should be in a format similar to:
demo
/usr/lib/uucp/uucico
.
.
.
If this parameter is not defined, then ``hushlogin'' conditions
will never occur. When ``hushlogin'' conditions are established,
the message of the day, last successful and unsuccessful
login display, mail status display, and password aging checks
are suppressed. Note that allowing hushlogin files in user home
directories allows the user to disable password aging checks.
See MOTD_FILE, FAILLOG_ENAB, LASTLOG_ENAB, and MAIL_CHECK_ENAB
for related information.
ISSUE_FILE (string)
Full pathname of the file to display before each login prompt.
KILLCHAR (number)
The terminal kill character is initialized to this value. This
is supported only on systems with the termio interface, e.g.
System V. If not specified, the kill character will be initialized
to a CTRL/U. See ERASECHAR for related information.
LASTLOG_ENAB (boolean)
If yes, and if the /var/log/lastlog file exists, then a successful
user login will be recorded to this file. Furthermore, if
this option is enabled then the times of the most recent successful
and unsuccessful logins will be displayed to the user
upon login. The unsuccessful login display will be suppressed
if FAILLOG_ENAB is not enabled. If ``hushlogin'' conditions are
in effect, then both the successful and unsuccessful login
information will be suppressed.
LOGIN_RETRIES (number)
Number of login attempts allowed before the login program exits.
LOGIN_STRING (string)
XXX needs to be documented.
LOGIN_TIMEOUT (number)
XXX needs to be documented.
LOG_OK_LOGINS (boolean)
XXX needs to be documented.
LOG_UNKFAIL_ENAB (boolean)
If yes then unknown usernames will be included when a login
failure is recorded. Note that this is a potential security
risk; a common login failure mode is transposition of the user
name and password, thus this mode will often cause passwords to
accumulate in the failure logs. If this option is disabled then
unknown usernames will be suppressed in login failure messages.
MAIL_CHECK_ENAB (boolean)
If yes, the user will be notified of his or her mailbox status
upon login. See MAIL_DIR for related information.
MAIL_DIR (string)
This parameter specifies the full pathname to the directory
which contains the user mailbox files. The user's login name is
appended to this path to form the MAIL environment parameter -
the path to the user's mailbox. Either this parameter or
MAIL_FILE must be defined; if undefined some possibly incorrect
default value will be assumed. See MAIL_CHECK_ENAB for related
information.
MAIL_FILE (string)
This parameter specifies the name of the user's mailbox file.
This name is appended to the name of the user's home directory
to form the MAIL environment parameter - the path to the user's
mailbox. Either this parameter or MAIL_DIR must be defined; if
undefined some possibly incorrect default value will be assumed.
See MAIL_CHECK_ENAB for related information.
MD5_CRYPT_ENAB (boolean)
If yes, the passwd program will encrypt newly changed passwords
using a new MD5-based crypt(3) password hashing algorithm, which
originally appeared in FreeBSD, and is also supported by
libc-5.4.38 and glibc-2.0 (or higher) on Linux. This algorithm
allows passwords longer than 8 characters (limited by getpass(3)
to 127 characters), but is incompatible with traditional
crypt(3) implementations.
MOTD_FILE (string)
This parameter specifies a colon-delimited list of pathnames to
``message of the day'' files. If a specified file exists, then
its contents are displayed to the user upon login. If this
parameter is not defined or ``hushlogin'' login conditions are
in effect, this information will be suppressed.
NOLOGINS_FILE (string)
This parameter specifies the full pathname to a file which
inhibits non-root logins. If this file exists and a user other
than root attempts to log in, the contents of the file will be
displayed and the user will be disconnected. If this parameter
is not specified then this feature will be inhibited.
NOLOGIN_STR (string)
XXX needs to be documented.
OBSCURE_CHECKS_ENAB (boolean)
If yes, the passwd program will perform additional checks before
accepting a password change. The checks performed are fairly
simple, and their use is recommended. These obscurity checks
are bypassed if passwd is run by root. See PASS_MIN_LEN for
related information.
PASS_ALWAYS_WARN (boolean)
XXX needs to be documented.
PASS_CHANGE_TRIES (number)
XXX needs to be documented.
PASS_MIN_DAYS (number)
The minimum number of days allowed between password changes.
Any password changes attempted sooner than this will be
rejected. If not specified, a zero value will be assumed.
PASS_MIN_LEN (number)
The minimum number of characters in an acceptable password. An
attempt to assign a password with fewer characters will be
rejected. A zero value suppresses this check. If not specified,
a zero value will be assumed.
PASS_MAX_DAYS (number)
The maximum number of days a password may be used. If the password
is older than this, then the account will be locked. If
not specified, a large value will be assumed.
PASS_MAX_LEN (number)
XXX needs to be documented.
PASS_WARN_AGE (number)
The number of days warning given before a password expires. A
zero means warning is given only upon the day of expiration, a
negative value means no warning is given. If not specified, no
warning will be provided.
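An added example, not code from the shadow suite, that applies the PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE rules described above to one account, including the zero and negative PASS_WARN_AGE cases. It assumes day counts are days since 1970-01-01, as the shadow file stores them; the day values used are constructed.

```python
# Added example (not part of the shadow suite): password-aging decisions
# under the PASS_MIN_DAYS / PASS_MAX_DAYS / PASS_WARN_AGE semantics.
# Days are counted since 1970-01-01, as the shadow file stores them.

def change_allowed(last_change_day, today, pass_min_days=0):
    """PASS_MIN_DAYS: a change attempted sooner than this is rejected (default 0)."""
    return today - last_change_day >= pass_min_days

def aging_state(last_change_day, today, pass_max_days, pass_warn_age=None):
    """Return 'expired', 'warn' or 'ok' for one account.

    pass_warn_age: 0 warns only on the expiry day; a negative value, or
    None for an unset parameter, never warns.
    """
    expires_on = last_change_day + pass_max_days
    if today > expires_on:
        return "expired"      # older than PASS_MAX_DAYS: the account is locked
    if pass_warn_age is None or pass_warn_age < 0:
        return "ok"
    return "warn" if expires_on - today <= pass_warn_age else "ok"

if __name__ == "__main__":
    # Constructed illustration: password set on day 19000, PASS_MAX_DAYS 90, warn 7.
    for day in (19050, 19083, 19090, 19091):
        print(day, aging_state(19000, day, 90, 7))
```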
PORTTIME_CHECKS_ENAB (boolean)
If yes and an /etc/porttime file exists, that file will be consulted
to ensure the user may log in at this time on the given
line. cf. porttime(5)
QMAIL_DIR (string)
For Qmail users, this parameter specifies a directory where a
Maildir hierarchy is stored. See MAIL_CHECK_ENAB for related
information.
QUOTAS_ENAB (boolean)
If yes, then the user's ``ulimit,'' ``umask,'' and ``niceness''
will be initialized to the values, if specified, in the gecos
field of the passwd file. cf. passwd(5).
SU_NAME (string)
This parameter assigns a command name when ``su -'' is run. For
example, if the parameter is defined as ``su'', then a ps(1)
listing would show the command running as ``-su''. If this
parameter is undefined, then a ps(1) listing would show the name
of the actual shell being run, e.g. something like ``-sh''.
SULOG_FILE (string)
This parameter specifies a full pathname of a file in which su
activity is logged. If this parameter is not specified, the
logging is suppressed. Because the su command may be used when
attempting to authenticate a password, either this option, or
syslog should be used to note su activity. See the SYSLOG_SU_ENAB
option for related information.
SU_WHEEL_ONLY (boolean)
XXX needs to be documented.
SYSLOG_SG_ENAB (boolean)
XXX needs to be documented.
SYSLOG_SU_ENAB (boolean)
If yes and login was compiled with syslog support, then all su
activity will be noted through the syslog facility. See
SULOG_FILE for related information.
TTYGROUP (string or number)
The group ownership of the terminal is initialized to this group
name or number. One well-known security attack involves forcing
terminal control sequences upon another user's terminal line.
This problem can be averted by disabling permissions which allow
other users to access the terminal line, but this unfortunately
prevents programs such as write from operating. Another solution
is to use a version of the write program which filters out
potentially dangerous character sequences, make this program
``setgid'' to a special group, assign group ownership of the
terminal line to this special group, and assign permissions of
0620 to the terminal line. The TTYGROUP definition has been
provided for just this situation. If this item is not defined,
then the group ownership of the terminal is initialized to the
user's group number. See TTYPERMS for related information.
TTYPERM (number)
The login terminal permissions are initialized to this value.
Typical values will be 0622 to permit others write access to the
line or 0600 to secure the line from other users. If not specified,
the terminal permissions will be initialized to 0622. See
TTYGROUP for related information.
TTYTYPE_FILE (string)
This parameter specifies the full pathname to a file which maps
terminal lines to terminal types. Each line of the file contains
a terminal type and a terminal line, separated by whitespace,
for example:
vt100 tty01
wyse60 tty02
. .
. .
. .
This information is only used to initialize the TERM environment
parameter when it does not already exist. A line starting with
a ``#'' pound sign will be treated as a comment. If this
parameter is not specified, the file does not exist, or the terminal
line is not found in the file, then the TERM environment
parameter will not be set.
UID_MAX (number)
XXX needs to be documented.
UID_MIN (number)
XXX needs to be documented.
ULIMIT (long number)
The file size limit is initialized to this value. This is supported
only on systems with a ulimit, e.g. System V. If not
specified, the file size limit will be initialized to some large
value.
UMASK (number)
The permission mask is initialized to this value. If not specified,
the permission mask will be initialized to zero.
USERDEL_CMD (string)
XXX needs to be documented.
The following cross reference shows which programs in the shadow login
suite use which parameters.
login CONSOLE DIALUPS_CHECK_ENAB ENV_HZ ENV_SUPATH ENV_TZ
ERASECHAR FAILLOG_ENAB FTMP_FILE HUSHLOGIN_FILE KILLCHAR
LASTLOG_ENAB LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR
MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB
TTYPERM TTYTYPE_FILE ULIMIT UMASK
newusers PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK
passwd OBSCURE_CHECKS_ENAB PASS_MIN_LEN
pwconv PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
su ENV_HZ ENV_SUPATH ENV_TZ HUSHLOGIN_FILE MAIL_CHECK_ENAB
MAIL_DIR MOTD_FILE NOLOGIN_STR QUOTAS_ENAB SULOG_FILE SYSLOG_SU_ENAB
sulogin ENV_HZ ENV_SUPATH ENV_TZ MAIL_DIR QUOTAS_ENAB TTYPERM
Some of the supported configuration parameters are not documented in
this manual page.
login(1), passwd(5), faillog(5), porttime(5), faillog(8)
Julianne Frances Haugh (jfh@austin.ibm.com)
Chip Rosenthal (chip@unicom.com)
LOGIN(5)