LOGIN(5)

NAME

       /etc/login.defs - Login configuration

DESCRIPTION

       The /etc/login.defs file defines the site-specific configuration for
       the shadow login suite.  This file is required.  Absence of this file
       will not prevent system operation, but will probably result in
       undesirable operation.

       This file is a readable text file, each line of the file describing one
       configuration parameter.  The lines consist of a configuration name and
       value, separated by whitespace.  Blank lines and comment lines are
       ignored.  Comments are introduced with a `#' pound sign and the pound
       sign must be the first non-white character of the line.

       Parameter values may be of four types:  strings, booleans, numbers, and
       long numbers.  A string is comprised of any printable characters.  A
       boolean should be either the value ``yes'' or ``no''.  An undefined
       boolean parameter or one with a value other than these will be given a
       ``no'' value.  Numbers (both regular and long) may be either decimal
       values, octal values (precede the value with ``0'') or hexadecimal
       values (precede the value with ``0x'').  The maximum value of the
       regular and long numeric parameters is machine-dependent.
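
       The parsing rules above, as an added example that is not part of the
       shadow suite or of this manual page: a small POSIX shell reader that
       applies them to a constructed sample file.  The helper names
       (write_sample_defs, login_defs_get, login_defs_bool, login_defs_num)
       and the sample contents are assumptions of the example, as is the
       choice that the last definition of a repeated name wins.

```sh
#!/bin/sh
# Added example, not code from the shadow suite: read login.defs values
# using the parsing rules given above (comments, whitespace-separated
# name/value pairs, boolean defaulting, decimal/octal/hex numbers).

# Write a constructed sample login.defs to the path given as $1.
write_sample_defs() {
    cat > "$1" <<'EOF'
# A comment: the pound sign is the first non-blank character
    # ...also a comment when indented
FAILLOG_ENAB        yes
LOG_UNKFAIL_ENAB    maybe
TTYPERM             0600
UID_MIN             1000
ULIMIT              0x10000
ENV_PATH            PATH=/usr/local/bin:/usr/bin:/bin
EOF
}

# Print the raw value of parameter $2 in file $1; prints nothing when it
# is undefined.  If a name appears more than once the last definition wins
# (an assumption of this example; the page does not say).
login_defs_get() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        $1 == name               { val = $2 }
        END                      { print val }
    ' "$1"
}

# Boolean: "yes" only for the exact value yes; undefined or anything else
# is reported as no, as the page specifies.
login_defs_bool() {
    if [ "$(login_defs_get "$1" "$2")" = yes ]; then echo yes; else echo no; fi
}

# Number: accept decimal, octal (leading 0) and hexadecimal (leading 0x)
# and print the value in decimal.  Returns 1 when the parameter is undefined.
login_defs_num() {
    v=$(login_defs_get "$1" "$2")
    [ -n "$v" ] || return 1
    echo $((v))    # shell arithmetic applies the C constant rules
}

# Stand-alone demonstration on the constructed file.
f=$(mktemp)
write_sample_defs "$f"
echo "FAILLOG_ENAB      -> $(login_defs_bool "$f" FAILLOG_ENAB)"
echo "LOG_UNKFAIL_ENAB  -> $(login_defs_bool "$f" LOG_UNKFAIL_ENAB)   (invalid value reads as no)"
echo "LASTLOG_ENAB      -> $(login_defs_bool "$f" LASTLOG_ENAB)   (undefined reads as no)"
echo "TTYPERM           -> $(login_defs_num  "$f" TTYPERM)  (octal 0600)"
echo "ULIMIT            -> $(login_defs_num  "$f" ULIMIT)   (hex 0x10000)"
echo "ENV_PATH          -> $(login_defs_get  "$f" ENV_PATH)"
rm -f "$f"
```

       The boolean helper is deliberately strict: a typo such as ``Yes'' or
       ``true'' silently turns a security setting off, which is the behaviour
       the page documents, so audits should read the file the same way login
       does rather than trusting the intent of the line.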

       The following configuration items are provided:

       CHFN_AUTH (boolean)
	      If yes, the chfn and chsh programs will ask for a password before
	      making any changes, unless run by the superuser.

       CHFN_RESTRICT (string)
	      This parameter specifies which values in the gecos field of the
	      passwd file may be changed by regular users using the chfn
	      program.  It can be any combination of letters f, r, w, h, for
	      Full name, Room number, Work phone, and Home phone, respectively.
	      If not specified, only the superuser can make any changes.

       CLOSE_SESSIONS (boolean)
	      If yes, login calls pam_close_session() when the session ends.
	      With the normal (pam_unix.so) session handling modules this is
	      not needed.  However, with modules such as Kerberos or other
	      persistent session models, login needs to fork and wait for the
	      shell to exit so that sessions can be cleaned up.

       CONSOLE (string)
	      If specified, this definition provides for a restricted  set  of
	      lines  on  which root logins will be allowed.  An attempted root
	      login which does not meet the criteria established here will  be
	      rejected.   The  value  of  this	field may be one of two forms,
	      either a fully-rooted pathname such as

		   CONSOLE /etc/consoles

	      or a colon-delimited list of terminal lines such as:

		   CONSOLE console:tty01:tty02:tty03:tty04

	      If a pathname is given, each line of the file should specify one
	      terminal line.  If this parameter is not defined or the specified
	      file does not exist, then root logins will be allowed from any
	      terminal line.  Because the removal of this file, or its
	      truncation, could result in unauthorized root logins, this file
	      must be protected.  Where security is critical, the
	      colon-separated form should be used to prevent this potential
	      method of attack.
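
       The two CONSOLE forms and the fail-open behaviour of the pathname form,
       as an added shell example that is not code from the shadow suite.  The
       function and file names (write_console_demo, console_root_allowed,
       login.defs.path, login.defs.list) are this example's own and the sample
       files are constructed.

```sh
#!/bin/sh
# Added example, not code from the shadow suite: evaluate the CONSOLE
# restriction of login.defs as described in this manual page.

# Write the constructed demo files into directory $1:
#   login.defs.path  uses the pathname form, pointing at $1/consoles
#   consoles         one permitted terminal line per line
#   login.defs.list  uses the colon-delimited form
write_console_demo() {
    dir=$1
    printf 'CONSOLE %s/consoles\n' "$dir" > "$dir/login.defs.path"
    printf '%s\n' console tty01 tty02 > "$dir/consoles"
    printf 'CONSOLE console:tty01:tty02\n' > "$dir/login.defs.list"
}

# Print "allow" or "deny" for a root login on terminal line $2, using the
# CONSOLE setting in login.defs file $1.
console_root_allowed() {
    defs=$1 tty=$2
    console=$(awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
                   $1 == "CONSOLE" { v = $2 } END { print v }' "$defs")
    case $console in
    "")
        echo allow ;;        # undefined: root may log in from any line
    /*)
        # Pathname form.  A missing (removed or renamed) file fails open,
        # which is exactly the attack the page warns about.
        if [ ! -f "$console" ]; then
            echo allow
        elif grep -qxF -e "$tty" "$console"; then
            echo allow
        else
            echo deny
        fi ;;
    *)
        # Colon-delimited list form: nothing on disk to remove or truncate.
        case ":$console:" in
        *":$tty:"*) echo allow ;;
        *)          echo deny ;;
        esac ;;
    esac
}

# Stand-alone demonstration.
d=$(mktemp -d)
write_console_demo "$d"
echo "path form, tty01: $(console_root_allowed "$d/login.defs.path" tty01)"
echo "path form, ttyS0: $(console_root_allowed "$d/login.defs.path" ttyS0)"
rm "$d/consoles"
echo "path form after removing consoles, ttyS0: $(console_root_allowed "$d/login.defs.path" ttyS0)"
echo "list form, ttyS0: $(console_root_allowed "$d/login.defs.list" ttyS0)"
rm -rf "$d"
```

       The demonstration shows the documented attack: once the consoles file
       is deleted, a root login on ttyS0 is accepted, while the colon-list
       form keeps denying it because there is no file to remove or truncate.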

       CONSOLE_GROUPS (string)
	      XXX needs to be documented.

       CRACKLIB_DICTPATH (string)
	      XXX needs to be documented.

       DEFAULT_HOME (boolean)
	      XXX needs to be documented.

       DIALUPS_CHECK_ENAB (boolean)
	      If yes and an /etc/dialups file exists, then secondary passwords
	      are enabled upon the dialup lines specified in this file.   This
	      file  should  contain a list of dialups, one per line, for example:


		   ttyfm01
		   ttyfm02
		     .
		     .
		     .


       ENVIRON_FILE (string)
	      File containing a list of environment variables (one  per  line)
	      to set when logging in or su'ing.

       ENV_HZ (string)
	      This parameter specifies a value for an HZ environment parameter.
	      Example usage is:

		   ENV_HZ     HZ=50

	      If this parameter is not defined then no HZ value will be
	      established.


       ENV_PATH (string)
	      This parameter must be defined as the search path for regular
	      users.  When a login with UID other than zero occurs, the PATH
	      environment parameter is initialized to this value.  This
	      parameter is required; if undefined a possibly incorrect default
	      value will be provided.

       ENV_SUPATH (string)
	      This parameter must be defined as the search path for the
	      superuser.  When a login with UID zero occurs, the PATH
	      environment parameter is initialized to this value.  This
	      parameter is required; if undefined a possibly incorrect default
	      value will be provided.

       ENV_TZ (string)
	      This parameter specifies information for generating a TZ
	      environment parameter.  The value must either be the desired
	      contents of TZ, or the full pathname of a file which contains
	      this information.  Example usage is:

		   ENV_TZ    TZ=CST6CDT

	      or

		   ENV_TZ    /etc/tzname

	      If a nonexistent file is named, then TZ will be  initialized  to
	      some default value.  If this parameter is not defined then no TZ
	      value will be established.

       ERASECHAR (number)
	      The terminal erase character is initialized to this value.  This
	      is supported only on systems with the termio interface, e.g.
	      System V.  If not specified, the erase character will be
	      initialized to a backspace.  See KILLCHAR for related information.

       FAILLOG_ENAB (boolean)
	      If yes then login failures will be accumulated in
	      /var/log/faillog in a faillog(8) format.

       FAIL_DELAY (number)
	      Delay time in seconds after each failed login attempt.

       FAKE_SHELL (string)
	      Instead of the real user shell, the program specified by this
	      parameter will be launched, although its visible name (argv[0])
	      will be the shell's.  The program may do whatever it wants
	      (logging, additional authentication, banner, ...) before running
	      the actual shell.

       FTMP_FILE (string)
	      This parameter specifies the full pathname to a file to which
	      login failures are recorded.  When a login failure occurs, a
	      utmp format record will be appended to this file.  Note that
	      this differs from the /var/log/faillog failure logging in that
	      this facility logs every failure whereas the ``faillog''
	      facility accumulates failure information per user.  If this
	      parameter is not specified then logging will be inhibited.  See
	      FAILLOG_ENAB and LOG_UNKFAIL_ENAB for related information.

       GID_MAX (number)

       GID_MIN (number)
	      Range of group IDs to choose from for the groupadd program.

       HUSHLOGIN_FILE (string)
	      This parameter is used to establish ``hushlogin'' conditions.
	      There are two possible ways to establish these conditions.
	      First, if the value of this parameter is a filename and that
	      file exists in the user's home directory then ``hushlogin''
	      conditions will be in effect.  The contents of this file are
	      ignored; its mere presence triggers ``hushlogin'' conditions.
	      Second, if the value of this parameter is a full pathname and
	      either the user's login name or the user's shell is found in
	      this file, then ``hushlogin'' conditions will be in effect.  In
	      this case, the file should be in a format similar to:

		   demo
		   /usr/lib/uucp/uucico
		     .
		     .
		     .

	      If this parameter is not defined, then ``hushlogin'' conditions
	      will never occur.  When ``hushlogin'' conditions are
	      established, the message of the day, last successful and
	      unsuccessful login display, mail status display, and password
	      aging checks are suppressed.  Note that allowing hushlogin files
	      in user home directories allows the user to disable password
	      aging checks.  See MOTD_FILE, FAILLOG_ENAB, LASTLOG_ENAB, and
	      MAIL_CHECK_ENAB for related information.

       ISSUE_FILE (string)
	      Full pathname of the file to display before each login prompt.

       KILLCHAR (number)
	      The terminal kill character is initialized to this value.  This
	      is supported only on systems with the termio interface, e.g.
	      System V.  If not specified, the kill character will be
	      initialized to a CTRL/U.  See ERASECHAR for related information.

       LASTLOG_ENAB (boolean)
	      If yes, and if the /var/log/lastlog file exists, then a
	      successful user login will be recorded to this file.
	      Furthermore, if this option is enabled then the times of the
	      most recent successful and unsuccessful logins will be displayed
	      to the user upon login.  The unsuccessful login display will be
	      suppressed if FAILLOG_ENAB is not enabled.  If ``hushlogin''
	      conditions are in effect, then both the successful and
	      unsuccessful login information will be suppressed.

       LOGIN_RETRIES (number)
	      Number of login attempts allowed before the login program exits.

       LOGIN_STRING (string)
	      XXX needs to be documented.

       LOGIN_TIMEOUT (number)
	      XXX needs to be documented.

       LOG_OK_LOGINS (boolean)
	      XXX needs to be documented.

       LOG_UNKFAIL_ENAB (boolean)
	      If  yes  then  unknown  usernames  will be included when a login
	      failure is recorded.  Note that this  is	a  potential  security
	      risk;  a	common login failure mode is transposition of the user
	      name and password, thus this mode will often cause passwords  to
	      accumulate in the failure logs.  If this option is disabled then
	      unknown usernames will be suppressed in login failure  messages.

       MAIL_CHECK_ENAB (boolean)
	      If  yes,	the user will be notified of his or her mailbox status
	      upon login.  See MAIL_DIR for related information.

       MAIL_DIR (string)
	      This parameter specifies the  full  pathname  to	the  directory
	      which contains the user mailbox files.  The user's login name is
	      appended to this path to form the MAIL environment  parameter  -
	      the  path  to  the  user's  mailbox.   Either  this parameter or
	      MAIL_FILE must be defined; if undefined some possibly  incorrect
	      default  value will be assumed.  See MAIL_CHECK_ENAB for related
	      information.

       MAIL_FILE (string)
	      This parameter specifies the name of the	user's	mailbox  file.
	      This  name  is appended to the name of the user's home directory
	      to form the MAIL environment parameter - the path to the	user's
	      mailbox.	 Either this parameter or MAIL_DIR must be defined; if
	      undefined some possibly incorrect default value will be assumed.
	      See MAIL_CHECK_ENAB for related information.

       MD5_CRYPT_ENAB (boolean)
	      If yes, the passwd program will hash newly changed passwords
	      using the MD5-based crypt(3) password hashing algorithm, which
	      originally appeared in FreeBSD, and is also supported by
	      libc-5.4.38 and glibc-2.0 (or higher) on Linux.  This algorithm
	      allows passwords longer than 8 characters (limited by getpass(3)
	      to 127 characters), but is incompatible with traditional
	      crypt(3) implementations.  Note that MD5-crypt is a fast hash
	      and is no longer considered adequate against offline cracking;
	      current versions of the shadow suite select stronger methods
	      (such as SHA-512) through the ENCRYPT_METHOD parameter instead.

       MOTD_FILE (string)
	      This  parameter specifies a colon-delimited list of pathnames to
	      ``message of the day'' files.  If a specified file exists,  then
	      its  contents  are  displayed  to  the user upon login.  If this
	      parameter is not defined or ``hushlogin'' login  conditions  are
	      in effect, this information will be suppressed.

       NOLOGINS_FILE (string)
	      This  parameter  specifies  the  full  pathname  to a file which
	      inhibits non-root logins.  If this file exists and a user  other
	      than  root  attempts to log in, the contents of the file will be
	      displayed and the user will be disconnected.  If this  parameter
	      is not specified then this feature will be inhibited.

       NOLOGIN_STR (string)
	      XXX needs to be documented.

       OBSCURE_CHECKS_ENAB (boolean)
	      If yes, the passwd program will perform additional checks before
	      accepting a password change.  The checks	performed  are	fairly
	      simple,  and  their  use is recommended.	These obscurity checks
	      are bypassed if passwd is run by	root.	See  PASS_MIN_LEN  for
	      related information.

       PASS_ALWAYS_WARN (boolean)
	      XXX needs to be documented.

       PASS_CHANGE_TRIES (number)
	      XXX needs to be documented.

       PASS_MIN_DAYS (number)
	      The  minimum  number  of	days allowed between password changes.
	      Any  password  changes  attempted  sooner  than  this  will   be
	      rejected.  If not specified, a zero value will be assumed.

       PASS_MIN_LEN (number)
	      The minimum number of characters in an acceptable password.  An
	      attempt to assign a password with fewer characters will be
	      rejected.  A zero value suppresses this check.  If not
	      specified, a zero value will be assumed.

       PASS_MAX_DAYS (number)
	      The maximum number of days a password may be used.  If the
	      password is older than this, then the account will be locked.
	      If not specified, a large value will be assumed.

       PASS_MAX_LEN (number)
	      XXX needs to be documented.

       PASS_WARN_AGE (number)
	      The number of days warning given before a password  expires.   A
	      zero  means  warning is given only upon the day of expiration, a
	      negative value means no warning is given.  If not specified,  no
	      warning will be provided.

       PORTTIME_CHECKS_ENAB (boolean)
	      If yes and an /etc/porttime file exists, that file will be
	      consulted to ensure the user may login at this time on the given
	      line.  c.f.  porttime(5)

       QMAIL_DIR (string)
	      For  Qmail  users,  this parameter specifies a directory where a
	      Maildir hierarchy is stored.  See  MAIL_CHECK_ENAB  for  related
	      information.

       QUOTAS_ENAB (boolean)
	      If yes, then the user's ``ulimit,'' ``umask,'' and ``niceness''
	      will be initialized to the values, if specified, in the gecos
	      field of the passwd file.  c.f.  passwd(5).

       SU_NAME (string)
	      This parameter assigns a command name when ``su -'' is run.  For
	      example, if the parameter is defined as  ``su'',	then  a  ps(1)
	      listing  would  show  the  command  running as ``-su''.  If this
	      parameter is undefined, then a ps(1) listing would show the name
	      of the actual shell being run, e.g.  something like ``-sh''.

       SULOG_FILE (string)
	      This parameter specifies a full pathname of a file in which su
	      activity is logged.  If this parameter is not specified, the
	      logging is suppressed.  Because the su command can be used to
	      try guessed passwords against an account, either this option or
	      syslog should be used to note su activity.  See the
	      SYSLOG_SU_ENAB option for related information.

       SU_WHEEL_ONLY (boolean)
	      XXX needs to be documented.

       SYSLOG_SG_ENAB (boolean)
	      XXX needs to be documented.

       SYSLOG_SU_ENAB (boolean)
	      If yes and login was compiled with syslog support, then  all  su
	      activity	will  be  noted  through  the  syslog  facility.   See
	      SULOG_FILE for related information.

       TTYGROUP (string or number)
	      The group ownership of the terminal is initialized to this group
	      name or number.  One well-known security attack involves forcing
	      terminal control sequences upon another user's terminal line.
	      This problem can be averted by disabling permissions which allow
	      other users to access the terminal line, but this unfortunately
	      prevents programs such as write from operating.  Another
	      solution is to use a version of the write program which filters
	      out potentially dangerous character sequences, make this program
	      ``setgid'' to a special group, assign group ownership of the
	      terminal line to this special group, and assign permissions of
	      0620 to the terminal line.  The TTYGROUP definition has been
	      provided for just this situation.  If this item is not defined,
	      then the group ownership of the terminal is initialized to the
	      user's group number.  See TTYPERM for related information.

       TTYPERM (number)
	      The login terminal permissions are initialized to this value.
	      Typical values will be 0622 to permit others write access to the
	      line or 0600 to secure the line from other users.  If not
	      specified, the terminal permissions will be initialized to 0622.
	      See TTYGROUP for related information.

       TTYTYPE_FILE (string)
	      This parameter specifies the full pathname to a file which maps
	      terminal lines to terminal types.  Each line of the file
	      contains a terminal type and a terminal line, separated by
	      whitespace, for example:

		   vt100     tty01
		   wyse60    tty02
		     .	       .
		     .	       .
		     .	       .

	      This information is only used to initialize the TERM environment
	      parameter when it does not already exist.  A line starting with
	      a ``#'' pound sign will be treated as a comment.  If this
	      parameter is not specified, the file does not exist, or the
	      terminal line is not found in the file, then the TERM
	      environment parameter will not be set.

       UID_MAX (number)
	      XXX needs to be documented.

       UID_MIN (number)
	      XXX needs to be documented.

       ULIMIT (long number)
	      The file size limit is initialized to this value.  This is
	      supported only on systems with a ulimit, e.g.  System V.  If not
	      specified, the file size limit will be initialized to some large
	      value.

       UMASK (number)
	      The permission mask is initialized to this value.  If not
	      specified, the permission mask will be initialized to zero,
	      which leaves files the user creates writable by every other
	      user unless the shell or the user sets a stricter mask.

       USERDEL_CMD (string)
	      XXX needs to be documented.
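
       An added example, not code from the shadow suite or from this manual
       page, that audits a login.defs file for the weak settings described
       under LOG_UNKFAIL_ENAB, HUSHLOGIN_FILE, SULOG_FILE, SYSLOG_SU_ENAB,
       TTYGROUP, TTYPERM, UMASK, FAILLOG_ENAB and CONSOLE.  Each check is this
       example's reading of the corresponding description, the two sample
       files are constructed, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the shadow suite: audit a login.defs file for
# the weak settings this manual page warns about.  Each check is this
# example's reading of the relevant parameter description.

# Write two constructed sample files into directory $1: weak.defs carries
# the documented defaults and risky values, hardened.defs the safer choices.
write_audit_samples() {
    cat > "$1/weak.defs" <<'EOF'
LOG_UNKFAIL_ENAB    yes
HUSHLOGIN_FILE      .hushlogin
SYSLOG_SU_ENAB      no
TTYPERM             0622
FAILLOG_ENAB        no
EOF
    cat > "$1/hardened.defs" <<'EOF'
LOG_UNKFAIL_ENAB    no
HUSHLOGIN_FILE      /etc/hushlogins
SULOG_FILE          /var/log/sulog
SYSLOG_SU_ENAB      yes
TTYGROUP            tty
TTYPERM             0620
UMASK               077
FAILLOG_ENAB        yes
CONSOLE             console:tty01:tty02
EOF
}

# Raw value of parameter $2 in file $1 (empty when undefined).
defs_get() {
    awk -v n="$2" '/^[ \t]*#/ || /^[ \t]*$/ { next } $1 == n { v = $2 } END { print v }' "$1"
}

finding() { findings=$((findings + 1)); echo "$1"; }

# Print one line per finding and return the number of findings.
audit_login_defs() {
    f=$1; findings=0

    if [ "$(defs_get "$f" LOG_UNKFAIL_ENAB)" = yes ]; then
        finding "LOG_UNKFAIL_ENAB yes: mistyped passwords will accumulate in failure logs"
    fi

    hush=$(defs_get "$f" HUSHLOGIN_FILE)
    case $hush in
    ""|/*) ;;
    *) finding "HUSHLOGIN_FILE $hush: a per-home file lets users suppress password aging checks" ;;
    esac

    if [ -z "$(defs_get "$f" SULOG_FILE)" ] && [ "$(defs_get "$f" SYSLOG_SU_ENAB)" != yes ]; then
        finding "su activity is not logged: set SULOG_FILE or SYSLOG_SU_ENAB yes"
    fi

    perm=$(defs_get "$f" TTYPERM); perm=${perm:-0622}      # page: default is 0622
    if [ $((perm & 02)) -ne 0 ]; then
        finding "TTYPERM $perm: any user can write control sequences to the line"
    fi
    if [ $((perm & 020)) -ne 0 ] && [ -z "$(defs_get "$f" TTYGROUP)" ]; then
        finding "TTYPERM $perm is group-writable but TTYGROUP is not set"
    fi

    um=$(defs_get "$f" UMASK); um=${um:-0}                   # page: default is zero
    if [ $(( (um & 022) != 022 )) -eq 1 ]; then
        finding "UMASK $um: new files default to group- or world-writable"
    fi

    if [ "$(defs_get "$f" FAILLOG_ENAB)" != yes ]; then
        finding "FAILLOG_ENAB not yes: login failures are not accumulated in faillog"
    fi

    if [ -z "$(defs_get "$f" CONSOLE)" ]; then
        finding "CONSOLE undefined: root may log in from any terminal line"
    fi

    return $findings
}

# Stand-alone demonstration.
d=$(mktemp -d)
write_audit_samples "$d"
for sample in weak hardened; do
    echo "== $sample.defs"
    audit_login_defs "$d/$sample.defs" || echo "   ($? findings)"
done
rm -rf "$d"
```

       The weak sample deliberately leaves TTYPERM, UMASK and CONSOLE at the
       documented defaults, so most of its findings come from parameters that
       are simply absent; an audit that only inspects the lines present in
       the file misses exactly those cases.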

CROSS REFERENCE

       The  following cross reference shows which programs in the shadow login
       suite use which parameters.

       login	   CONSOLE DIALUPS_CHECK_ENAB ENV_HZ ENV_SUPATH ENV_TZ
		   ERASECHAR FAILLOG_ENAB FTMP_FILE HUSHLOGIN_FILE KILLCHAR
		   LASTLOG_ENAB LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR
		   MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB
		   TTYPERM TTYTYPE_FILE ULIMIT UMASK

       newusers    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK

       passwd	   OBSCURE_CHECKS_ENAB PASS_MIN_LEN

       pwconv	   PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

       su	   ENV_HZ ENV_SUPATH ENV_TZ HUSHLOGIN_FILE MAIL_CHECK_ENAB
		   MAIL_DIR MOTD_FILE NOLOGIN_STR QUOTAS_ENAB SULOG_FILE SYSLOG_SU_ENAB


       sulogin	   ENV_HZ ENV_SUPATH ENV_TZ MAIL_DIR QUOTAS_ENAB TTYPERM

BUGS

       Some of the supported configuration parameters are  not	documented  in
       this manual page.

SEE ALSO

       login(1), passwd(5), faillog(5), porttime(5), faillog(8)

AUTHORS

       Julianne Frances Haugh (jfh@austin.ibm.com)
       Chip Rosenthal (chip@unicom.com)


