]>
Commit | Line | Data |
---|---|---|
846764b4 ER |
1 | # |
2 | # /etc/login.defs - Configuration control definitions for the login package. | |
3 | # | |
4 | # $Id$ | |
5 | # | |
6 | # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. | |
7 | # If unspecified, some arbitrary (and possibly incorrect) value will | |
8 | # be assumed. All other items are optional - if not specified then | |
9 | # the described action or option will be inhibited. | |
10 | # | |
11 | # Comment lines (lines beginning with "#") and blank lines are ignored. | |
12 | # | |
13 | # Modified for Linux. --marekm | |
14 | ||
15 | # | |
16 | # Delay in seconds before being allowed another attempt after a login failure | |
17 | # | |
18 | FAIL_DELAY 3 | |
19 | ||
20 | # | |
21 | # Enable logging and display of /var/log/faillog login failure info. | |
22 | # | |
23 | FAILLOG_ENAB yes | |
24 | ||
25 | # | |
26 | # Enable display of unknown usernames when login failures are recorded. | |
27 | # | |
28 | LOG_UNKFAIL_ENAB no | |
29 | ||
30 | # | |
31 | # Enable logging of successful logins | |
32 | # | |
33 | LOG_OK_LOGINS no | |
34 | ||
35 | # | |
36 | # Enable logging and display of /var/log/lastlog login time info. | |
37 | # | |
38 | LASTLOG_ENAB yes | |
39 | ||
40 | # | |
41 | # Enable checking and display of mailbox status upon login. | |
42 | # | |
43 | # Disable if the shell startup files already check for mail | |
44 | # ("mailx -e" or equivalent). | |
45 | # | |
46 | MAIL_CHECK_ENAB yes | |
47 | ||
48 | # | |
49 | # Enable additional checks upon password changes. | |
50 | # | |
51 | OBSCURE_CHECKS_ENAB yes | |
52 | ||
53 | # | |
54 | # Enable checking of time restrictions specified in /etc/porttime. | |
55 | # | |
56 | PORTTIME_CHECKS_ENAB yes | |
57 | ||
58 | # | |
59 | # Enable setting of ulimit, umask, and niceness from passwd gecos field. | |
60 | # | |
61 | QUOTAS_ENAB yes | |
62 | ||
63 | # | |
64 | # Enable "syslog" logging of su activity - in addition to sulog file logging. | |
65 | # SYSLOG_SG_ENAB does the same for newgrp and sg. | |
66 | # | |
67 | SYSLOG_SU_ENAB yes | |
68 | SYSLOG_SG_ENAB yes | |
69 | ||
70 | # | |
71 | # If defined, either full pathname of a file containing device names or | |
72 | # a ":" delimited list of device names. Root logins will be allowed only | |
73 | # upon these devices. | |
74 | # | |
75 | CONSOLE /etc/securetty | |
76 | #CONSOLE console:tty01:tty02:tty03:tty04 | |
77 | ||
78 | # | |
79 | # If defined, all su activity is logged to this file. | |
80 | # | |
81 | #SULOG_FILE /var/log/sulog | |
82 | ||
83 | # | |
84 | # If defined, ":" delimited list of "message of the day" files to | |
85 | # be displayed upon login. | |
86 | # | |
87 | MOTD_FILE /etc/motd | |
88 | #MOTD_FILE /etc/motd:/usr/lib/news/news-motd | |
89 | ||
90 | # | |
91 | # If defined, this file will be output before each login prompt. | |
92 | # | |
93 | #ISSUE_FILE /etc/issue | |
94 | ||
95 | # | |
96 | # If defined, file which maps tty line to TERM environment parameter. | |
97 | # Each line of the file is in a format something like "vt100 tty01". | |
98 | # | |
99 | #TTYTYPE_FILE /etc/ttytype | |
100 | ||
101 | # | |
102 | # If defined, login failures will be logged here in a utmp format. | |
103 | # last, when invoked as lastb, will read /var/log/btmp, so... | |
104 | # | |
d57127bc | 105 | FTMP_FILE /var/log/btmpx |
846764b4 ER |
106 | |
107 | # | |
108 | # If defined, name of file whose presence which will inhibit non-root | |
109 | # logins. The contents of this file should be a message indicating | |
110 | # why logins are inhibited. | |
111 | # | |
112 | NOLOGINS_FILE /etc/nologin | |
113 | ||
114 | # | |
115 | # If defined, the command name to display when running "su -". For | |
116 | # example, if this is defined as "su" then a "ps" will display the | |
117 | # command is "-su". If not defined, then "ps" would display the | |
118 | # name of the shell actually being run, e.g. something like "-sh". | |
119 | # | |
120 | SU_NAME su | |
121 | ||
122 | # | |
d61ad957 AM |
123 | # *REQUIRED* |
124 | # Directory where mailboxes reside, _or_ name of file, relative to the | |
125 | # home directory. If you _do_ define both, MAIL_DIR takes precedence. | |
126 | # QMAIL_DIR is for Qmail | |
127 | # | |
128 | #QMAIL_DIR Maildir | |
d57127bc | 129 | MAIL_DIR /var/mail |
d61ad957 AM |
130 | #MAIL_FILE .mail |
131 | ||
846764b4 ER |
132 | # |
133 | # If defined, file which inhibits all the usual chatter during the login | |
134 | # sequence. If a full pathname, then hushed mode will be enabled if the | |
135 | # user's name or shell are found in the file. If not a full pathname, then | |
136 | # hushed mode will be enabled if the file exists in the user's home directory. | |
137 | # | |
138 | HUSHLOGIN_FILE .hushlogin | |
139 | #HUSHLOGIN_FILE /etc/hushlogins | |
140 | ||
141 | # | |
142 | # If defined, the presence of this value in an /etc/passwd "shell" field will | |
143 | # disable logins for that user, although "su" will still be allowed. | |
144 | # | |
145 | # XXX this does not seem to be implemented yet... --marekm | |
146 | # no, it was implemented but I ripped it out ;-) -- jfh | |
147 | NOLOGIN_STR NOLOGIN | |
148 | ||
149 | # | |
150 | # If defined, either a TZ environment parameter spec or the | |
151 | # fully-rooted pathname of a file containing such a spec. | |
152 | # | |
153 | #ENV_TZ TZ=CST6CDT | |
154 | #ENV_TZ /etc/tzname | |
155 | ||
156 | # | |
157 | # If defined, an HZ environment parameter spec. | |
158 | # | |
159 | # for Linux/x86 | |
160 | ENV_HZ HZ=100 | |
161 | # For Linux/Alpha... | |
162 | #ENV_HZ HZ=1024 | |
163 | ||
164 | # | |
165 | # *REQUIRED* The default PATH settings, for superuser and normal users. | |
166 | # | |
167 | # (they are minimal, add the rest in the shell startup files) | |
168 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | |
169 | ENV_PATH PATH=/bin:/usr/bin | |
170 | ||
171 | # | |
172 | # Terminal permissions | |
173 | # | |
174 | # TTYGROUP Login tty will be assigned this group ownership. | |
175 | # TTYPERM Login tty will be set to this permission. | |
176 | # | |
177 | # If you have a "write" program which is "setgid" to a special group | |
178 | # which owns the terminals, define TTYGROUP to the group number and | |
179 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign | |
180 | # TTYPERM to either 622 or 600. | |
181 | # | |
182 | TTYGROUP tty | |
183 | TTYPERM 0600 | |
184 | ||
185 | # | |
186 | # Login configuration initializations: | |
187 | # | |
188 | # ERASECHAR Terminal ERASE character ('\010' = backspace). | |
189 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). | |
190 | # UMASK Default "umask" value. | |
191 | # ULIMIT Default "ulimit" value. | |
192 | # | |
193 | # The ERASECHAR and KILLCHAR are used only on System V machines. | |
194 | # The ULIMIT is used only if the system supports it. | |
195 | # (now it works with setrlimit too; ulimit is in 512-byte units) | |
196 | # | |
197 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. | |
198 | # | |
a37c4e97 ER |
199 | #ERASECHAR 0177 |
200 | #KILLCHAR 025 | |
846764b4 ER |
201 | UMASK 022 |
202 | #ULIMIT 2097152 | |
203 | ||
204 | # | |
d61ad957 AM |
205 | # Password aging controls: |
206 | # | |
207 | # PASS_MAX_DAYS Maximum number of days a password may be used. | |
208 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. | |
209 | # PASS_MIN_LEN Minimum acceptable password length. | |
210 | # PASS_WARN_AGE Number of days warning given before a password expires. | |
211 | # | |
212 | PASS_MAX_DAYS 99999 | |
213 | PASS_MIN_DAYS 0 | |
d57127bc ER |
214 | PASS_MIN_LEN 8 |
215 | PASS_WARN_AGE 5 | |
846764b4 ER |
216 | |
217 | # | |
218 | # If "yes", the user must be listed as a member of the first gid 0 group | |
219 | # in /etc/group (called "root" on most Linux systems) to be able to "su" | |
220 | # to uid 0 accounts. If the group doesn't exist or is empty, no one | |
221 | # will be able to "su" to uid 0. | |
222 | # | |
223 | SU_WHEEL_ONLY no | |
224 | ||
225 | # | |
226 | # If compiled with cracklib support, where are the dictionaries | |
227 | # | |
d57127bc | 228 | CRACKLIB_DICTPATH /usr/share/dict |
d61ad957 AM |
229 | |
230 | # | |
231 | # Min/max values for automatic uid selection in useradd | |
232 | # | |
d57127bc | 233 | UID_MIN 500 |
d61ad957 AM |
234 | UID_MAX 60000 |
235 | ||
236 | # | |
237 | # Min/max values for automatic gid selection in groupadd | |
238 | # | |
d57127bc | 239 | GID_MIN 500 |
d61ad957 AM |
240 | GID_MAX 60000 |
241 | ||
846764b4 ER |
242 | # |
243 | # Max number of login retries if password is bad | |
244 | # | |
245 | LOGIN_RETRIES 5 | |
246 | ||
247 | # | |
248 | # Max time in seconds for login | |
249 | # | |
250 | LOGIN_TIMEOUT 60 | |
251 | ||
252 | # | |
253 | # Maximum number of attempts to change password if rejected (too easy) | |
254 | # | |
255 | PASS_CHANGE_TRIES 5 | |
256 | ||
257 | # | |
258 | # Warn about weak passwords (but still allow them) if you are root. | |
259 | # | |
260 | PASS_ALWAYS_WARN yes | |
261 | ||
262 | # | |
263 | # Number of significant characters in the password for crypt(). | |
264 | # Default is 8, don't change unless your crypt() is better. | |
265 | # Ignored if MD5_CRYPT_ENAB set to "yes". | |
266 | # | |
267 | #PASS_MAX_LEN 8 | |
268 | ||
d61ad957 AM |
269 | # |
270 | # Require password before chfn/chsh can make any changes. | |
271 | # | |
272 | CHFN_AUTH yes | |
273 | ||
274 | # | |
846764b4 ER |
275 | # Which fields may be changed by regular users using chfn - use |
276 | # any combination of letters "frwh" (full name, room number, work | |
277 | # phone, home phone). If not defined, no changes are allowed. | |
278 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". | |
279 | # | |
d57127bc | 280 | CHFN_RESTRICT yes |
846764b4 ER |
281 | |
282 | # | |
283 | # Password prompt (%s will be replaced by user name). | |
284 | # | |
285 | # XXX - it doesn't work correctly yet, for now leave it commented out | |
286 | # to use the default which is just "Password: ". | |
287 | #LOGIN_STRING "%s's Password: " | |
288 | ||
289 | # | |
290 | # Only works if compiled with MD5_CRYPT defined: | |
291 | # If set to "yes", new passwords will be encrypted using the MD5-based | |
292 | # algorithm compatible with the one used by recent releases of FreeBSD. | |
293 | # It supports passwords of unlimited length and longer salt strings. | |
294 | # Set to "no" if you need to copy encrypted passwords to other systems | |
295 | # which don't understand the new algorithm. Default is "no". | |
d61ad957 | 296 | # |
d57127bc | 297 | MD5_CRYPT_ENAB yes |
846764b4 ER |
298 | |
299 | # | |
300 | # List of groups to add to the user's supplementary group set | |
301 | # when logging in on the console (as determined by the CONSOLE | |
302 | # setting). Default is none. | |
303 | # | |
304 | # Use with caution - it is possible for users to gain permanent | |
305 | # access to these groups, even when not logged in on the console. | |
306 | # How to do it is left as an exercise for the reader... | |
307 | # | |
308 | #CONSOLE_GROUPS floppy:audio:cdrom | |
309 | ||
310 | # | |
311 | # Should login be allowed if we can't cd to the home directory? | |
312 | # Default in no. | |
313 | # | |
314 | DEFAULT_HOME yes | |
315 | ||
316 | # | |
317 | # If this file exists and is readable, login environment will be | |
318 | # read from it. Every line should be in the form name=value. | |
319 | # | |
320 | ENVIRON_FILE /etc/environment | |
d61ad957 AM |
321 | |
322 | # | |
323 | # If defined, this command is run when removing a user. | |
324 | # It should remove any at/cron/print jobs etc. owned by | |
325 | # the user to be removed (passed as the first argument). | |
326 | # | |
327 | #USERDEL_CMD /usr/sbin/userdel_local | |
328 | ||
329 | # | |
846764b4 ER |
330 | # When prompting for password without echo, getpass() can optionally |
331 | # display a random number (in the range 1 to GETPASS_ASTERISKS) of '*' | |
332 | # characters for each character typed. This feature is designed to | |
333 | # confuse people looking over your shoulder when you enter a password :-). | |
334 | # Also, the new getpass() accepts both Backspace (8) and Delete (127) | |
335 | # keys to delete previous character (to cope with different terminal | |
336 | # types), Control-U to delete all characters, and beeps when there are | |
337 | # no more characters to delete, or too many characters entered. | |
338 | # | |
339 | # Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour - | |
340 | # exactly one '*' displayed for each character typed. | |
341 | # | |
342 | # Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace, | |
343 | # Delete, Control-U and beep continue to work as described above). | |
d61ad957 | 344 | # |
846764b4 ER |
345 | # Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass() |
346 | # without any new features. This is the default. | |
347 | # | |
348 | #GETPASS_ASTERISKS 1 | |
d61ad957 | 349 | |
846764b4 ER |
350 | # |
351 | # Enable setting of the umask group bits to be the same as owner bits | |
352 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | |
353 | # the same as gid, and username is the same as the primary group name. | |
354 | # | |
355 | # This also enables userdel to remove user groups if no members exist. | |
356 | # | |
d57127bc | 357 | #USERGROUPS_ENAB yes |
0e2613ba | 358 |