846764b4 | 1 | # |
2960a6fe | 2 | # /etc/login.defs - Configuration control definitions for the shadow package. |
846764b4 | 3 | # |
2960a6fe | 4 | # $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $ |
846764b4 | 5 | # |
6 | |
7 | # | |
8 | # Delay in seconds before being allowed another attempt after a login failure | |
9 | # Note: When PAM is used, some modules may enforce a minimal delay (e.g.
10 | # pam_unix enforces a 2s delay) | |
11 | # |
12 | FAIL_DELAY 3 | |
13 | ||
14 | # |
15 | # Enable logging and display of /var/log/faillog login failure info. | |
16 | # | |
17 | FAILLOG_ENAB yes | |
18 | ||
19 | # |
20 | # Enable display of unknown usernames when login failures are recorded. | |
21 | # | |
22 | LOG_UNKFAIL_ENAB no | |
23 | ||
24 | # | |
25 | # Enable logging of successful logins | |
26 | # | |
27 | LOG_OK_LOGINS no | |
28 | ||
29 | # |
30 | # Enable logging and display of /var/log/lastlog login time info. | |
31 | # | |
32 | LASTLOG_ENAB yes | |
33 | ||
34 | # | |
35 | # Enable checking and display of mailbox status upon login. | |
36 | # | |
37 | # Disable if the shell startup files already check for mail | |
38 | # ("mailx -e" or equivalent). | |
39 | # | |
40 | MAIL_CHECK_ENAB yes | |
41 | ||
42 | # | |
43 | # Enable additional checks upon password changes. | |
44 | # | |
45 | OBSCURE_CHECKS_ENAB yes | |
46 | ||
47 | # | |
48 | # Enable checking of time restrictions specified in /etc/porttime. | |
49 | # | |
50 | PORTTIME_CHECKS_ENAB yes | |
51 | ||
52 | # | |
53 | # Enable setting of ulimit, umask, and niceness from passwd gecos field. | |
54 | # | |
55 | QUOTAS_ENAB yes | |
56 | ||
57 | # |
58 | # Enable "syslog" logging of su activity - in addition to sulog file logging. | |
59 | # SYSLOG_SG_ENAB does the same for newgrp and sg. | |
60 | # | |
61 | SYSLOG_SU_ENAB yes | |
62 | SYSLOG_SG_ENAB yes | |
63 | ||
64 | # | |
65 | # If defined, either full pathname of a file containing device names or | |
66 | # a ":" delimited list of device names. Root logins will be allowed only | |
67 | # upon these devices. | |
68 | # | |
69 | CONSOLE /etc/securetty | |
70 | #CONSOLE console:tty01:tty02:tty03:tty04 | |
71 | ||
72 | # | |
73 | # If defined, all su activity is logged to this file. | |
74 | # | |
75 | #SULOG_FILE /var/log/sulog | |
76 | ||
77 | # |
78 | # If defined, ":" delimited list of "message of the day" files to | |
79 | # be displayed upon login. | |
80 | # | |
81 | MOTD_FILE /etc/motd | |
82 | #MOTD_FILE /etc/motd:/usr/lib/news/news-motd | |
83 | ||
84 | # | |
85 | # If defined, this file will be output before each login prompt. | |
86 | # | |
87 | #ISSUE_FILE /etc/issue | |
88 | ||
89 | # |
90 | # If defined, file which maps tty line to TERM environment parameter. | |
91 | # Each line of the file is in a format something like "vt100 tty01". | |
92 | # | |
93 | #TTYTYPE_FILE /etc/ttytype | |
94 | ||
95 | # |
96 | # If defined, login failures will be logged here in a utmp format. | |
97 | # last, when invoked as lastb, will read /var/log/btmp, so... | |
98 | # | |
99 | FTMP_FILE /var/log/btmp | |
100 | ||
101 | # | |
102 | # If defined, name of file whose presence will inhibit non-root | |
103 | # logins. The contents of this file should be a message indicating | |
104 | # why logins are inhibited. | |
105 | # | |
106 | NOLOGINS_FILE /etc/nologin | |
107 | ||
108 | # |
109 | # If defined, the command name to display when running "su -". For | |
110 | # example, if this is defined as "su" then a "ps" will display the | |
111 | # command as "-su". If not defined, then "ps" would display the | |
112 | # name of the shell actually being run, e.g. something like "-sh". | |
113 | # | |
114 | SU_NAME su | |
115 | ||
116 | # | |
117 | # *REQUIRED* |
118 | # Directory where mailboxes reside, _or_ name of file, relative to the | |
119 | # home directory. If you _do_ define both, MAIL_DIR takes precedence. | |
d61ad957 | 120 | # |
d57127bc | 121 | MAIL_DIR /var/mail |
122 | #MAIL_FILE .mail |
123 | ||
124 | # |
125 | # If defined, file which inhibits all the usual chatter during the login | |
126 | # sequence. If a full pathname, then hushed mode will be enabled if the | |
127 | # user's name or shell are found in the file. If not a full pathname, then | |
128 | # hushed mode will be enabled if the file exists in the user's home directory. | |
129 | # | |
130 | HUSHLOGIN_FILE .hushlogin | |
131 | #HUSHLOGIN_FILE /etc/hushlogins | |
132 | ||
133 | # |
134 | # If defined, either a TZ environment parameter spec or the | |
135 | # fully-rooted pathname of a file containing such a spec. | |
136 | # | |
137 | #ENV_TZ TZ=CST6CDT | |
138 | #ENV_TZ /etc/tzname | |
139 | ||
140 | # | |
141 | # If defined, an HZ environment parameter spec. | |
142 | # | |
143 | # for Linux/x86 | |
144 | ENV_HZ HZ=100 | |
145 | # For Linux/Alpha... | |
146 | #ENV_HZ HZ=1024 | |
147 | ||
148 | # |
149 | # *REQUIRED* The default PATH settings, for superuser and normal users. | |
150 | # | |
151 | # (they are minimal, add the rest in the shell startup files) | |
152 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | |
153 | ENV_PATH PATH=/bin:/usr/bin | |
154 | ||
155 | # | |
156 | # Terminal permissions | |
157 | # | |
158 | # TTYGROUP Login tty will be assigned this group ownership. | |
159 | # TTYPERM Login tty will be set to this permission. | |
160 | # | |
161 | # If you have a "write" program which is "setgid" to a special group | |
162 | # which owns the terminals, define TTYGROUP to the group number and | |
163 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign | |
164 | # TTYPERM to either 622 or 600. | |
165 | # | |
166 | TTYGROUP tty | |
167 | TTYPERM 0600 | |
168 | ||
169 | # | |
170 | # Login configuration initializations: | |
171 | # | |
172 | # ERASECHAR Terminal ERASE character ('\010' = backspace). | |
173 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). | |
2960a6fe | 174 | # ULIMIT Default "ulimit" value. |
175 | # |
176 | # The ERASECHAR and KILLCHAR are used only on System V machines. | |
177 | # The ULIMIT is used only if the system supports it. |
178 | # (now it works with setrlimit too; ulimit is in 512-byte units) | |
179 | # |
180 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. | |
181 | # | |
182 | ERASECHAR 0177 |
183 | KILLCHAR 025 | |
184 | #ULIMIT 2097152 | |
185 | ||
186 | # Default initial "umask" value used by login on non-PAM enabled systems. | |
187 | # Default "umask" value for pam_umask on PAM enabled systems. | |
188 | # UMASK is also used by useradd and newusers to set the mode of new home | |
189 | # directories. | |
190 | # 022 is the default value, but 027, or even 077, could be considered | |
191 | # better for privacy. There is no One True Answer here: each sysadmin | |
192 | # must make up her mind. | |
846764b4 | 193 | UMASK 022 |
d61ad957 | 194 | |
195 | # |
196 | # Password aging controls: | |
197 | # | |
198 | # PASS_MAX_DAYS Maximum number of days a password may be used. | |
199 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. | |
200 | # PASS_MIN_LEN Minimum acceptable password length. | |
201 | # PASS_WARN_AGE Number of days warning given before a password expires. | |
202 | # | |
203 | PASS_MAX_DAYS 99999 | |
204 | PASS_MIN_DAYS 0 | |
205 | PASS_MIN_LEN 5 | |
206 | PASS_WARN_AGE 7 | |
207 | ||
208 | # | |
209 | # If "yes", the user must be listed as a member of the first gid 0 group | |
210 | # in /etc/group (called "root" on most Linux systems) to be able to "su" | |
211 | # to uid 0 accounts. If the group doesn't exist or is empty, no one | |
212 | # will be able to "su" to uid 0. | |
213 | # | |
214 | SU_WHEEL_ONLY no | |
215 | ||
216 | # | |
217 | # If compiled with cracklib support, where are the dictionaries | |
218 | # | |
219 | CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict | |
220 | ||
221 | # |
222 | # Min/max values for automatic uid selection in useradd | |
223 | # | |
8f308d84 | 224 | UID_MIN 1000 |
d61ad957 | 225 | UID_MAX 60000 |
226 | # System accounts |
227 | SYS_UID_MIN 1 | |
228 | SYS_UID_MAX 999 | |
229 | |
230 | # | |
231 | # Min/max values for automatic gid selection in groupadd | |
232 | # | |
8f308d84 | 233 | GID_MIN 1000 |
d61ad957 | 234 | GID_MAX 60000 |
235 | # System accounts |
236 | SYS_GID_MIN 10 | |
237 | SYS_GID_MAX 999 | |
d61ad957 | 238 | |
239 | # |
240 | # Max number of login retries if password is bad | |
241 | # | |
242 | LOGIN_RETRIES 5 | |
243 | ||
244 | # | |
245 | # Max time in seconds for login | |
246 | # | |
247 | LOGIN_TIMEOUT 60 | |
248 | ||
249 | # |
250 | # Maximum number of attempts to change password if rejected (too easy) | |
251 | # | |
252 | PASS_CHANGE_TRIES 5 | |
253 | ||
254 | # | |
255 | # Warn about weak passwords (but still allow them) if you are root. | |
256 | # | |
257 | PASS_ALWAYS_WARN yes | |
258 | ||
259 | # | |
260 | # Number of significant characters in the password for crypt(). | |
261 | # Default is 8, don't change unless your crypt() is better. | |
262 | # Ignored if MD5_CRYPT_ENAB set to "yes". | |
263 | # | |
264 | #PASS_MAX_LEN 8 | |
265 | ||
266 | # | |
267 | # Require password before chfn/chsh can make any changes. | |
268 | # | |
269 | CHFN_AUTH yes | |
270 | ||
d61ad957 | 271 | # |
272 | # Which fields may be changed by regular users using chfn - use |
273 | # any combination of letters "frwh" (full name, room number, work | |
274 | # phone, home phone). If not defined, no changes are allowed. | |
275 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". | |
276 | # | |
277 | CHFN_RESTRICT rwh |
278 | ||
279 | # | |
280 | # Password prompt (%s will be replaced by user name). | |
281 | # | |
282 | # XXX - it doesn't work correctly yet, for now leave it commented out | |
283 | # to use the default which is just "Password: ". | |
284 | #LOGIN_STRING "%s's Password: " | |
285 | ||
286 | # | |
287 | # Only works if compiled with MD5_CRYPT defined: | |
288 | # If set to "yes", new passwords will be encrypted using the MD5-based | |
289 | # algorithm compatible with the one used by recent releases of FreeBSD. | |
290 | # It supports passwords of unlimited length and longer salt strings. | |
291 | # Set to "no" if you need to copy encrypted passwords to other systems | |
292 | # which don't understand the new algorithm. Default is "no". | |
293 | # | |
294 | # Note: If you use PAM, it is recommended to use a value consistent with | |
295 | # the PAM modules configuration. | |
296 | # | |
297 | # This variable is deprecated. You should use ENCRYPT_METHOD. | |
298 | # | |
299 | #MD5_CRYPT_ENAB no | |
300 | ||
301 | # | |
302 | # Only works if compiled with ENCRYPTMETHOD_SELECT defined: | |
303 | # If set to MD5, the MD5-based algorithm will be used for encrypting passwords | |
304 | # If set to SHA256, the SHA256-based algorithm will be used for encrypting passwords | |
305 | # If set to SHA512, the SHA512-based algorithm will be used for encrypting passwords | |
306 | # If set to DES, the DES-based algorithm will be used for encrypting passwords (default) | |
307 | # Overrides the MD5_CRYPT_ENAB option | |
308 | # | |
309 | # Note: If you use PAM, it is recommended to use a value consistent with | |
310 | # the PAM modules configuration. | |
311 | # | |
312 | #ENCRYPT_METHOD DES | |
313 | ||
314 | # | |
315 | # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. | |
316 | # | |
317 | # Define the number of SHA rounds. | |
318 | # With a lot of rounds, it is more difficult to brute-force the password. | |
319 | # But note also that more CPU resources will be needed to authenticate | |
320 | # users. | |
321 | # | |
322 | # If not specified, the libc will choose the default number of rounds (5000). | |
323 | # The values must be inside the 1000-999999999 range. | |
324 | # If only one of the MIN or MAX values is set, then this value will be used. | |
325 | # If MIN > MAX, the highest value will be used. | |
326 | # | |
327 | # SHA_CRYPT_MIN_ROUNDS 5000 | |
328 | # SHA_CRYPT_MAX_ROUNDS 5000 | |
846764b4 | 329 | |
330 | # |
331 | # List of groups to add to the user's supplementary group set | |
332 | # when logging in on the console (as determined by the CONSOLE | |
333 | # setting). Default is none. | |
334 | # | |
335 | # Use with caution - it is possible for users to gain permanent | |
336 | # access to these groups, even when not logged in on the console. | |
337 | # How to do it is left as an exercise for the reader... | |
338 | # | |
339 | #CONSOLE_GROUPS floppy:audio:cdrom | |
340 | ||
341 | # | |
342 | # Should login be allowed if we can't cd to the home directory? | |
343 | # Default is no. | |
344 | # | |
345 | DEFAULT_HOME yes | |
346 | ||
347 | # |
348 | # If this file exists and is readable, login environment will be | |
349 | # read from it. Every line should be in the form name=value. | |
350 | # | |
351 | ENVIRON_FILE /etc/environment | |
352 | ||
353 | # |
354 | # If defined, this command is run when removing a user. | |
355 | # It should remove any at/cron/print jobs etc. owned by | |
356 | # the user to be removed (passed as the first argument). | |
357 | # | |
358 | #USERDEL_CMD /usr/sbin/userdel_local | |
359 | ||
360 | # |
361 | # Enable setting of the umask group bits to be the same as owner bits | |
362 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | |
363 | # the same as gid, and username is the same as the primary group name. | |
364 | # | |
365 | # This also enables userdel to remove user groups if no members exist. | |
366 | # | |
d57127bc | 367 | #USERGROUPS_ENAB yes |
0e2613ba | 368 | |
369 | # |
370 | # If set to a non-null number, the shadow utilities will make sure that | |
371 | # groups never have more than this number of users on one line. | |
372 | # This permits support for split groups (groups split into multiple lines, | |
373 | # with the same group ID, to avoid the line length limitation in the | |
374 | # group file). | |
375 | # | |
376 | # 0 is the default value and disables this feature. | |
377 | # | |
378 | #MAX_MEMBERS_PER_GROUP 0 | |
379 | ||
380 | # | |
381 | # If useradd should create home directories for users by default | |
382 | # (non-system users only) | |
383 | # This option is overridden with the -M or -m flags on the useradd command | |
384 | # line. | |
385 | # | |
386 | #CREATE_HOME yes | |
387 |