MAN page from OpenSuSE pwdutils-3.2.5-2.4.1.x86_64.rpm
Section: File Formats (5)
/etc/login.defs - Login configuration
The /etc/login.defs file defines the site-specific configuration for the shadow login suite. This file is required. Absence of this file will not prevent system operation, but will probably result in undesirable operation.
This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name and value, separated by whitespace. Blank lines and comment lines are ignored. Comments are introduced with a `#' pound sign and the pound sign must be the first non-white character of the line.
Parameter values may be of four types: strings, booleans, numbers, and long numbers. A string is comprised of any printable characters. A boolean should be either the value ``yes'' or ``no''. An undefined boolean parameter or one with a value other than these will be given a ``no'' value. Numbers (both regular and long) may be either decimal values, octal values (precede the value with ``0'') or hexadecimal values (precede the value with ``0x''). The maximum value of the regular and long numeric parameters is machine-dependent.
The following configuration items are provided:
- CHARACTER_CLASS (string)
- User account and group names have to match the regular expression given by this variable.
- CHFN_AUTH (boolean)
- If yes, the chfn and chsh programs will ask for a password before making any changes, unless run by the superuser.
- CHFN_RESTRICT (string)
- This parameter specifies which values in the gecos field of the passwd file may be changed by regular users using the chfn program. It can be any combination of the letters f, r, w, h, for Full name, Room number, Work phone, and Home phone, respectively. If not specified, only the superuser can make any changes.
- DEFAULT_HOME (boolean)
- If the home directory of a user is not reachable, should the user be allowed to log in?
- ENV_PATH (string)
- This parameter must be defined as the search path for regular users. When a login with UID other than zero occurs, the PATH environment parameter is initialized to this value.
- ENV_ROOTPATH (string)
- This parameter must be defined as the search path for root.
- FAIL_DELAY (number)
- Delay time in seconds after each failed login attempt.
- GID_MAX (number)
- GID_MIN (number)
- Range of group IDs to choose from for the groupadd program.
- HUSHLOGIN_FILE (string)
- This parameter is used to establish ``hushlogin'' conditions. There are two possible ways to establish these conditions. First, if the value of this parameter is a filename and that file exists in the user's home directory then ``hushlogin'' conditions will be in effect. The contents of this file are ignored; its mere presence triggers ``hushlogin'' conditions. Second, if the value of this parameter is a full pathname and either the user's login name or the user's shell is found in this file, then ``hushlogin'' conditions will be in effect. In this case, the file should be in a format similar to:

      demo
      /usr/lib/uucp/uucico
      . . .

If this parameter is not defined, then ``hushlogin'' conditions will never occur. When ``hushlogin'' conditions are established, the message of the day, last successful and unsuccessful login display, mail status display, and password aging checks are suppressed. Note that allowing hushlogin files in user home directories allows the user to disable password aging checks. See MOTD_FILE and LASTLOG_ENAB for related information. Features enabled through PAM modules are not affected by this; pam_mail will show whether there is new mail or not.
- LASTLOG_ENAB (boolean)
- If yes, and if the /var/log/lastlog file exists, then a successful user login will be recorded to this file. Furthermore, if this option is enabled then the times of the most recent successful and unsuccessful logins will be displayed to the user upon login. If ``hushlogin'' conditions are in effect, then both the successful and unsuccessful login information will be suppressed.
- LOG_UNKFAIL_ENAB (boolean)
- If yes, then unknown usernames will be included when a login failure is recorded. Note that this is a potential security risk; a common login failure mode is transposition of the user name and password, thus this mode will often cause passwords to accumulate in the failure logs. If this option is disabled then unknown usernames will be suppressed in login failure messages.
- LOGIN_RETRIES (number)
- Number of login attempts allowed before the login program exits.
- LOGIN_TIMEOUT (number)
- Time in seconds after which the login program exits if the user doesn't type his password.
- MOTD_FILE (string)
- This parameter specifies a colon-delimited list of pathnames to ``message of the day'' files. If a specified file exists, then its contents are displayed to the user upon login. If this parameter is not defined or ``hushlogin'' login conditions are in effect, this information will be suppressed.
- PASS_MIN_DAYS (number)
- The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, a zero value will be assumed.
- PASS_MAX_DAYS (number)
- The maximum number of days a password may be used. If the password is older than this, then the account will be locked. If not specified, a large value will be assumed.
- PASS_WARN_AGE (number)
- The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
- SYSTEM_GID_MAX (number)
- Max group ID value used by automatic gid selection in groupadd for system groups.
- SYSTEM_GID_MIN (number)
- Min group ID value used by automatic gid selection in groupadd for system groups.
- SYSTEM_UID_MAX (number)
- Max user ID value used by automatic uid selection in useradd for system accounts.
- SYSTEM_UID_MIN (number)
- Min user ID value used by automatic uid selection in useradd for system accounts.
- TTYGROUP (string or number)
- The group ownership of the terminal is initialized to this group name or number. One well-known security attack involves forcing terminal control sequences upon another user's terminal line. This problem can be averted by disabling permissions which allow other users to access the terminal line, but this unfortunately prevents programs such as write from operating. Another solution is to use a version of the write program which filters out potentially dangerous character sequences, make this program ``setgid'' to a special group, assign group ownership of the terminal line to this special group, and assign permissions of 0620 to the terminal line. The TTYGROUP definition has been provided for just this situation. If this item is not defined, then the group ownership of the terminal is initialized to the user's group number. See TTYPERM for related information.
- TTYPERM (number)
- The login terminal permissions are initialized to this value. Typical values will be 0622 to permit others write access to the line or 0600 to secure the line from other users. If not specified, the terminal permissions will be initialized to 0622. See TTYGROUP for related information.
- TTYTYPE_FILE (string)
- This parameter specifies the full pathname to a file which maps terminal lines to terminal types. Each line of the file contains a terminal type and a terminal line, separated by whitespace, for example:

      vt100   tty01
      wyse60  tty02
      . . .   . . .

This information is only used to initialize the TERM environment parameter when it does not already exist. A line starting with a ``#'' pound sign will be treated as a comment. If this parameter is not specified, the file does not exist, or the terminal line is not found in the file, then the TERM environment parameter will not be set.
- UID_MAX (number)
- Max user ID value for automatic uid selection in useradd.
- UID_MIN (number)
- Min user ID value for automatic uid selection in useradd.
- UMASK (number)
- The permission mask is initialized to this value. It is used by useradd and newusers for creating new home directories. If not specified, the permission mask will be initialized to 0077.
- USERADD_CMD (string)
- If defined, this command is run after adding a user with useradd. This script can, for example, rebuild the NIS maps.
- USERDEL_PRECMD (string)
- If defined, this command is run before removing a user with userdel. It should remove any at/cron/print jobs etc. owned by the user to be removed (passed as the first argument).
- USERDEL_POSTCMD (string)
- If defined, this command is run after removing a user with userdel. It can, for example, rebuild any NIS database etc. to remove the account from it.
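As an added example, not part of the pwdutils package or of this manual page: a Python reader for the line format and value types described above (name and value separated by whitespace, `#' comments, yes/no booleans that default to no, decimal, leading-0 octal and 0x hexadecimal numbers), together with an audit that flags the settings this page documents as risky or weak (LOG_UNKFAIL_ENAB, TTYPERM, UMASK, FAIL_DELAY, PASS_MAX_DAYS). The sample fragment and the finding messages are constructed for this example.

```python
def parse_login_defs(text):
    """Return {NAME: raw value}; blank lines and '#' comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # '#' must be first non-white char
            continue
        parts = stripped.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def get_bool(conf, name):
    """Boolean: only "yes" is true; undefined or any other value counts as "no"."""
    return conf.get(name, "").lower() == "yes"

def get_number(conf, name, default=None):
    """Number: decimal, octal with a leading 0, or hexadecimal with a leading 0x."""
    raw = conf.get(name)
    if raw is None:
        return default
    if raw.lower().startswith("0x"):
        return int(raw[2:], 16)
    if len(raw) > 1 and raw.startswith("0"):
        return int(raw[1:], 8)
    return int(raw, 10)

def audit(conf):
    """Flag settings this manual page itself documents as risky or weak (constructed checks)."""
    findings = []
    if get_bool(conf, "LOG_UNKFAIL_ENAB"):
        findings.append("LOG_UNKFAIL_ENAB=yes: mistyped passwords can land in failure logs")
    ttyperm = get_number(conf, "TTYPERM", 0o622)  # 0622 is the documented default
    if ttyperm & 0o002:
        findings.append("TTYPERM=%04o: terminal line writable by other users" % ttyperm)
    umask = get_number(conf, "UMASK", 0o077)  # 0077 is the documented default
    if umask & 0o077 != 0o077:
        findings.append("UMASK=%04o: new home directories not private" % umask)
    if get_number(conf, "FAIL_DELAY", 0) == 0:
        findings.append("FAIL_DELAY=0: no delay after a failed login attempt")
    if get_number(conf, "PASS_MAX_DAYS") is None:
        findings.append("PASS_MAX_DAYS unset: a large value is assumed, passwords never expire")
    return findings

# Constructed sample fragment, not copied from any real system.
SAMPLE = """\
LOG_UNKFAIL_ENAB   yes
TTYPERM            0622
UMASK              0022
FAIL_DELAY         0x3
   # indented comment: '#' is still the first non-white character
"""
```

Running audit(parse_login_defs(SAMPLE)) yields four findings; a fragment with TTYPERM 0620, UMASK 0077, a non-zero FAIL_DELAY and PASS_MAX_DAYS set yields none.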
The following cross reference shows which programs in the shadow login suite use which parameters.
- DEFAULT_HOME ENV_PATH ENV_ROOTPATH FAIL_DELAY HUSHLOGIN_FILE LASTLOG_ENAB LOG_UNKFAIL_ENAB LOGIN_RETRIES LOGIN_TIMEOUT MOTD_FILE TTYPERM TTYTYPE_FILE
- PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK
- OBSCURE_CHECKS_ENAB PASS_MAX_LEN PASS_MIN_LEN PASS_ALWAYS_WARN CRACKLIB_DICTPATH PASS_CHANGE_TRIES
- PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
Some of the supported configuration parameters are not documented in this manual page.
Julianne Frances Haugh (jockgrrl@ix.netcom.com)
Thorsten Kukuk (kukuk@thkukuk.de)