.TH "LOGIN\&.DEFS" "5" "16-02-2011" "File formats and conversions" "File formats and conversions"
login.defs \- shadow password suite configuration
file defines the site\-specific configuration for the shadow password suite\&. This file is required\&. Absence of this file will not prevent system operation, but will probably result in undesirable operation\&.
This file is a readable text file, each line of the file describing one configuration parameter\&. The lines consist of a configuration name and value, separated by whitespace\&. Blank lines and comment lines are ignored\&. Comments are introduced with a "#" pound sign and the pound sign must be the first non\-white character of the line\&.
Parameter values may be of four types: strings, booleans, numbers, and long numbers\&. A string consists of any printable characters\&. A boolean should be either the value
\fIno\fR\&. An undefined boolean parameter or one with a value other than these will be given a
value\&. Numbers (both regular and long) may be either decimal values, octal values (precede the value with
\fI0\fR) or hexadecimal values (precede the value with
\fI0x\fR)\&. The maximum value of the regular and long numeric parameters is machine\-dependent\&.
The following configuration items are provided:
\fBCHFN_AUTH\fR (boolean)
program will require authentication before making any changes, unless run by the superuser\&.
\fBCHFN_RESTRICT\fR (string)
This parameter specifies which values in the
file may be changed by regular users using the
program\&. It can be any combination of letters
\fIh\fR, for Full name, Room number, Work phone, and Home phone, respectively\&. For backward compatibility,
\fIfrwh\fR\&. If not specified, only the superuser can make any changes\&. The most restrictive setting is better achieved by not installing
\fBCHSH_AUTH\fR (boolean)
program will require authentication before making any changes, unless run by the superuser\&.
\fBCONSOLE\fR (string)
If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&.
If not defined, root will be allowed on any device\&.
The device should be specified without the /dev/ prefix\&.
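The CONSOLE rule above, worked through as an added example (this is not code from the shadow suite): both value forms are handled, the full pathname of a device list and the ":" delimited list, and the tty is compared without its /dev/ prefix. The read_file parameter and the /etc/consoles content are constructed stand-ins so the file form runs offline.

```python
# Added example (not shadow's code): evaluate the CONSOLE rule for one terminal.
# read_file is an injectable reader so the file form can be exercised on
# constructed content without reading anything from the real system.

def console_devices(console_value, read_file=None):
    """Devices named by CONSOLE, or None when it is unset (root allowed anywhere)."""
    if not console_value:
        return None
    if console_value.startswith("/"):          # full pathname: one device per line
        reader = read_file or (lambda path: open(path, encoding="utf-8").read())
        names = reader(console_value).splitlines()
    else:                                      # ":" delimited list of device names
        names = console_value.split(":")
    return {n.strip() for n in names if n.strip()}

def root_login_allowed(console_value, tty, read_file=None):
    """tty may be given as 'tty1' or '/dev/tty1'; CONSOLE entries carry no /dev/."""
    devices = console_devices(console_value, read_file)
    if devices is None:
        return True
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in devices

# Constructed stand-in for a device list file, as used with CONSOLE=/etc/consoles
CONSTRUCTED_FILES = {"/etc/consoles": "tty1\ntty2\n"}
```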
\fBCONSOLE_GROUPS\fR (string)
List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&.
Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&.
\fBCREATE_HOME\fR (boolean)
Indicate if a home directory should be created by default for new users\&.
This setting does not apply to system users, and can be overridden on the command line\&.
\fBDEFAULT_HOME\fR (boolean)
Indicate if login is allowed if we can\*(Aqt cd to the home directory\&. Default is no\&.
\fIyes\fR, the user will be logged in to the root (/) directory if it is not possible to cd to her home directory\&.
\fBENCRYPT_METHOD\fR (string)
This defines the system default encryption algorithm for encrypting passwords (if no algorithm is specified on the command line)\&.
It can take one of these values:
Note: this parameter overrides the
\fBENV_HZ\fR (string)
If set, it will be used to define the HZ environment variable when a user logs in\&. The value must be preceded by
\fIHZ=\fR\&. A common value on Linux is
\fBENV_PATH\fR (string)
If set, it will be used to define the PATH environment variable when a regular user logs in\&. The value can be preceded by
\fIPATH=\fR, or a colon separated list of paths (for example
\fI/bin:/usr/bin\fR)\&. The default value is
\fIPATH=/bin:/usr/bin\fR\&.
\fBENV_SUPATH\fR (string)
If set, it will be used to define the PATH environment variable when the superuser logs in\&. The value can be preceded by
\fIPATH=\fR, or a colon separated list of paths (for example
\fI/sbin:/bin:/usr/sbin:/usr/bin\fR)\&. The default value is
\fIPATH=/bin:/usr/bin\fR\&.
\fBENV_TZ\fR (string)
If set, it will be used to define the TZ environment variable when a user logs in\&. The value can be the name of a timezone preceded by
\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example
If a full path is specified but the file does not exist or cannot be read, the default is to use
\fBENVIRON_FILE\fR (string)
If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&.
Lines starting with a # are treated as comment lines and ignored\&.
\fBERASECHAR\fR (number)
Terminal ERASE character (\fI010\fR
The value can be prefixed "0" for an octal value, or "0x" for a hexadecimal value\&.
\fBFAIL_DELAY\fR (number)
Delay in seconds before being allowed another attempt after a login failure\&.
\fBFAILLOG_ENAB\fR (boolean)
Enable logging and display of
login failure info\&.
\fBFAKE_SHELL\fR (string)
will execute this shell instead of the user\*(Aqs shell specified in
\fBFTMP_FILE\fR (string)
If defined, login failures will be logged in this file in a utmp format\&.
\fBGID_MAX\fR (number), \fBGID_MIN\fR (number)
Range of group IDs used for the creation of regular groups by
\fBHUSHLOGIN_FILE\fR (string)
If defined, this file can inhibit all the usual chatter during the login sequence\&. If a full pathname is specified, then hushed mode will be enabled if the user\*(Aqs name or shell are found in the file\&. If not a full pathname, then hushed mode will be enabled if the file exists in the user\*(Aqs home directory\&.
\fBISSUE_FILE\fR (string)
If defined, this file will be displayed before each login prompt\&.
\fBKILLCHAR\fR (number)
Terminal KILL character (\fI025\fR
The value can be prefixed "0" for an octal value, or "0x" for a hexadecimal value\&.
\fBLASTLOG_ENAB\fR (boolean)
Enable logging and display of /var/log/lastlog login time info\&.
\fBLOG_OK_LOGINS\fR (boolean)
Enable logging of successful logins\&.
\fBLOG_UNKFAIL_ENAB\fR (boolean)
Enable display of unknown usernames when login failures are recorded\&.
Note: logging unknown usernames may be a security issue if a user enters her password instead of her login name\&.
\fBLOGIN_RETRIES\fR (number)
Maximum number of login retries in case of bad password\&.
\fBLOGIN_STRING\fR (string)
The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&.
If the string contains
\fI%s\fR, this will be replaced by the user\*(Aqs name\&.
\fBLOGIN_TIMEOUT\fR (number)
Max time in seconds for login\&.
\fBMAIL_CHECK_ENAB\fR (boolean)
Enable checking and display of mailbox status upon login\&.
You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&.
\fBMAIL_DIR\fR (string)
The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&.
\fBMAIL_FILE\fR (string)
Defines the location of the users\*(Aq mail spool files relative to their home directory\&.
variables are used by
to create, move, or delete the user\*(Aqs mail spool\&.
\fBMAIL_CHECK_ENAB\fR
\fIyes\fR, they are also used to define the
environment variable\&.
\fBMAX_MEMBERS_PER_GROUP\fR (number)
Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in
(with the same name, same password, and same GID)\&.
The default value is 0, meaning that there is no limit on the number of members in a group\&.
This feature (split group) makes it possible to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&.
If you need to enforce such a limit, you can use 25\&.
Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&.
\fBMD5_CRYPT_ENAB\fR (boolean)
Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to
\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to
if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is
This variable is superseded by the
variable or by any command line option used to configure the encryption algorithm\&.
This variable is deprecated\&. You should use
\fBENCRYPT_METHOD\fR\&.
\fBMOTD_FILE\fR (string)
If defined, ":" delimited list of "message of the day" files to be displayed upon login\&.
\fBNOLOGINS_FILE\fR (string)
If defined, name of file whose presence will inhibit non\-root logins\&. The contents of this file should be a message indicating why logins are inhibited\&.
\fBOBSCURE_CHECKS_ENAB\fR (boolean)
Enable additional checks upon password changes\&.
\fBPASS_ALWAYS_WARN\fR (boolean)
Warn about weak passwords (but still allow them) if you are root\&.
\fBPASS_CHANGE_TRIES\fR (number)
Maximum number of attempts to change password if rejected (too easy)\&.
\fBPASS_MAX_DAYS\fR (number)
The maximum number of days a password may be used\&. If the password is older than this, a password change will be forced\&. If not specified, \-1 will be assumed (which disables the restriction)\&.
\fBPASS_MIN_DAYS\fR (number)
The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, \-1 will be assumed (which disables the restriction)\&.
\fBPASS_WARN_AGE\fR (number)
The number of days warning given before a password expires\&. A zero means warning is given only upon the day of expiration, a negative value means no warning is given\&. If not specified, no warning will be provided\&.
are only used at the time of account creation\&. Any changes to these settings won\*(Aqt affect existing accounts\&.
\fBPASS_MAX_LEN\fR (number), \fBPASS_MIN_LEN\fR (number)
Number of significant characters in the password for crypt()\&.
is 8 by default\&. Don\*(Aqt change unless your crypt() is better\&. This is ignored if
\fBPORTTIME_CHECKS_ENAB\fR (boolean)
Enable checking of time restrictions specified in /etc/porttime\&.
\fBQUOTAS_ENAB\fR (boolean)
Enable setting of ulimit, umask, and niceness from passwd gecos field\&.
\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number)
\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&.
With a lot of rounds, it is more difficult to brute force the password\&. But note also that more CPU resources will be needed to authenticate users\&.
If not specified, the libc will choose the default number of rounds (5000)\&.
The values must be inside the 1000\-999999999 range\&.
\fBSHA_CRYPT_MIN_ROUNDS\fR
\fBSHA_CRYPT_MAX_ROUNDS\fR
values is set, then this value will be used\&.
\fBSHA_CRYPT_MIN_ROUNDS\fR
\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&.
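An added example (not code from the shadow suite) that ties together the file format described at the top of this page and the SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS rules just stated: it parses a constructed login.defs, reads numbers in decimal, octal and hexadecimal form, resolves the effective rounds range, and reports a few findings drawn from cautions on this page. The treatment of an unset or malformed boolean as "no" is an assumption, as the page leaves that default unstated.

```python
# Added example (not shadow's code): parse login.defs as described above, apply the
# SHA_CRYPT_{MIN,MAX}_ROUNDS rules, and raise a few findings tied to this page.

def parse_number(value):
    """Decimal, octal with a leading 0, or hexadecimal with a leading 0x."""
    v = value.strip().lower()
    if v.startswith("0x"):
        return int(v[2:], 16)
    return int(v, 8) if len(v) > 1 and v.startswith("0") else int(v, 10)

def parse_login_defs(text):
    """'NAME value' per line, whitespace separated; blanks and '#' lines ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params  # a later entry overrides an earlier one

def get_bool(params, name):
    """yes/no; unset or any other value counts as 'no' (assumed default)."""
    return params.get(name, "").strip().lower() == "yes"

def sha_rounds_range(params, libc_default=5000):
    """Neither set: libc default; one set: used for both; MIN > MAX: highest wins."""
    lo_s = params.get("SHA_CRYPT_MIN_ROUNDS")
    hi_s = params.get("SHA_CRYPT_MAX_ROUNDS")
    if lo_s is None and hi_s is None:
        return (libc_default, libc_default)
    lo = parse_number(lo_s if lo_s is not None else hi_s)
    hi = parse_number(hi_s if hi_s is not None else lo_s)
    return (lo, max(lo, hi))

def audit(params):
    """Findings a reviewer would raise, each tied to a caution on this page."""
    findings = []
    lo, hi = sha_rounds_range(params)
    if lo < 1000 or hi > 999999999:
        findings.append("SHA rounds outside the 1000-999999999 range")
    if "MD5_CRYPT_ENAB" in params:
        findings.append("MD5_CRYPT_ENAB is deprecated; use ENCRYPT_METHOD")
    if get_bool(params, "LOG_UNKFAIL_ENAB"):
        findings.append("LOG_UNKFAIL_ENAB=yes may record a password typed as a username")
    return findings

SAMPLE = """\
# constructed sample, not a real system file
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 65536
SHA_CRYPT_MAX_ROUNDS\t0x8000
   # an indented comment is still a comment
UMASK 077
LOG_UNKFAIL_ENAB yes
MD5_CRYPT_ENAB no
"""
```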
\fBSULOG_FILE\fR (string)
If defined, all su activity is logged to this file\&.
\fBSU_NAME\fR (string)
If defined, the command name to display when running "su \-"\&. For example, if this is defined as "su" then a "ps" will display the command as "\-su"\&. If not defined, then "ps" would display the name of the shell actually being run, e\&.g\&. something like "\-sh"\&.
\fBSU_WHEEL_ONLY\fR (boolean)
\fIyes\fR, the user must be listed as a member of the first gid 0 group in
on most Linux systems) to be able to
to uid 0 accounts\&. If the group doesn\*(Aqt exist or is empty, no one will be able to
\fBSYS_GID_MAX\fR (number), \fBSYS_GID_MIN\fR (number)
Range of group IDs used for the creation of system groups by
\fBSYS_UID_MAX\fR (number), \fBSYS_UID_MIN\fR (number)
Range of user IDs used for the creation of system users by
\fBSYSLOG_SG_ENAB\fR (boolean)
Enable "syslog" logging of
\fBSYSLOG_SU_ENAB\fR (boolean)
Enable "syslog" logging of
activity \- in addition to sulog file logging\&.
\fBTTYGROUP\fR (string), \fBTTYPERM\fR (string)
The terminal permissions: the login tty will be owned by the
group, and the permissions will be set to
By default, the ownership of the terminal is set to the user\*(Aqs primary group and the permissions are set to
can be either the name of a group or a numeric group identifier\&.
program which is "setgid" to a special group which owns the terminals, define TTYGROUP to the group number and TTYPERM to 0620\&. Otherwise leave TTYGROUP commented out and assign TTYPERM to either 622 or 600\&.
\fBTTYTYPE_FILE\fR (string)
If defined, file which maps tty line to TERM environment parameter\&. Each line of the file is in a format something like "vt100 tty01"\&.
\fBUID_MAX\fR (number), \fBUID_MIN\fR (number)
Range of user IDs used for the creation of regular users by
\fBULIMIT\fR (number)
The file mode creation mask is initialized to this value\&. If not specified, the mask will be initialized to 022\&.
use this mask to set the mode of the home directory they create
to define users\*(Aq initial umask\&. Note that this mask can be overridden by the user\*(Aqs GECOS line (if
is set) or by the specification of a limit with the
\fBUSERDEL_CMD\fR (string)
If defined, this command is run when removing a user\&. It should remove any at/cron/print jobs etc\&. owned by the user to be removed (passed as the first argument)\&.
The return code of the script is not taken into account\&.
Here is an example script, which removes the user\*(Aqs cron, at and print jobs:
.sp
.nf
#! /bin/sh
# Check for the required argument\&.
if [ $# != 1 ]; then
	echo "Usage: $0 username"
	exit 1
fi
# Remove cron jobs\&.
crontab \-r \-u "$1"
# Remove at jobs\&.
# Note that it will remove any jobs owned by the same UID,
# even if it was shared by a different username\&.
AT_SPOOL_DIR=/var/spool/cron/atjobs
find "$AT_SPOOL_DIR" \-name "[^\&.]*" \-type f \-user "$1" \-delete
# Remove print jobs\&.
lprm "$1"
.fi
\fBUSERGROUPS_ENAB\fR (boolean)
Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&.
will remove the user\*(Aqs group if it contains no more members, and
will create by default a group with the name of the user\&.
.SH "CROSS REFERENCES"
The following cross references show which programs in the shadow password suite use which parameters\&.
ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
ENCRYPT_METHOD MD5_CRYPT_ENAB
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
CHSH_AUTH LOGIN_STRING
ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN
MAX_MEMBERS_PER_GROUP
MAX_MEMBERS_PER_GROUP
MAX_MEMBERS_PER_GROUP
MAX_MEMBERS_PER_GROUP
MAX_MEMBERS_PER_GROUP
MAX_MEMBERS_PER_GROUP
CONSOLE_GROUPS DEFAULT_HOME
ENV_HZ ENV_PATH ENV_SUPATH ENV_TZ ENVIRON_FILE
LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB
TTYGROUP TTYPERM TTYTYPE_FILE
ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
CONSOLE_GROUPS DEFAULT_HOME
ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE QUOTAS_ENAB
CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD USERGROUPS_ENAB
MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP