Commit | Line | Data |
---|---|---|
da314725 MT |
1 | # |
2 | # /etc/login.defs - Configuration control definitions for the shadow package. | |
3 | # | |
4 | # $Id$ | |
5 | # | |
6 | ||
7 | # | |
8 | # Delay in seconds before being allowed another attempt after a login failure | |
9 | # Note: When PAM is used, some modules may enforce a minimum delay (e.g. | |
10 | # pam_unix(8) enforces a 2s delay) | |
11 | # | |
12 | FAIL_DELAY 3 | |
13 | ||
14 | # | |
15 | # Enable logging and display of /var/log/faillog login(1) failure info. | |
16 | # | |
17 | FAILLOG_ENAB yes | |
18 | ||
19 | # | |
20 | # Enable display of unknown usernames when login(1) failures are recorded. If enabled, a password typed by mistake at the username prompt ends up in the log. | |
21 | # | |
22 | LOG_UNKFAIL_ENAB no | |
23 | ||
24 | # | |
25 | # Enable logging of successful logins | |
26 | # | |
27 | LOG_OK_LOGINS no | |
28 | ||
29 | # | |
30 | # Enable logging and display of /var/log/lastlog login(1) time info. | |
31 | # | |
32 | LASTLOG_ENAB yes | |
33 | ||
34 | # | |
35 | # Enable checking and display of mailbox status upon login. | |
36 | # | |
37 | # Disable if the shell startup files already check for mail | |
38 | # ("mailx -e" or equivalent). | |
39 | # | |
40 | MAIL_CHECK_ENAB yes | |
41 | ||
42 | # | |
43 | # Enable additional checks upon password changes. | |
44 | # | |
45 | OBSCURE_CHECKS_ENAB yes | |
46 | ||
47 | # | |
48 | # Enable checking of time restrictions specified in /etc/porttime. | |
49 | # | |
50 | PORTTIME_CHECKS_ENAB yes | |
51 | ||
52 | # | |
53 | # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. | |
54 | # | |
55 | QUOTAS_ENAB yes | |
56 | ||
57 | # | |
58 | # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. | |
59 | # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). | |
60 | # | |
61 | SYSLOG_SU_ENAB yes | |
62 | SYSLOG_SG_ENAB yes | |
63 | ||
64 | # | |
65 | # If defined, either full pathname of a file containing device names or | |
66 | # a ":" delimited list of device names. Root logins will be allowed only | |
67 | # from these devices. | |
68 | # | |
69 | CONSOLE /etc/securetty | |
70 | ||
71 | # | |
72 | # If defined, all su(1) activity is logged to this file. | |
73 | # | |
74 | #SULOG_FILE /var/log/sulog | |
75 | ||
76 | # | |
77 | # If defined, ":" delimited list of "message of the day" files to | |
78 | # be displayed upon login. | |
79 | # | |
80 | MOTD_FILE /etc/motd | |
81 | ||
82 | # | |
83 | # If defined, login(1) failures will be logged here in a utmp format. | |
84 | # last(1), when invoked as lastb(1), will read /var/log/btmp, so that path is used here. | |
85 | # | |
86 | FTMP_FILE /var/log/btmp | |
87 | ||
88 | # | |
89 | # If defined, name of file whose presence will inhibit non-root | |
90 | # logins. The content of this file should be a message indicating | |
91 | # why logins are inhibited. | |
92 | # | |
93 | NOLOGINS_FILE /etc/nologin | |
94 | ||
95 | # | |
96 | # If defined, the command name to display when running "su -". For | |
97 | # example, if this is defined as "su" then ps(1) will display the | |
98 | # command as "-su". If not defined, then ps(1) will display the | |
99 | # name of the shell actually being run, e.g. something like "-sh". | |
100 | # | |
101 | SU_NAME su | |
102 | ||
103 | # | |
104 | # *REQUIRED* | |
105 | # Directory where mailboxes reside (MAIL_DIR), _or_ name of file, relative to the | |
106 | # home directory (MAIL_FILE). If you _do_ define both, MAIL_DIR takes precedence. | |
107 | # | |
108 | MAIL_DIR /var/mail | |
109 | ||
110 | # | |
111 | # *REQUIRED* The default PATH settings, for superuser and normal users. | |
112 | # | |
113 | # (they are minimal, add the rest in the shell startup files) | |
114 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | |
115 | ENV_PATH PATH=/bin:/usr/bin | |
116 | ||
117 | # | |
118 | # Terminal permissions | |
119 | # | |
120 | # TTYGROUP Login tty will be assigned this group ownership. | |
121 | # TTYPERM Login tty will be set to this permission. | |
122 | # | |
123 | # If you have a write(1) program which is "setgid" to a special group | |
124 | # which owns the terminals, define TTYGROUP as the number of such group | |
125 | # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and | |
126 | # set TTYPERM to either 622 or 600. | |
127 | # | |
128 | TTYGROUP tty | |
129 | TTYPERM 0600 | |
130 | ||
131 | # | |
132 | # Login configuration initializations: | |
133 | # | |
134 | # ERASECHAR Terminal ERASE character ('\010' = backspace). | |
135 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). | |
136 | # ULIMIT Default "ulimit" value. | |
137 | # | |
138 | # The ERASECHAR and KILLCHAR are used only on System V machines. | |
139 | # The ULIMIT is used only if the system supports it. | |
140 | # (now it works with setrlimit too; ulimit is in 512-byte units) | |
141 | # | |
142 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. | |
143 | # | |
144 | ERASECHAR 0177 | |
145 | KILLCHAR 025 | |
146 | #ULIMIT 2097152 | |
147 | ||
148 | # Default initial "umask" value used by login(1) on non-PAM enabled systems. | |
149 | # Default "umask" value for pam_umask(8) on PAM enabled systems. | |
150 | # UMASK is also used by useradd(8) and newusers(8) to set the mode for new | |
151 | # home directories. | |
152 | # 022 is the default value, but 027, or even 077, could be considered | |
153 | # for increased privacy. There is no One True Answer here: each sysadmin | |
154 | # must make up his/her mind. | |
155 | UMASK 022 | |
156 | ||
157 | # | |
158 | # Password aging controls: | |
159 | # | |
160 | # PASS_MAX_DAYS Maximum number of days a password may be used. | |
161 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. | |
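162 | # PASS_MIN_LEN Minimum acceptable password length (where PAM handles password changes, the PAM password module's length setting normally applies instead). | |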
163 | # PASS_WARN_AGE Number of days warning given before a password expires. | |
164 | # | |
165 | PASS_MAX_DAYS 99999 | |
166 | PASS_MIN_DAYS 0 | |
167 | PASS_MIN_LEN 5 | |
168 | PASS_WARN_AGE 7 | |
169 | ||
170 | # | |
171 | # If "yes", the user must be listed as a member of the first gid 0 group | |
172 | # in /etc/group (called "root" on most Linux systems) to be able to "su" | |
173 | # to uid 0 accounts. If the group doesn't exist or is empty, no one | |
174 | # will be able to "su" to uid 0. | |
175 | # | |
176 | SU_WHEEL_ONLY no | |
177 | ||
178 | # | |
179 | # If compiled with cracklib support, sets the path to the dictionaries | |
180 | # | |
181 | CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict | |
182 | ||
183 | # | |
184 | # Min/max values for automatic uid selection in useradd(8) | |
185 | # | |
186 | UID_MIN 1000 | |
187 | UID_MAX 60000 | |
188 | # System accounts | |
189 | SYS_UID_MIN 101 | |
190 | SYS_UID_MAX 999 | |
191 | # Extra per user uids | |
192 | SUB_UID_MIN 100000 | |
193 | SUB_UID_MAX 600100000 | |
194 | SUB_UID_COUNT 65536 | |
195 | ||
196 | # | |
197 | # Min/max values for automatic gid selection in groupadd(8) | |
198 | # | |
199 | GID_MIN 1000 | |
200 | GID_MAX 60000 | |
201 | # System accounts | |
202 | SYS_GID_MIN 101 | |
203 | SYS_GID_MAX 999 | |
204 | # Extra per user group ids | |
205 | SUB_GID_MIN 100000 | |
206 | SUB_GID_MAX 600100000 | |
207 | SUB_GID_COUNT 65536 | |
208 | ||
209 | # | |
210 | # Max number of login(1) retries if password is bad | |
211 | # | |
212 | LOGIN_RETRIES 5 | |
213 | ||
214 | # | |
215 | # Max time in seconds for login(1) | |
216 | # | |
217 | LOGIN_TIMEOUT 60 | |
218 | ||
219 | # | |
220 | # Maximum number of attempts to change password if rejected (too easy) | |
221 | # | |
222 | PASS_CHANGE_TRIES 5 | |
223 | ||
224 | # | |
225 | # Warn about weak passwords (but still allow them) if you are root. | |
226 | # | |
227 | PASS_ALWAYS_WARN yes | |
228 | ||
229 | # | |
230 | # Require password before chfn(1)/chsh(1) can make any changes. | |
231 | # | |
232 | CHFN_AUTH yes | |
233 | ||
234 | # | |
235 | # Which fields may be changed by regular users using chfn(1) - use | |
236 | # any combination of letters "frwh" (full name, room number, work | |
237 | # phone, home phone). If not defined, no changes are allowed. | |
238 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". | |
239 | # | |
240 | CHFN_RESTRICT rwh | |
241 | ||
242 | # | |
243 | # Password prompt (%s will be replaced by user name). | |
244 | # | |
245 | # XXX - it doesn't work correctly yet, for now leave it commented out | |
246 | # to use the default which is just "Password: ". | |
247 | #LOGIN_STRING "%s's Password: " | |
248 | ||
249 | # | |
250 | # Only works if compiled with ENCRYPTMETHOD_SELECT defined: | |
251 | # If set to MD5, MD5-based algorithm will be used for encrypting password | |
252 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password | |
253 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password | |
254 | # If set to DES, DES-based algorithm will be used for encrypting password (default) | |
255 | # Overrides the MD5_CRYPT_ENAB option | |
256 | # | |
257 | # Note: If you use PAM, it is recommended to use a value consistent with | |
258 | # the PAM modules configuration. | |
259 | # | |
260 | ENCRYPT_METHOD SHA512 | |
261 | ||
262 | # | |
263 | # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. | |
264 | # | |
265 | # Define the number of SHA rounds. | |
266 | # With a lot of rounds, it is more difficult to brute-force the password. | |
267 | # However, more CPU resources will be needed to authenticate users if | |
268 | # this value is increased. | |
269 | # | |
270 | # If not specified, the libc will choose the default number of rounds (5000). | |
271 | # The values must be within the 1000-999999999 range. | |
272 | # If only one of the MIN or MAX values is set, then this value will be used. | |
273 | # If MIN > MAX, the highest value will be used. | |
274 | # | |
275 | # SHA_CRYPT_MIN_ROUNDS 5000 | |
276 | # SHA_CRYPT_MAX_ROUNDS 5000 | |
277 | ||
278 | # | |
279 | # Should login be allowed if we can't cd to the home directory? | |
280 | # Default is no. If yes, the session starts in the root (/) directory instead. | |
281 | # | |
282 | DEFAULT_HOME yes | |
283 | ||
284 | # | |
285 | # If this file exists and is readable, login environment will be | |
286 | # read from it. Every line should be in the form name=value. | |
287 | # | |
288 | ENVIRON_FILE /etc/environment | |
289 | ||
290 | # | |
291 | # Enable setting of the umask group bits to be the same as owner bits | |
292 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | |
293 | # the same as gid, and username is the same as the primary group name. | |
294 | # | |
295 | # This also enables userdel(8) to remove user groups if no members exist. | |
296 | # | |
297 | USERGROUPS_ENAB yes | |
298 | ||
299 | # | |
300 | # If set to a non-zero number, the shadow utilities will make sure that | |
301 | # groups never have more than this number of users on one line. | |
302 | # This allows support for split groups (groups split into multiple lines, | |
303 | # with the same group ID, to avoid limitation of the line length in the | |
304 | # group file). | |
305 | # | |
306 | # 0 is the default value and disables this feature. | |
307 | # | |
308 | #MAX_MEMBERS_PER_GROUP 0 | |
309 | ||
310 | # | |
311 | # Whether useradd(8) should create home directories for users by default | |
312 | # (non-system users only). | |
313 | # This option is overridden with the -M or -m flags on the useradd(8) | |
314 | # command-line. | |
315 | # | |
316 | #CREATE_HOME yes |