2 # /etc/login.defs - Configuration control definitions for the shadow package.
8 # Delay in seconds before being allowed another attempt after a login failure
9 # Note: When PAM is used, some modules may enforce a minimum delay (e.g.
10 # pam_unix(8) enforces a 2s delay)
15 # Enable logging and display of /var/log/faillog login(1) failure info.
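20 # Enable display of unknown usernames when login(1) failures are recorded.
# (A password typed at the username prompt by mistake is an "unknown
# username" too, so enabling this can put passwords into the failure log.)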
25 # Enable logging of successful logins
30 # Enable logging and display of /var/log/lastlog login(1) time info.
35 # Enable checking and display of mailbox status upon login.
37 # Disable if the shell startup files already check for mail
38 # ("mailx -e" or equivalent).
43 # Enable additional checks upon password changes.
# NOTE(review): on builds of the shadow suite that use PAM this setting is
# presumably not consulted; password-quality rules then come from the PAM
# password stack (for example pam_pwquality(8)). Confirm which build is in
# use before relying on this line as the only strength check.
45 OBSCURE_CHECKS_ENAB yes
48 # Enable checking of time restrictions specified in /etc/porttime.
# NOTE(review): the restrictions themselves live in /etc/porttime, so that
# file should be writable by root only. On PAM systems time-of-day limits are
# presumably enforced by pam_time(8) instead of this setting - confirm.
50 PORTTIME_CHECKS_ENAB yes
53 # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
58 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
59 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
65 # If defined, either full pathname of a file containing device names or
66 # a ":" delimited list of device names. Root logins will be allowed only
# NOTE(review): the sentence above continues on a line not shown in this
# listing. The value below is the file form: /etc/securetty decides where
# direct root logins are accepted, so it should be writable by root only.
69 CONSOLE /etc/securetty
72 # If defined, all su(1) activity is logged to this file.
74 #SULOG_FILE /var/log/sulog
77 # If defined, ":" delimited list of "message of the day" files to
78 # be displayed upon login.
83 # If defined, login(1) failures will be logged here in a utmp format.
84 # last(1), when invoked as lastb(1), will read /var/log/btmp, so...
# NOTE(review): failure records can contain whatever was typed at the
# username prompt, including a password entered there by mistake. Verify
# that /var/log/btmp is not readable by unprivileged users.
86 FTMP_FILE /var/log/btmp
89 # If defined, name of file whose presence will inhibit non-root
90 # logins. The content of this file should be a message indicating
91 # why logins are inhibited.
# NOTE(review): per the comment above, the mere existence of this file
# blocks every non-root login, so only root should be able to create it.
# On PAM systems the same job is presumably done by pam_nologin(8) - confirm.
93 NOLOGINS_FILE /etc/nologin
96 # If defined, the command name to display when running "su -". For
97 # example, if this is defined as "su" then ps(1) will display the
98 # command as "-su". If not defined, then ps(1) will display the
99 # name of the shell actually being run, e.g. something like "-sh".
105 # Directory where mailboxes reside, _or_ name of file, relative to the
106 # home directory. If you _do_ define both, MAIL_DIR takes precedence.
111 # *REQUIRED* The default PATH settings, for superuser and normal users.
113 # (they are minimal, add the rest in the shell startup files)
# NOTE(review): both values list absolute directories only, with no empty
# or relative entry. Keep it that way, especially for ENV_SUPATH: every
# directory on the superuser PATH should be writable by root only.
114 ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
115 ENV_PATH PATH=/bin:/usr/bin
118 # Terminal permissions
120 # TTYGROUP Login tty will be assigned this group ownership.
121 # TTYPERM Login tty will be set to this permission.
123 # If you have a write(1) program which is "setgid" to a special group
124 # which owns the terminals, define TTYGROUP as the number of such group
125 # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
126 # set TTYPERM to either 622 or 600. (622 lets any local user write to the
# terminal; 600 limits access to the owner.)
132 # Login configuration initializations:
134 # ERASECHAR Terminal ERASE character ('\010' = backspace).
135 # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
136 # ULIMIT Default "ulimit" value.
138 # The ERASECHAR and KILLCHAR are used only on System V machines.
139 # The ULIMIT is used only if the system supports it.
140 # (now it works with setrlimit too; ulimit is in 512-byte units)
142 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
148 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
149 # Default "umask" value for pam_umask(8) on PAM enabled systems.
150 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
152 # 022 is the default value, but 027, or even 077, could be considered
153 # for increased privacy. There is no One True Answer here: each sysadmin
154 # must make up his/her mind.
158 # Password aging controls:
160 # PASS_MAX_DAYS Maximum number of days a password may be used.
161 # PASS_MIN_DAYS Minimum number of days allowed between password changes.
162 # PASS_MIN_LEN Minimum acceptable password length.
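163 # PASS_WARN_AGE Number of days warning given before a password expires.
# Note: the aging values are applied when an account is created; changing
# them here does not alter existing accounts (use chage(1) for those).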
171 # If "yes", the user must be listed as a member of the first gid 0 group
172 # in /etc/group (called "root" on most Linux systems) to be able to "su"
173 # to uid 0 accounts. If the group doesn't exist or is empty, no one
174 # will be able to "su" to uid 0.
179 # If compiled with cracklib support, sets the path to the dictionaries
# NOTE(review): as the comment says, this only has an effect on a build with
# cracklib support. On PAM systems dictionary checks are presumably
# configured in the PAM password stack instead - confirm.
181 CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
184 # Min/max values for automatic uid selection in useradd(8)
191 # Extra per user uids
# Upper bound of the range from which subordinate UIDs (see subuid(5)) are
# allocated for new users.
# NOTE(review): the matching SUB_UID_MIN / SUB_UID_COUNT lines are not shown
# in this listing. The subordinate range should not overlap the UID range
# used for real accounts - confirm against the UID_MIN/UID_MAX values.
193 SUB_UID_MAX 600100000
197 # Min/max values for automatic gid selection in groupadd(8)
204 # Extra per user group ids
# Upper bound of the range from which subordinate GIDs (see subgid(5)) are
# allocated for new users.
# NOTE(review): the matching SUB_GID_MIN / SUB_GID_COUNT lines are not shown
# in this listing. The subordinate range should not overlap the GID range
# used for real groups - confirm against the GID_MIN/GID_MAX values.
206 SUB_GID_MAX 600100000
210 # Max number of login(1) retries if password is bad
215 # Max time in seconds for login(1)
220 # Maximum number of attempts to change password if rejected (too easy)
225 # Warn about weak passwords (but still allow them) if you are root.
230 # Require password before chfn(1)/chsh(1) can make any changes.
235 # Which fields may be changed by regular users using chfn(1) - use
236 # any combination of letters "frwh" (full name, room number, work
237 # phone, home phone). If not defined, no changes are allowed.
238 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
243 # Password prompt (%s will be replaced by user name).
245 # XXX - it doesn't work correctly yet, for now leave it commented out
246 # to use the default which is just "Password: ".
247 #LOGIN_STRING "%s's Password: "
250 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
251 # If set to MD5, MD5-based algorithm will be used for encrypting password
252 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
253 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
254 # If set to DES, DES-based algorithm will be used for encrypting password (default)
255 # Overrides the MD5_CRYPT_ENAB option
# NOTE(review): "encrypting" here means one-way password hashing. DES and
# MD5 are listed for compatibility; neither is suitable for new hashes.
# The method applies to passwords set from now on - hashes already stored
# in /etc/shadow keep their old format until the password is changed.
257 # Note: If you use PAM, it is recommended to use a value consistent with
258 # the PAM modules configuration.
260 ENCRYPT_METHOD SHA512
263 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
265 # Define the number of SHA rounds.
266 # With a lot of rounds, it is more difficult to brute-force the password.
267 # However, more CPU resources will be needed to authenticate users if
268 # this value is increased.
270 # If not specified, the libc will choose the default number of rounds (5000).
271 # The values must be within the 1000-999999999 range.
272 # If only one of the MIN or MAX values is set, then this value will be used.
273 # If MIN > MAX, the highest value will be used.
# NOTE(review): both SHA_CRYPT_*_ROUNDS lines below are commented out, so
# per the comment above the libc default of 5000 rounds is in effect.
# Decide deliberately whether this host can afford a higher work factor.
275 # SHA_CRYPT_MIN_ROUNDS 5000
276 # SHA_CRYPT_MAX_ROUNDS 5000
279 # Should login be allowed if we can't cd to the home directory?
285 # If this file exists and is readable, login environment will be
286 # read from it. Every line should be in the form name=value.
# NOTE(review): whatever this file contains is placed in the environment of
# login sessions, so it should be writable by root only. On PAM systems the
# login environment is presumably set by pam_env(8) instead - confirm.
288 ENVIRON_FILE /etc/environment
291 # Enable setting of the umask group bits to be the same as owner bits
292 # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
293 # the same as gid, and username is the same as the primary group name.
295 # This also enables userdel(8) to remove user groups if no members exist.
300 # If set to a non-zero number, the shadow utilities will make sure that
301 # groups never have more than this number of users on one line.
302 # This makes it possible to support split groups (groups split into multiple lines,
303 # with the same group ID, to avoid limitation of the line length in the
306 # 0 is the default value and disables this feature.
308 #MAX_MEMBERS_PER_GROUP 0
311 # If useradd(8) should create home directories for users by default (non
312 # system users only).
313 # This option is overridden with the -M or -m flags on the useradd(8)