1 #
2 # /etc/login.defs - Configuration control definitions for the shadow package.
3 #
4 # $Id$
5 #
6
7 #
8 # Delay in seconds before being allowed another attempt after a login failure
9 # Note: When PAM is used, some modules may enforce a minimum delay (e.g.
10 # pam_unix(8) enforces a 2s delay)
11 #
12 FAIL_DELAY 3
13
14 #
15 # Enable logging and display of /var/log/faillog login(1) failure info.
16 #
17 FAILLOG_ENAB yes
18
19 #
22 # Enable display of unknown usernames when login(1) failures are recorded.
# Kept off: a name that does not match any account is often a password typed
# into the login prompt by mistake, and logging it would expose that password.
23 #
22 LOG_UNKFAIL_ENAB no
23
24 #
25 # Enable logging of successful logins.
# With "no", a successful login leaves a trace only in lastlog (LASTLOG_ENAB
# below), which keeps only the most recent login time per user.
26 #
27 LOG_OK_LOGINS no
28
29 #
30 # Enable logging and display of /var/log/lastlog login(1) time info.
31 #
32 LASTLOG_ENAB yes
33
34 #
35 # Enable checking and display of mailbox status upon login.
36 #
37 # Disable if the shell startup files already check for mail
38 # ("mailx -e" or equivalent).
39 #
40 MAIL_CHECK_ENAB yes
41
42 #
43 # Enable additional checks upon password changes.
44 #
45 OBSCURE_CHECKS_ENAB yes
46
47 #
48 # Enable checking of time restrictions specified in /etc/porttime.
49 #
50 PORTTIME_CHECKS_ENAB yes
51
52 #
53 # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
54 #
55 QUOTAS_ENAB yes
56
57 #
58 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging
# (SULOG_FILE is left undefined below, so syslog is the only su(1) record here).
59 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
60 #
61 SYSLOG_SU_ENAB yes
62 SYSLOG_SG_ENAB yes
63
64 #
65 # If defined, either full pathname of a file containing device names or
66 # a ":" delimited list of device names. Root logins will be allowed only
67 # from these devices.
68 #
69 CONSOLE /etc/securetty
70
71 #
72 # If defined, all su(1) activity is logged to this file.
73 #
74 #SULOG_FILE /var/log/sulog
75
76 #
77 # If defined, ":" delimited list of "message of the day" files to
78 # be displayed upon login.
79 #
80 MOTD_FILE /etc/motd
81
82 #
83 # If defined, login(1) failures will be logged here in a utmp format.
84 # last(1), when invoked as lastb(1), reads /var/log/btmp, so keep this path if lastb(1) output is relied on.
85 #
86 FTMP_FILE /var/log/btmp
87
88 #
89 # If defined, name of file whose presence will inhibit non-root
90 # logins. The content of this file should be a message indicating
91 # why logins are inhibited.
92 #
93 NOLOGINS_FILE /etc/nologin
94
95 #
96 # If defined, the command name to display when running "su -". For
97 # example, if this is defined as "su" then ps(1) will display the
98 # command as "-su". If not defined, then ps(1) will display the
99 # name of the shell actually being run, e.g. something like "-sh".
100 #
101 SU_NAME su
102
103 #
104 # *REQUIRED*
105 # Directory where mailboxes reside, _or_ name of file, relative to the
106 # home directory. If you _do_ define both, MAIL_DIR takes precedence.
107 #
108 MAIL_DIR /var/mail
109
110 #
111 # *REQUIRED* The default PATH settings, for superuser and normal users.
112 #
113 # (they are minimal, add the rest in the shell startup files)
114 ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
115 ENV_PATH PATH=/bin:/usr/bin
116
117 #
118 # Terminal permissions
119 #
120 # TTYGROUP Login tty will be assigned this group ownership.
121 # TTYPERM Login tty will be set to this permission.
122 #
123 # If you have a write(1) program which is "setgid" to a special group
124 # which owns the terminals, define TTYGROUP as the number of such group
125 # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
126 # set TTYPERM to either 622 or 600 (600 denies other users write access to
# the login tty, 622 allows it).
127 #
128 TTYGROUP tty
129 TTYPERM 0600
130
131 #
132 # Login configuration initializations:
133 #
134 # ERASECHAR Terminal ERASE character ('\010' = backspace).
135 # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
136 # ULIMIT Default "ulimit" value.
137 #
138 # The ERASECHAR and KILLCHAR are used only on System V machines.
139 # The ULIMIT is used only if the system supports it.
140 # (now it works with setrlimit too; ulimit is in 512-byte units)
141 #
142 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
143 #
144 ERASECHAR 0177
145 KILLCHAR 025
146 #ULIMIT 2097152
147
148 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
149 # Default "umask" value for pam_umask(8) on PAM enabled systems.
150 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
151 # home directories.
152 # 022 is the default value, but 027, or even 077, could be considered
153 # for increased privacy: with 022 a new home directory is created 0755
# (world-readable), with 027 it is 0750 (group-readable) and with 077 it is
# 0700 (owner only). There is no One True Answer here: each sysadmin
154 # must make up his/her mind.
155 UMASK 022
156
157 #
158 # Password aging controls:
159 #
160 # PASS_MAX_DAYS Maximum number of days a password may be used.
161 # PASS_MIN_DAYS Minimum number of days allowed between password changes.
162 # PASS_MIN_LEN Minimum acceptable password length.
163 # PASS_WARN_AGE Number of days warning given before a password expires.
#
# Note: a PASS_MAX_DAYS of 99999 effectively never expires a password. On a
# PAM-enabled system the length check may come from the PAM modules rather
# than from PASS_MIN_LEN; check the PAM configuration before relying on it.
164 #
165 PASS_MAX_DAYS 99999
166 PASS_MIN_DAYS 0
167 PASS_MIN_LEN 5
168 PASS_WARN_AGE 7
169
170 #
171 # If "yes", the user must be listed as a member of the first gid 0 group
172 # in /etc/group (called "root" on most Linux systems) to be able to "su"
173 # to uid 0 accounts. If the group doesn't exist or is empty, no one
174 # will be able to "su" to uid 0.
175 #
176 SU_WHEEL_ONLY no
177
178 #
179 # If compiled with cracklib support, sets the path to the dictionaries
180 #
181 CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
182
183 #
184 # Min/max values for automatic uid selection in useradd(8)
185 #
186 UID_MIN 1000
187 UID_MAX 60000
188 # System accounts
189 SYS_UID_MIN 101
190 SYS_UID_MAX 999
191 # Extra per user uids
192 SUB_UID_MIN 100000
193 SUB_UID_MAX 600100000
194 SUB_UID_COUNT 65536
195
196 #
197 # Min/max values for automatic gid selection in groupadd(8)
198 #
199 GID_MIN 1000
200 GID_MAX 60000
201 # System accounts
202 SYS_GID_MIN 101
203 SYS_GID_MAX 999
204 # Extra per user group ids
205 SUB_GID_MIN 100000
206 SUB_GID_MAX 600100000
207 SUB_GID_COUNT 65536
208
209 #
210 # Max number of login(1) retries if password is bad
211 #
212 LOGIN_RETRIES 5
213
214 #
215 # Max time in seconds for login(1)
216 #
217 LOGIN_TIMEOUT 60
218
219 #
220 # Maximum number of attempts to change a password after it has been rejected (e.g. as too easy)
221 #
222 PASS_CHANGE_TRIES 5
223
224 #
225 # Warn about weak passwords (but still allow them) if you are root.
226 #
227 PASS_ALWAYS_WARN yes
228
229 #
230 # Require password before chfn(1)/chsh(1) can make any changes.
231 #
232 CHFN_AUTH yes
233
234 #
235 # Which fields may be changed by regular users using chfn(1) - use
236 # any combination of letters "frwh" (full name, room number, work
237 # phone, home phone). If not defined, no changes are allowed.
238 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
239 #
240 CHFN_RESTRICT rwh
241
242 #
243 # Password prompt (%s will be replaced by user name).
244 #
245 # XXX - it doesn't work correctly yet, for now leave it commented out
246 # to use the default which is just "Password: ".
247 #LOGIN_STRING "%s's Password: "
248
249 #
250 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
251 # If set to MD5, the MD5-based crypt(3) algorithm will be used for hashing passwords
252 # If set to SHA256, the SHA256-based algorithm will be used for hashing passwords
253 # If set to SHA512, the SHA512-based algorithm will be used for hashing passwords
254 # If set to DES, the DES-based algorithm will be used for hashing passwords (default)
255 # Overrides the MD5_CRYPT_ENAB option
256 #
257 # Note: If you use PAM, it is recommended to use a value consistent with
258 # the PAM modules configuration.
259 #
260 ENCRYPT_METHOD SHA512
261
262 #
263 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
264 #
265 # Define the number of SHA rounds.
266 # With more rounds, an offline brute-force attack on a stolen hash takes
267 # correspondingly longer. However, more CPU resources will be needed to
268 # authenticate users if this value is increased.
269 #
270 # If not specified, the libc will choose the default number of rounds (5000).
271 # The values must be within the 1000-999999999 range.
272 # If only one of the MIN or MAX values is set, then this value will be used.
273 # If MIN > MAX, the highest value will be used.
274 #
275 # SHA_CRYPT_MIN_ROUNDS 5000
276 # SHA_CRYPT_MAX_ROUNDS 5000
277
278 #
279 # Should login be allowed if we can't cd to the home directory?
280 # Default is no. If set to yes, the user is logged in with / as the
# working directory instead.
281 #
282 DEFAULT_HOME yes
283
284 #
285 # If this file exists and is readable, login environment will be
286 # read from it. Every line should be in the form name=value.
287 #
288 ENVIRON_FILE /etc/environment
289
290 #
291 # Enable setting of the umask group bits to be the same as owner bits
292 # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
293 # the same as gid, and username is the same as the primary group name.
294 #
295 # This also enables userdel(8) to remove user groups if no members exist.
296 #
297 USERGROUPS_ENAB yes
298
299 #
300 # If set to a non-zero number, the shadow utilities will make sure that
301 # groups never have more than this number of users on one line.
302 # This permits support for split groups (groups split into multiple lines,
303 # with the same group ID, to avoid limitation of the line length in the
304 # group file).
305 #
306 # 0 is the default value and disables this feature.
307 #
308 #MAX_MEMBERS_PER_GROUP 0
309
310 #
311 # If useradd(8) should create home directories for users by default (non
312 # system users only).
313 # This option is overridden with the -M or -m flags on the useradd(8)
314 # command-line.
315 #
316 #CREATE_HOME yes