projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| da314725 MT |
1 | # |
| 2 | # /etc/login.defs - Configuration control definitions for the shadow package. | |
| 3 | # | |
| 4 | # $Id$ | |
| 5 | # | |
| 6 | ||
| 7 | # | |
| 8 | # Delay in seconds before being allowed another attempt after a login failure | |
| 9 | # Note: When PAM is used, some modules may enforce a minimum delay (e.g. | |
| 10 | # pam_unix(8) enforces a 2s delay) | |
| 11 | # | |
| 12 | FAIL_DELAY 3 | |
| 13 | ||
| 14 | # | |
| 15 | # Enable logging and display of /var/log/faillog login(1) failure info. | |
| 16 | # | |
| 17 | FAILLOG_ENAB yes | |
| 18 | ||
| 19 | # | |
| 20 | # Enable display of unknown usernames when login(1) failures are recorded. | |
| 21 | # | |
| 22 | LOG_UNKFAIL_ENAB no | |
| 23 | ||
| 24 | # | |
| 25 | # Enable logging of successful logins | |
| 26 | # | |
| 27 | LOG_OK_LOGINS no | |
| 28 | ||
| 29 | # | |
| 30 | # Enable logging and display of /var/log/lastlog login(1) time info. | |
| 31 | # | |
| 32 | LASTLOG_ENAB yes | |
| 33 | ||
| 34 | # | |
| 35 | # Enable checking and display of mailbox status upon login. | |
| 36 | # | |
| 37 | # Disable if the shell startup files already check for mail | |
| 38 | # ("mailx -e" or equivalent). | |
| 39 | # | |
| 40 | MAIL_CHECK_ENAB yes | |
| 41 | ||
| 42 | # | |
| 43 | # Enable additional checks upon password changes. | |
| 44 | # | |
| 45 | OBSCURE_CHECKS_ENAB yes | |
| 46 | ||
| 47 | # | |
| 48 | # Enable checking of time restrictions specified in /etc/porttime. | |
| 49 | # | |
| 50 | PORTTIME_CHECKS_ENAB yes | |
| 51 | ||
| 52 | # | |
| 53 | # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. | |
| 54 | # | |
| 55 | QUOTAS_ENAB yes | |
| 56 | ||
| 57 | # | |
| 58 | # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. | |
| 59 | # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). | |
| 60 | # | |
| 61 | SYSLOG_SU_ENAB yes | |
| 62 | SYSLOG_SG_ENAB yes | |
| 63 | ||
| 64 | # | |
| 65 | # If defined, either full pathname of a file containing device names or | |
| 66 | # a ":" delimited list of device names. Root logins will be allowed only | |
| 67 | # from these devices. | |
| 68 | # | |
| 69 | CONSOLE /etc/securetty | |
| 70 | ||
| 71 | # | |
| 72 | # If defined, all su(1) activity is logged to this file. | |
| 73 | # | |
| 74 | #SULOG_FILE /var/log/sulog | |
| 75 | ||
| 76 | # | |
| 77 | # If defined, ":" delimited list of "message of the day" files to | |
| 78 | # be displayed upon login. | |
| 79 | # | |
| 80 | MOTD_FILE /etc/motd | |
| 81 | ||
| 82 | # | |
| 83 | # If defined, login(1) failures will be logged here in a utmp format. | |
| 84 | # last(1), when invoked as lastb(1), will read /var/log/btmp, so... | |
| 85 | # | |
| 86 | FTMP_FILE /var/log/btmp | |
| 87 | ||
| 88 | # | |
| 89 | # If defined, name of file whose presence will inhibit non-root | |
| 90 | # logins. The content of this file should be a message indicating | |
| 91 | # why logins are inhibited. | |
| 92 | # | |
| 93 | NOLOGINS_FILE /etc/nologin | |
| 94 | ||
| 95 | # | |
| 96 | # If defined, the command name to display when running "su -". For | |
| 97 | # example, if this is defined as "su" then ps(1) will display the | |
| 98 | # command as "-su". If not defined, then ps(1) will display the | |
| 99 | # name of the shell actually being run, e.g. something like "-sh". | |
| 100 | # | |
| 101 | SU_NAME su | |
| 102 | ||
| 103 | # | |
| 104 | # *REQUIRED* | |
| 105 | # Directory where mailboxes reside, _or_ name of file, relative to the | |
| 106 | # home directory. If you _do_ define both, MAIL_DIR takes precedence. | |
| 107 | # | |
| 108 | MAIL_DIR /var/mail | |
| 109 | ||
| 110 | # | |
| 111 | # *REQUIRED* The default PATH settings, for superuser and normal users. | |
| 112 | # | |
| 113 | # (they are minimal, add the rest in the shell startup files) | |
| 114 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | |
| 115 | ENV_PATH PATH=/bin:/usr/bin | |
| 116 | ||
| 117 | # | |
| 118 | # Terminal permissions | |
| 119 | # | |
| 120 | # TTYGROUP Login tty will be assigned this group ownership. | |
| 121 | # TTYPERM Login tty will be set to this permission. | |
| 122 | # | |
| 123 | # If you have a write(1) program which is "setgid" to a special group | |
| 124 | # which owns the terminals, define TTYGROUP as the number of such group | |
| 125 | # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and | |
| 126 | # set TTYPERM to either 622 or 600. | |
| 127 | # | |
| 128 | TTYGROUP tty | |
| 129 | TTYPERM 0600 | |
| 130 | ||
| 131 | # | |
| 132 | # Login configuration initializations: | |
| 133 | # | |
| 134 | # ERASECHAR Terminal ERASE character ('\010' = backspace). | |
| 135 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). | |
| 136 | # ULIMIT Default "ulimit" value. | |
| 137 | # | |
| 138 | # The ERASECHAR and KILLCHAR are used only on System V machines. | |
| 139 | # The ULIMIT is used only if the system supports it. | |
| 140 | # (now it works with setrlimit too; ulimit is in 512-byte units) | |
| 141 | # | |
| 142 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. | |
| 143 | # | |
| 144 | ERASECHAR 0177 | |
| 145 | KILLCHAR 025 | |
| 146 | #ULIMIT 2097152 | |
| 147 | ||
| 148 | # Default initial "umask" value used by login(1) on non-PAM enabled systems. | |
| 149 | # Default "umask" value for pam_umask(8) on PAM enabled systems. | |
| 150 | # UMASK is also used by useradd(8) and newusers(8) to set the mode for new | |
| 151 | # home directories. | |
| 152 | # 022 is the default value, but 027, or even 077, could be considered | |
| 153 | # for increased privacy. There is no One True Answer here: each sysadmin | |
| 154 | # must make up his/her mind. | |
| 155 | UMASK 022 | |
| 156 | ||
| 157 | # | |
| 158 | # Password aging controls: | |
| 159 | # | |
| 160 | # PASS_MAX_DAYS Maximum number of days a password may be used. | |
| 161 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. | |
| 162 | # PASS_MIN_LEN Minimum acceptable password length. | |
| 163 | # PASS_WARN_AGE Number of days warning given before a password expires. | |
| 164 | # | |
| 165 | PASS_MAX_DAYS 99999 | |
| 166 | PASS_MIN_DAYS 0 | |
| 167 | PASS_MIN_LEN 5 | |
| 168 | PASS_WARN_AGE 7 | |
| 169 | ||
| 170 | # | |
| 171 | # If "yes", the user must be listed as a member of the first gid 0 group | |
| 172 | # in /etc/group (called "root" on most Linux systems) to be able to "su" | |
| 173 | # to uid 0 accounts. If the group doesn't exist or is empty, no one | |
| 174 | # will be able to "su" to uid 0. | |
| 175 | # | |
| 176 | SU_WHEEL_ONLY no | |
| 177 | ||
| da314725 MT |
178 | # |
| 179 | # Min/max values for automatic uid selection in useradd(8) | |
| 180 | # | |
| 181 | UID_MIN 1000 | |
| 182 | UID_MAX 60000 | |
| 183 | # System accounts | |
| 184 | SYS_UID_MIN 101 | |
| 185 | SYS_UID_MAX 999 | |
| 186 | # Extra per user uids | |
| 187 | SUB_UID_MIN 100000 | |
| 188 | SUB_UID_MAX 600100000 | |
| 189 | SUB_UID_COUNT 65536 | |
| 190 | ||
| 191 | # | |
| 192 | # Min/max values for automatic gid selection in groupadd(8) | |
| 193 | # | |
| 194 | GID_MIN 1000 | |
| 195 | GID_MAX 60000 | |
| 196 | # System accounts | |
| 197 | SYS_GID_MIN 101 | |
| 198 | SYS_GID_MAX 999 | |
| 199 | # Extra per user group ids | |
| 200 | SUB_GID_MIN 100000 | |
| 201 | SUB_GID_MAX 600100000 | |
| 202 | SUB_GID_COUNT 65536 | |
| 203 | ||
| 204 | # | |
| 205 | # Max number of login(1) retries if password is bad | |
| 206 | # | |
| 207 | LOGIN_RETRIES 5 | |
| 208 | ||
| 209 | # | |
| 210 | # Max time in seconds for login(1) | |
| 211 | # | |
| 212 | LOGIN_TIMEOUT 60 | |
| 213 | ||
| 214 | # | |
| 215 | # Maximum number of attempts to change password if rejected (too easy) | |
| 216 | # | |
| 217 | PASS_CHANGE_TRIES 5 | |
| 218 | ||
| 219 | # | |
| 220 | # Warn about weak passwords (but still allow them) if you are root. | |
| 221 | # | |
| 222 | PASS_ALWAYS_WARN yes | |
| 223 | ||
| 224 | # | |
| 225 | # Require password before chfn(1)/chsh(1) can make any changes. | |
| 226 | # | |
| 227 | CHFN_AUTH yes | |
| 228 | ||
| 229 | # | |
| 230 | # Which fields may be changed by regular users using chfn(1) - use | |
| 231 | # any combination of letters "frwh" (full name, room number, work | |
| 232 | # phone, home phone). If not defined, no changes are allowed. | |
| 233 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". | |
| 234 | # | |
| 235 | CHFN_RESTRICT rwh | |
| 236 | ||
| 237 | # | |
| 238 | # Password prompt (%s will be replaced by user name). | |
| 239 | # | |
| 240 | # XXX - it doesn't work correctly yet, for now leave it commented out | |
| 241 | # to use the default which is just "Password: ". | |
| 242 | #LOGIN_STRING "%s's Password: " | |
| 243 | ||
| 244 | # | |
| 245 | # Only works if compiled with ENCRYPTMETHOD_SELECT defined: | |
| 246 | # If set to MD5, MD5-based algorithm will be used for encrypting password | |
| 247 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password | |
| 248 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password | |
| 5b28df47 AB |
249 | # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password |
| 250 | # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password | |
| da314725 | 251 | # If set to DES, DES-based algorithm will be used for encrypting password (default) |
| 5b28df47 | 252 | # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. |
| da314725 MT |
253 | # Overrides the MD5_CRYPT_ENAB option |
| 254 | # | |
| 255 | # Note: If you use PAM, it is recommended to use a value consistent with | |
| 256 | # the PAM modules configuration. | |
| 257 | # | |
| 5b28df47 | 258 | ENCRYPT_METHOD YESCRYPT |
| da314725 MT |
259 | |
| 260 | # | |
| 261 | # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. | |
| 262 | # | |
| 263 | # Define the number of SHA rounds. | |
| 264 | # With a lot of rounds, it is more difficult to brute-force the password. | |
| 265 | # However, more CPU resources will be needed to authenticate users if | |
| 266 | # this value is increased. | |
| 267 | # | |
| 268 | # If not specified, the libc will choose the default number of rounds (5000). | |
| 269 | # The values must be within the 1000-999999999 range. | |
| 270 | # If only one of the MIN or MAX values is set, then this value will be used. | |
| 271 | # If MIN > MAX, the highest value will be used. | |
| 272 | # | |
| 273 | # SHA_CRYPT_MIN_ROUNDS 5000 | |
| 274 | # SHA_CRYPT_MAX_ROUNDS 5000 | |
| 275 | ||
| 276 | # | |
| 277 | # Should login be allowed if we can't cd to the home directory? | |
| 278 | # Default is no. | |
| 279 | # | |
| 280 | DEFAULT_HOME yes | |
| 281 | ||
| 282 | # | |
| 283 | # If this file exists and is readable, login environment will be | |
| 284 | # read from it. Every line should be in the form name=value. | |
| 285 | # | |
| 286 | ENVIRON_FILE /etc/environment | |
| 287 | ||
| 288 | # | |
| 289 | # Enable setting of the umask group bits to be the same as owner bits | |
| 290 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | |
| 291 | # the same as gid, and username is the same as the primary group name. | |
| 292 | # | |
| 293 | # This also enables userdel(8) to remove user groups if no members exist. | |
| 294 | # | |
| 295 | USERGROUPS_ENAB yes | |
| 296 | ||
| 297 | # | |
| 298 | # If set to a non-zero number, the shadow utilities will make sure that | |
| 299 | # groups never have more than this number of users on one line. | |
| 300 | # This permits to support split groups (groups split into multiple lines, | |
| 301 | # with the same group ID, to avoid limitation of the line length in the | |
| 302 | # group file). | |
| 303 | # | |
| 304 | # 0 is the default value and disables this feature. | |
| 305 | # | |
| 306 | #MAX_MEMBERS_PER_GROUP 0 | |
| 307 | ||
| 308 | # | |
| 309 | # If useradd(8) should create home directories for users by default (non | |
| 310 | # system users only). | |
| 311 | # This option is overridden with the -M or -m flags on the useradd(8) | |
| 312 | # command-line. | |
| 313 | # | |
| 314 | #CREATE_HOME yes |