Section 5: login.defs
This page was converted automatically from Debian GNU/Linux man pages.
LOGIN(5) LOGIN(5)
NAME
/etc/login.defs - Login configuration
DESCRIPTION
The /etc/login.defs file defines the site-specific configuration for the shadow login suite. This file is required. Absence of this file will not prevent system operation, but will probably result in undesirable operation.
This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name and value, separated by whitespace. Blank lines and comment lines are ignored. Comments are introduced with a `#' pound sign and the pound sign must be the first non-white character of the line.
Parameter values may be of four types: strings, booleans, numbers, and long numbers. A string is comprised of any printable characters. A boolean should be either the value ``yes'' or ``no''. An undefined boolean parameter or one with a value other than these will be given a ``no'' value. Numbers (both regular and long) may be either decimal values, octal values (precede the value with ``0'') or hexadecimal values (precede the value with ``0x''). The maximum value of the regular and long numeric parameters is machine-dependent.
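The parsing rules above (comment lines, name/value split, the boolean fallback to ``no'', and the 0/0x number prefixes) as an added Python example that is not part of the man page or of the shadow suite; the SAMPLE_LOGIN_DEFS fragment is constructed for the demonstration and is not the real Debian file:

```python
from typing import Dict, Optional

# Constructed login.defs fragment using parameter names from this page.
SAMPLE_LOGIN_DEFS = """\
# Comments start with '#' as the first non-white character of the line.
   # An indented comment is still a comment.
ENV_PATH      PATH=/usr/local/bin:/usr/bin:/bin
FAILLOG_ENAB  yes
LOG_UNKFAIL_ENAB  maybe
UMASK         022
TTYPERM       0600
PASS_MAX_DAYS 0x63
PASS_WARN_AGE 7
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return name -> raw value; a later definition overrides an earlier one."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment line
        parts = stripped.split(None, 1)   # name, then the rest of the line
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def get_bool(params: Dict[str, str], name: str) -> bool:
    """Only the literal value 'yes' is true; undefined or anything else is 'no'."""
    return params.get(name, "") == "yes"


def get_num(params: Dict[str, str], name: str, default: Optional[int]) -> Optional[int]:
    """Decode a number like strtol(..., 0): '0x' prefix is hex, a leading
    '0' is octal, otherwise decimal. Missing parameters yield the default."""
    raw = params.get(name)
    if raw is None:
        return default
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    if len(raw) > 1 and raw.startswith("0"):
        return int(raw, 8)
    return int(raw, 10)
```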
The following configuration items are provided:
CHFN_AUTH (boolean)
If yes, the chfn and chsh programs will ask for
password before making any changes, unless run by
the superuser.
CHFN_RESTRICT (string)
This parameter specifies which values in the gecos
field of the passwd file may be changed by regular
users using the chfn program. It can be any combination of letters f, r, w, h, for Full name, Room number, Work phone, and Home phone, respectively.
If not specified, only the superuser can make any
changes.
CLOSE_SESSIONS (boolean)
Enable pam_close_session() calling. When using normal (pam_unix.so) session handling modules, this is not needed. However with modules (such as kerberos or other persistent session models), login needs to fork and wait for the shell to exit, so that sessions can be cleaned up.
CONSOLE (string)
If specified, this definition provides for a restricted set of lines on which root logins will be allowed. An attempted root login which does not meet the criteria established here will be rejected. The value of this field may be one of two forms, either a fully-rooted pathname such as
CONSOLE /etc/consoles
or a colon-delimited list of terminal lines such as:
CONSOLE console:tty01:tty02:tty03:tty04
If a pathname is given, each line of the file should specify one terminal line. If this parameter is not defined or the specified file does not exist, then root logins will be allowed from any terminal line. Because the removal of this file, or its truncation, could result in unauthorized root logins, this file must be protected. Where security is critical, the colon-separated form should be used to prevent this potential method of attack.
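The CONSOLE decision described above, written out as an added Python example (not code from the man page or from the shadow suite) so the fail-open case is visible: a missing file means root may log in from any line, whereas the colon-delimited form cannot be lost. The in-memory file table is constructed for the demonstration.

```python
from typing import Callable, Optional

# Constructed stand-in for the filesystem; "/etc/consoles" here is sample content.
CONSTRUCTED_FILES = {"/etc/consoles": "console\ntty01\n\ntty02\n"}


def fake_read(path: str) -> str:
    """Read from the constructed table; missing paths raise like open() would."""
    if path not in CONSTRUCTED_FILES:
        raise FileNotFoundError(path)
    return CONSTRUCTED_FILES[path]


def _read_disk(path: str) -> str:
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


def root_login_allowed(console_value: Optional[str], tty: str,
                       read_file: Callable[[str], str] = _read_disk) -> bool:
    """Apply the CONSOLE rule for a root login attempt on terminal line `tty`.

    console_value is the raw CONSOLE setting, or None when it is not defined.
    A fully-rooted pathname names a file with one terminal line per line; any
    other value is a colon-delimited list of terminal lines.
    """
    if console_value is None:
        return True                           # parameter undefined: any line
    if console_value.startswith("/"):
        try:
            text = read_file(console_value)
        except FileNotFoundError:
            return True                       # file removed: fails OPEN, any line
        allowed = {ln.strip() for ln in text.splitlines() if ln.strip()}
        return tty in allowed
    return tty in console_value.split(":")    # list form cannot be deleted
```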
CONSOLE_GROUPS (string)
XXX needs to be documented.
CRACKLIB_DICTPATH (string)
XXX needs to be documented.
DEFAULT_HOME (boolean)
XXX needs to be documented.
DIALUPS_CHECK_ENAB (boolean)
If yes and an /etc/dialups file exists, then secondary passwords are enabled upon the dialup lines specified in this file. This file should contain a list of dialups, one per line, for example:
ttyfm01
ttyfm02
...
ENVIRON_FILE (string)
File containing a list of environment variables
(one per line) to set when logging in or su'ing.
ENV_HZ (string)
This parameter specifies a value for an HZ environment parameter. Example usage is:
ENV_HZ HZ=50
If this parameter is not defined then no HZ value will be established.
ENV_PATH (string)
This parameter must be defined as the search path
for regular users. When a login with UID other
than zero occurs, the PATH environment parameter is
initialized to this value. This parameter is
required; if undefined a possibly incorrect default
value will be provided.
ENV_SUPATH (string)
This parameter must be defined as the search path for the superuser. When a login with UID zero occurs, the PATH environment parameter is initialized to this value. This parameter is required; if undefined a possibly incorrect default value will be provided.
ENV_TZ (string)
This parameter specifies information for generating
a TZ environment parameter. The value must either
be the desired contents of TZ, or the full pathname
of a file which contains this information. Example
usage is:
ENV_TZ TZ=CST6CDT
or
ENV_TZ /etc/tzname
If a nonexistent file is named, then TZ will be initialized to some default value. If this parameter is not defined then no TZ value will be established.
ERASECHAR (number)
The terminal erase character is initialized to this
value. This is supported only on systems with the
termio interface, e.g. System V. If not specified,
the erase character will be initialized to a
backspace. See KILLCHAR for related information.
FAILLOG_ENAB (boolean)
If yes then login failures will be accumulated in
/var/log/faillog in a faillog(8) format.
FAIL_DELAY (number)
Delay time in seconds after each failed login
attempt.
FAKE_SHELL (string)
Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (argv[0]) will be the shell's. The program may do whatever it wants (logging, additional authentication, banner, ...) before running the actual shell.
FTMP_FILE (string)
This parameter specifies the full pathname to a
file to which login failures are recorded. When a
login failure occurs, a utmp format record will be
appended to this file. Note that this differs from
the /var/log/faillog failure logging in that this
facility logs every failure whereas the ``faillog''
facility accumulates failure information per user.
If this parameter is not specified then logging
will be inhibited. See FAILLOG_ENAB and LOG_UNKFAIL_ENAB for related information.
GID_MAX (number)
GID_MIN (number)
Range of group IDs to choose from for the groupadd
program.
HUSHLOGIN_FILE (string)
This parameter is used to establish ``hushlogin'' conditions. There are two possible ways to establish these conditions. First, if the value of this parameter is a filename and that file exists in the user's home directory then ``hushlogin'' conditions will be in effect. The contents of this file are ignored; its mere presence triggers ``hushlogin'' conditions. Second, if the value of this parameter is a full pathname and either the user's login name or the user's shell is found in this file, then ``hushlogin'' conditions will be in effect. In this case, the file should be in a format similar to:
demo
/usr/lib/uucp/uucico
...
If this parameter is not defined, then ``hushlogin'' conditions will never occur. When ``hushlogin'' conditions are established, the message of the day, last successful and unsuccessful login display, mail status display, and password aging checks are suppressed. Note that allowing hushlogin files in user home directories allows the user to disable password aging checks. See MOTD_FILE, FAILLOG_ENAB, LASTLOG_ENAB, and MAIL_CHECK_ENAB for related information.
ISSUE_FILE (string)
Full pathname of the file to display before each
login prompt.
KILLCHAR (number)
The terminal kill character is initialized to this
value. This is supported only on systems with the
termio interface, e.g. System V. If not specified,
the kill character will be initialized to a CTRL/U.
See ERASECHAR for related information.
LASTLOG_ENAB (boolean)
If yes, and if the /var/log/lastlog file exists,
then a successful user login will be recorded to
this file. Furthermore, if this option is enabled
then the times of the most recent successful and
unsuccessful logins will be displayed to the user
upon login. The unsuccessful login display will be
suppressed if FAILLOG_ENAB is not enabled. If
``hushlogin'' conditions are in effect, then both
the successful and unsuccessful login information
will be suppressed.
LOGIN_RETRIES (number)
Number of login attempts allowed before the login
program exits.
LOGIN_STRING (string)
XXX needs to be documented.
LOGIN_TIMEOUT (number)
XXX needs to be documented.
LOG_OK_LOGINS (boolean)
XXX needs to be documented.
LOG_UNKFAIL_ENAB (boolean)
If yes then unknown usernames will be included when a login failure is recorded. Note that this is a potential security risk; a common login failure mode is transposition of the user name and password, thus this mode will often cause passwords to accumulate in the failure logs. If this option is disabled then unknown usernames will be suppressed in login failure messages.
MAIL_CHECK_ENAB (boolean)
If yes, the user will be notified of his or her
mailbox status upon login. See MAIL_DIR for
related information.
MAIL_DIR (string)
This parameter specifies the full pathname to the directory which contains the user mailbox files. The user's login name is appended to this path to form the MAIL environment parameter - the path to the user's mailbox. Either this parameter or MAIL_FILE must be defined; if undefined some possibly incorrect default value will be assumed. See MAIL_CHECK_ENAB for related information.
MAIL_FILE (string)
This parameter specifies the name of the user's mailbox file. This name is appended to the name of the user's home directory to form the MAIL environment parameter - the path to the user's mailbox. Either this parameter or MAIL_DIR must be defined; if undefined some possibly incorrect default value will be assumed. See MAIL_CHECK_ENAB for related information.
MD5_CRYPT_ENAB (boolean)
If yes, the passwd program will encrypt newly changed passwords using a new MD5-based crypt(3) password hashing algorithm, which originally appeared in FreeBSD, and is also supported by libc-5.4.38 and glibc-2.0 (or higher) on Linux. This algorithm allows passwords longer than 8 characters (limited by getpass(3) to 127 characters), but is incompatible with traditional crypt(3) implementations.
MOTD_FILE (string)
This parameter specifies a colon-delimited list of pathnames to ``message of the day'' files. If a specified file exists, then its contents are displayed to the user upon login. If this parameter is not defined or ``hushlogin'' login conditions are in effect, this information will be suppressed.
NOLOGINS_FILE (string)
This parameter specifies the full pathname to a file which inhibits non-root logins. If this file exists and a user other than root attempts to log in, the contents of the file will be displayed and the user will be disconnected. If this parameter is not specified then this feature will be inhibited.
NOLOGIN_STR (string)
XXX needs to be documented.
OBSCURE_CHECKS_ENAB (boolean)
If yes, the passwd program will perform additional checks before accepting a password change. The checks performed are fairly simple, and their use is recommended. These obscurity checks are bypassed if passwd is run by root. See PASS_MIN_LEN for related information.
PASS_ALWAYS_WARN (boolean)
XXX needs to be documented.
PASS_CHANGE_TRIES (number)
XXX needs to be documented.
PASS_MIN_DAYS (number)
The minimum number of days allowed between password
changes. Any password changes attempted sooner
than this will be rejected. If not specified, a
zero value will be assumed.
PASS_MIN_LEN (number)
The minimum number of characters in an acceptable
password. An attempt to assign a password with
fewer characters will be rejected. A zero value
suppresses this check. If not specified, a zero
value will be assumed.
PASS_MAX_DAYS (number)
The maximum number of days a password may be used.
If the password is older than this, then the
account will be locked. If not specified, a large
value will be assumed.
PASS_MAX_LEN (number)
XXX needs to be documented.
PASS_WARN_AGE (number)
The number of days warning given before a password
expires. A zero means warning is given only upon
the day of expiration, a negative value means no
warning is given. If not specified, no warning
will be provided.
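The interaction of PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE as an added Python example (not from the man page or the shadow suite). It assumes days are counted as integer day numbers, the way shadow stores the last-change date, and uses 99999 as a stand-in for the ``large value'' the page leaves unspecified:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AgingPolicy:
    pass_min_days: int = 0              # page: zero assumed when unspecified
    pass_max_days: int = 99999          # page: "a large value"; 99999 is this example's choice
    pass_warn_age: Optional[int] = None # None models "not specified": no warning


def login_status(policy: AgingPolicy, last_change_day: int, today: int) -> str:
    """Evaluate the aging rules at login time.

    Returns 'locked' when the password is older than PASS_MAX_DAYS,
    'warn:N' (N days left) inside the PASS_WARN_AGE window, else 'ok'.
    A warn age of 0 warns only on the expiration day itself; a negative or
    unspecified warn age never warns.
    """
    age = today - last_change_day
    if age > policy.pass_max_days:
        return "locked"
    days_left = policy.pass_max_days - age
    warn = -1 if policy.pass_warn_age is None else policy.pass_warn_age
    if warn >= 0 and days_left <= warn:
        return f"warn:{days_left}"
    return "ok"


def change_allowed(policy: AgingPolicy, last_change_day: int, today: int) -> bool:
    """PASS_MIN_DAYS: a change attempted sooner than this is rejected."""
    return today - last_change_day >= policy.pass_min_days
```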
PORTTIME_CHECKS_ENAB (boolean)
If yes and an /etc/porttime file exists, that file
will be consulted to ensure the user may login at
this time on the given line. See porttime(5).
QMAIL_DIR (string)
For Qmail users, this parameter specifies a directory where a Maildir hierarchy is stored. See MAIL_CHECK_ENAB for related information.
QUOTAS_ENAB (boolean)
If yes, then the user's ``ulimit,'' ``umask,'' and ``niceness'' will be initialized to the values specified in the gecos field of the passwd file, if present. See passwd(5).
SU_NAME (string)
This parameter assigns a command name when ``su -'' is run. For example, if the parameter is defined as ``su'', then a ps(1) listing would show the command running as ``-su''. If this parameter is undefined, then a ps(1) listing would show the name of the actual shell being run, e.g. something like ``-sh''.
SULOG_FILE (string)
This parameter specifies a full pathname of a file
in which su activity is logged. If this parameter
is not specified, the logging is suppressed.
Because the su command may be used when attempting
to authenticate a password, either this option, or
syslog should be used to note su activity. See the
SYSLOG_SU_ENAB option for related information.
SU_WHEEL_ONLY (boolean)
XXX needs to be documented.
SYSLOG_SG_ENAB (boolean)
XXX needs to be documented.
SYSLOG_SU_ENAB (boolean)
If yes and login was compiled with syslog support, then all su activity will be noted through the syslog facility. See SULOG_FILE for related information.
TTYGROUP (string or number)
The group ownership of the terminal is initialized to this group name or number. One well-known security attack involves forcing terminal control sequences upon another user's terminal line. This problem can be averted by disabling permissions which allow other users to access the terminal line, but this unfortunately prevents programs such as write from operating. Another solution is to use a version of the write program which filters out potentially dangerous character sequences, make this program ``setgid'' to a special group, assign group ownership of the terminal line to this special group, and assign permissions of 0620 to the terminal line. The TTYGROUP definition has been provided for just this situation. If this item is not defined, then the group ownership of the terminal is initialized to the user's group number. See TTYPERM for related information.
TTYPERM (number)
The login terminal permissions are initialized to this value. Typical values will be 0622 to permit others write access to the line or 0600 to secure the line from other users. If not specified, the terminal permissions will be initialized to 0622. See TTYGROUP for related information.
TTYTYPE_FILE (string)
This parameter specifies the full pathname to a file which maps terminal lines to terminal types. Each line of the file contains a terminal type and a terminal line, separated by whitespace, for example:
vt100 tty01
wyse60 tty02
...
This information is only used to initialize the TERM environment parameter when it does not already exist. A line starting with a ``#'' pound sign will be treated as a comment. If this parameter is not specified, the file does not exist, or the terminal line is not found in the file, then the TERM environment parameter will not be set.
UID_MAX (number)
XXX needs to be documented.
UID_MIN (number)
XXX needs to be documented.
ULIMIT (long number)
The file size limit is initialized to this value.
This is supported only on systems with a ulimit,
e.g. System V. If not specified, the file size
limit will be initialized to some large value.
UMASK (number)
The permission mask is initialized to this value.
If not specified, the permission mask will be initialized to zero.
USERDEL_CMD (string)
XXX needs to be documented.
CROSS REFERENCE
The following cross reference shows which programs in the
shadow login suite use which parameters.
login CONSOLE DIALUPS_CHECK_ENAB ENV_HZ ENV_SUPATH
ENV_TZ ERASECHAR FAILLOG_ENAB FTMP_FILE
HUSHLOGIN_FILE KILLCHAR LASTLOG_ENAB
LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR
MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
QUOTAS_ENAB TTYPERM TTYTYPE_FILE ULIMIT UMASK
newusers PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
UMASK
passwd OBSCURE_CHECKS_ENAB PASS_MIN_LEN
pwconv PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
su ENV_HZ ENV_SUPATH ENV_TZ HUSHLOGIN_FILE
MAIL_CHECK_ENAB MAIL_DIR MOTD_FILE NOLOGIN_STR
QUOTAS_ENAB SULOG_FILE SYSLOG_SU_ENAB
sulogin ENV_HZ ENV_SUPATH ENV_TZ MAIL_DIR QUOTAS_ENAB
TTYPERM
BUGS
Some of the supported configuration parameters are not
documented in this manual page.
SEE ALSO
login(1), passwd(5), faillog(5), porttime(5), faillog(8)
AUTHORS
Julianne Frances Haugh (jfh@bga.com)
Chip Rosenthal (chip@unicom.com)