1#
2# /etc/login.defs - Configuration control definitions for the shadow package.
3#
4#	$Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
5#
6
7#
8# Delay in seconds before being allowed another attempt after a login failure
9# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
10#       pam_unix enforces a 2s delay)
11#
12FAIL_DELAY		3
13
14#
15# Enable logging and display of /var/log/faillog login failure info.
16#
17#FAILLOG_ENAB		yes
18
19#
20# Enable display of unknown usernames when login failures are recorded.
21#
22LOG_UNKFAIL_ENAB	no
23
24#
25# Enable logging of successful logins
26#
27LOG_OK_LOGINS		no
28
29#
30# Enable logging and display of /var/log/lastlog login time info.
31#
32#LASTLOG_ENAB		yes
33
34#
35# Enable checking and display of mailbox status upon login.
36#
37# Disable if the shell startup files already check for mail
38# ("mailx -e" or equivalent).
39#
40##MAIL_CHECK_ENAB		yes
41
42#
43# Enable additional checks upon password changes.
44#
45#OBSCURE_CHECKS_ENAB	yes
46
47#
48# Enable checking of time restrictions specified in /etc/porttime.
49#
50#PORTTIME_CHECKS_ENAB	yes
51
52#
53# Enable setting of ulimit, umask, and niceness from passwd gecos field.
54#
55#QUOTAS_ENAB		yes
56
57#
58# Enable "syslog" logging of su activity - in addition to sulog file logging.
59# SYSLOG_SG_ENAB does the same for newgrp and sg.
60#
61SYSLOG_SU_ENAB		yes
62SYSLOG_SG_ENAB		yes
63
64#
65# If defined, either full pathname of a file containing device names or
66# a ":" delimited list of device names.  Root logins will be allowed only
67# upon these devices.
68#
69CONSOLE		/etc/securetty
70#CONSOLE	console:tty01:tty02:tty03:tty04
71
72#
73# If defined, all su activity is logged to this file.
74#
75#SULOG_FILE	/var/log/sulog
76
77#
78# If defined, ":" delimited list of "message of the day" files to
79# be displayed upon login.
80#
81#MOTD_FILE	/etc/motd
82#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
83
84#
85# If defined, this file will be output before each login prompt.
86#
87#ISSUE_FILE	/etc/issue
88
89#
90# If defined, file which maps tty line to TERM environment parameter.
91# Each line of the file is in a format something like "vt100  tty01".
92#
93#TTYTYPE_FILE	/etc/ttytype
94
95#
96# If defined, login failures will be logged here in a utmp format.
97# last, when invoked as lastb, will read /var/log/btmp, so...
98#
99#FTMP_FILE	/var/log/btmp
100
101#
102# If defined, name of file whose presence which will inhibit non-root
103# logins.  The contents of this file should be a message indicating
104# why logins are inhibited.
105#
106#NOLOGINS_FILE	/etc/nologin
107
108#
109# If defined, the command name to display when running "su -".  For
110# example, if this is defined as "su" then a "ps" will display the
111# command is "-su".  If not defined, then "ps" would display the
112# name of the shell actually being run, e.g. something like "-sh".
113#
114SU_NAME		su
115
116#
117# *REQUIRED*
118#   Directory where mailboxes reside, _or_ name of file, relative to the
119#   home directory.  If you _do_ define both, #MAIL_DIR takes precedence.
120#
121#MAIL_DIR	/var/spool/mail
122MAIL_FILE	.mail
123
124#
125# If defined, file which inhibits all the usual chatter during the login
126# sequence.  If a full pathname, then hushed mode will be enabled if the
127# user's name or shell are found in the file.  If not a full pathname, then
128# hushed mode will be enabled if the file exists in the user's home directory.
129#
130HUSHLOGIN_FILE	.hushlogin
131#HUSHLOGIN_FILE	/etc/hushlogins
132
133#
134# If defined, either a TZ environment parameter spec or the
135# fully-rooted pathname of a file containing such a spec.
136#
137#ENV_TZ		TZ=CST6CDT
138#ENV_TZ		/etc/tzname
139
140#
141# If defined, an HZ environment parameter spec.
142#
143# for Linux/x86
144#ENV_HZ		HZ=100
145# For Linux/Alpha...
146#ENV_HZ		HZ=1024
147
148#
149# *REQUIRED*  The default PATH settings, for superuser and normal users.
150#
151# (they are minimal, add the rest in the shell startup files)
152ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
153ENV_PATH	PATH=/bin:/usr/bin
154
155#
156# Terminal permissions
157#
158#	TTYGROUP	Login tty will be assigned this group ownership.
159#	TTYPERM		Login tty will be set to this permission.
160#
161# If you have a "write" program which is "setgid" to a special group
162# which owns the terminals, define TTYGROUP to the group number and
163# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
164# TTYPERM to either 622 or 600.
165#
166TTYGROUP	tty
167TTYPERM		0600
168
169#
170# Login configuration initializations:
171#
172#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
173#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
174#	ULIMIT		Default "ulimit" value.
175#
176# The ERASECHAR and KILLCHAR are used only on System V machines.
177# The ULIMIT is used only if the system supports it.
178# (now it works with setrlimit too; ulimit is in 512-byte units)
179#
180# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
181#
182ERASECHAR	0177
183KILLCHAR	025
184#ULIMIT		2097152
185
186# Default initial "umask" value for non-PAM enabled systems.
187# UMASK is also used by useradd and newusers to set the mode of new home
188# directories.
189# 022 is the default value, but 027, or even 077, could be considered
190# better for privacy. There is no One True Answer here: each sysadmin
191# must make up her mind.
192UMASK		022
193
194#
195# Password aging controls:
196#
197#	PASS_MAX_DAYS	Maximum number of days a password may be used.
198#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
199#	PASS_MIN_LEN	Minimum acceptable password length.
200#	PASS_WARN_AGE	Number of days warning given before a password expires.
201#
202PASS_MAX_DAYS	99999
203PASS_MIN_DAYS	0
204#PASS_MIN_LEN	5
205PASS_WARN_AGE	7
206
207#
208# If "yes", the user must be listed as a member of the first gid 0 group
209# in /etc/group (called "root" on most Linux systems) to be able to "su"
210# to uid 0 accounts.  If the group doesn't exist or is empty, no one
211# will be able to "su" to uid 0.
212#
213#SU_WHEEL_ONLY	no
214
215#
216# If compiled with cracklib support, where are the dictionaries
217#
218#CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
219
220#
221# Min/max values for automatic uid selection in useradd
222#
223UID_MIN			 1000
224UID_MAX			60000
225# System accounts
226SYS_UID_MIN		  101
227SYS_UID_MAX		  999
228
229#
230# Min/max values for automatic gid selection in groupadd
231#
232GID_MIN			 1000
233GID_MAX			60000
234# System accounts
235SYS_GID_MIN		  101
236SYS_GID_MAX		  999
237
238#
239# Max number of login retries if password is bad
240#
241LOGIN_RETRIES		5
242
243#
244# Max time in seconds for login
245#
246LOGIN_TIMEOUT		60
247
248#
249# Maximum number of attempts to change password if rejected (too easy)
250#
251#PASS_CHANGE_TRIES	5
252
253#
254# Warn about weak passwords (but still allow them) if you are root.
255#
256#PASS_ALWAYS_WARN	yes
257
258#
259# Number of significant characters in the password for crypt().
260# Default is 8, don't change unless your crypt() is better.
261# Ignored if MD5_CRYPT_ENAB set to "yes".
262#
263#PASS_MAX_LEN		8
264
265#
266# Require password before chfn/chsh can make any changes.
267#
268#CHFN_AUTH		yes
269
270#
271# Which fields may be changed by regular users using chfn - use
272# any combination of letters "frwh" (full name, room number, work
273# phone, home phone).  If not defined, no changes are allowed.
274# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
275#
276CHFN_RESTRICT		rwh
277
278#
279# Password prompt (%s will be replaced by user name).
280#
281# XXX - it doesn't work correctly yet, for now leave it commented out
282# to use the default which is just "Password: ".
283#LOGIN_STRING		"%s's Password: "
284
285#
286# Only works if compiled with MD5_CRYPT defined:
287# If set to "yes", new passwords will be encrypted using the MD5-based
288# algorithm compatible with the one used by recent releases of FreeBSD.
289# It supports passwords of unlimited length and longer salt strings.
290# Set to "no" if you need to copy encrypted passwords to other systems
291# which don't understand the new algorithm.  Default is "no".
292#
293# Note: If you use PAM, it is recommended to use a value consistent with
294# the PAM modules configuration.
295#
296# This variable is deprecated. You should use ENCRYPT_METHOD.
297#
298#MD5_CRYPT_ENAB	no
299
300#
301# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
302# If set to MD5 , MD5-based algorithm will be used for encrypting password
303# If set to SHA256, SHA256-based algorithm will be used for encrypting password
304# If set to SHA512, SHA512-based algorithm will be used for encrypting password
305# If set to DES, DES-based algorithm will be used for encrypting password (default)
306# Overrides the MD5_CRYPT_ENAB option
307#
308# Note: If you use PAM, it is recommended to use a value consistent with
309# the PAM modules configuration.
310#
311#ENCRYPT_METHOD DES
312
313#
314# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
315#
316# Define the number of SHA rounds.
317# With a lot of rounds, it is more difficult to brute forcing the password.
318# But note also that it more CPU resources will be needed to authenticate
319# users.
320#
321# If not specified, the libc will choose the default number of rounds (5000).
322# The values must be inside the 1000-999999999 range.
323# If only one of the MIN or MAX values is set, then this value will be used.
324# If MIN > MAX, the highest value will be used.
325#
326# SHA_CRYPT_MIN_ROUNDS 5000
327# SHA_CRYPT_MAX_ROUNDS 5000
328
329#
330# List of groups to add to the user's supplementary group set
331# when logging in on the console (as determined by the CONSOLE
332# setting).  Default is none.
333#
334# Use with caution - it is possible for users to gain permanent
335# access to these groups, even when not logged in on the console.
336# How to do it is left as an exercise for the reader...
337#
338#CONSOLE_GROUPS		floppy:audio:cdrom
339
340#
341# Should login be allowed if we can't cd to the home directory?
342# Default in no.
343#
344DEFAULT_HOME	yes
345
346#
347# If this file exists and is readable, login environment will be
348# read from it.  Every line should be in the form name=value.
349#
350#ENVIRON_FILE	/etc/environment
351
352#
353# If defined, this command is run when removing a user.
354# It should remove any at/cron/print jobs etc. owned by
355# the user to be removed (passed as the first argument).
356#
357#USERDEL_CMD	/usr/sbin/userdel_local
358
359#
360# Enable setting of the umask group bits to be the same as owner bits
361# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
362# the same as gid, and username is the same as the primary group name.
363#
364# This also enables userdel to remove user groups if no members exist.
365#
366USERGROUPS_ENAB yes
367
368#
369# If set to a non-nul number, the shadow utilities will make sure that
370# groups never have more than this number of users on one line.
371# This permit to support split groups (groups split into multiple lines,
372# with the same group ID, to avoid limitation of the line length in the
373# group file).
374#
375# 0 is the default value and disables this feature.
376#
377#MAX_MEMBERS_PER_GROUP	0
378
379#
380# If useradd should create home directories for users by default (non
381# system users only)
382# This option is overridden with the -M or -m flags on the useradd command
383# line.
384#
385CREATE_HOME     yes
386
387