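#
# /etc/login.defs - Configuration control definitions for the shadow package.
#
# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
#
# Format: one "NAME value" pair per line, whitespace separated; "#" starts
# a comment. Several of the login/su settings below are only honoured by
# the non-PAM code paths of the shadow tools; on a PAM-enabled system the
# corresponding PAM module configuration takes over (see the PAM notes on
# the individual keys).
#

#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimal delay (e.g.
# pam_unix enforces a 2s delay)
#
FAIL_DELAY		3

#
# Enable logging and display of /var/log/faillog login failure info.
#
#FAILLOG_ENAB		yes

#
# Enable display of unknown usernames when login failures are recorded.
# Keep this at "no": a user who mistakenly types a password at the login
# prompt would otherwise have it written to the logs as an "unknown user".
#
LOG_UNKFAIL_ENAB	no

#
# Enable logging of successful logins.
# Consider enabling this where an audit trail of interactive logins is
# required and is not already provided by PAM/syslog.
#
LOG_OK_LOGINS		no

#
# Enable logging and display of /var/log/lastlog login time info.
#
#LASTLOG_ENAB		yes

#
# Enable checking and display of mailbox status upon login.
#
# Disable if the shell startup files already check for mail
# ("mailx -e" or equivalent).
#
#MAIL_CHECK_ENAB	yes

#
# Enable additional checks upon password changes.
#
#OBSCURE_CHECKS_ENAB	yes

#
# Enable checking of time restrictions specified in /etc/porttime.
#
#PORTTIME_CHECKS_ENAB	yes

#
# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
#QUOTAS_ENAB		yes

#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
# Leave both enabled: privilege transitions should always reach the
# central log, not only a local file.
#
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
# (On PAM systems the same file is typically consulted by pam_securetty;
# keep the two in sync if you restrict root logins.)
#
CONSOLE		/etc/securetty
#CONSOLE	console:tty01:tty02:tty03:tty04

#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE	/var/log/sulog

#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
#MOTD_FILE	/etc/motd
#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd

#
# If defined, this file will be output before each login prompt.
#
#ISSUE_FILE	/etc/issue

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE	/etc/ttytype

#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
#FTMP_FILE	/var/log/btmp

#
# If defined, name of file whose presence will inhibit non-root
# logins. The contents of this file should be a message indicating
# why logins are inhibited.
#
#NOLOGINS_FILE	/etc/nologin

#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command as "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME		su

#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
#MAIL_DIR	/var/spool/mail
MAIL_FILE	.mail

#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

#
# If defined, either a TZ environment parameter spec or the
# fully-rooted pathname of a file containing such a spec.
#
#ENV_TZ		TZ=CST6CDT
#ENV_TZ		/etc/tzname

#
# If defined, an HZ environment parameter spec.
#
# for Linux/x86
#ENV_HZ		HZ=100
# For Linux/Alpha...
#ENV_HZ		HZ=1024

#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
# Keep these absolute and free of "." or empty components: a relative
# entry in the superuser PATH is a classic privilege-escalation vector.
#
ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
ENV_PATH	PATH=/bin:/usr/bin

#
# Terminal permissions
#
#	TTYGROUP	Login tty will be assigned this group ownership.
#	TTYPERM		Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP	tty
TTYPERM		0600

#
# Login configuration initializations:
#
#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
#	ULIMIT		Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# The ULIMIT is used only if the system supports it.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR	0177
KILLCHAR	025
#ULIMIT		2097152

# Default initial "umask" value for non-PAM enabled systems.
# UMASK is also used by useradd and newusers to set the mode of new home
# directories.
# 022 is the default value, but 027, or even 077, could be considered
# better for privacy. There is no One True Answer here: each sysadmin
# must make up her mind.
# Note that with USERGROUPS_ENAB set to "yes" (below) the group bits are
# relaxed to match the owner bits for users in their own private group,
# so 022 effectively becomes 002 for such users.
UMASK		022

#
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
# 99999 effectively disables expiry; lower it if your policy requires
# rotation. PASS_MIN_DAYS 0 lets a user change a password repeatedly in
# one sitting (e.g. to cycle past an enforced password history); set it
# to 1 or more if such a history is in place. These values are applied
# to accounts created afterwards (useradd/newusers); use chage(1) to
# adjust existing accounts.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
#PASS_MIN_LEN	5
PASS_WARN_AGE	7

#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
# (On PAM systems the equivalent restriction is pam_wheel in /etc/pam.d/su.)
#
#SU_WHEEL_ONLY	no

#
# If compiled with cracklib support, where are the dictionaries
#
#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999

#
# Max number of login retries if password is bad
#
LOGIN_RETRIES		5

#
# Max time in seconds for login
#
LOGIN_TIMEOUT		60

#
# Maximum number of attempts to change password if rejected (too easy)
#
#PASS_CHANGE_TRIES	5

#
# Warn about weak passwords (but still allow them) if you are root.
#
#PASS_ALWAYS_WARN	yes

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes" (and presumably whenever
# ENCRYPT_METHOD selects MD5 or SHA; it only matters for DES).
#
#PASS_MAX_LEN		8

#
# Require password before chfn/chsh can make any changes.
#
#CHFN_AUTH		yes

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT		rwh

#
# Password prompt (%s will be replaced by user name).
#
# XXX - it doesn't work correctly yet, for now leave it commented out
# to use the default which is just "Password: ".
#LOGIN_STRING		"%s's Password: "

#
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB	no

#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password
# Overrides the MD5_CRYPT_ENAB option
#
# When this key is left unset the DES-based algorithm is the default. DES
# crypt uses only the first 8 characters of the password and a 12-bit
# salt and is trivially brute-forced on modern hardware, so SHA512 is set
# explicitly here. Only fall back to DES if you must share password
# hashes with a system that understands nothing newer.
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration (e.g. the "sha512" option of pam_unix);
# otherwise tools that go through PAM (passwd) and tools that read this
# file directly (e.g. chpasswd, newusers) will produce different hash
# types.
#
ENCRYPT_METHOD SHA512

#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is harder to brute-force the password.
# But note also that more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000

#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console
# (for example by leaving a background process running, or by
# creating a setgid executable owned by one of these groups while
# temporarily a member).
#
#CONSOLE_GROUPS		floppy:audio:cdrom

#
# Should login be allowed if we can't cd to the home directory?
# Default is no. With "yes" the login proceeds anyway (the user ends
# up in "/").
#
DEFAULT_HOME	yes

#
# If this file exists and is readable, login environment will be
# read from it. Every line should be in the form name=value.
#
#ENVIRON_FILE	/etc/environment

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits split groups (groups split into multiple lines, with the
# same group ID, to avoid the line-length limitation of the group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP	0

#
# If useradd should create home directories for users by default (non
# system users only)
# This option is overridden with the -M or -m flags on the useradd command
# line.
#
CREATE_HOME	yes
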