LOGIN.DEFS(5) File Formats and Conversions LOGIN.DEFS(5)

NAME
login.defs - shadow password suite configuration

DESCRIPTION
The /etc/login.defs file defines the site-specific configuration for
the shadow password suite. This file is required. Absence of this file
will not prevent system operation, but will probably result in
undesirable operation.

This file is a readable text file, each line of the file describing one
configuration parameter. The lines consist of a configuration name and
value, separated by whitespace. Blank lines and comment lines are
ignored. Comments are introduced with a "#" pound sign and the pound
sign must be the first non-white character of the line.

Parameter values may be of four types: strings, booleans, numbers, and
long numbers. A string consists of any printable characters. A
boolean should be either the value yes or no. An undefined boolean
parameter or one with a value other than these will be given a no
value. Numbers (both regular and long) may be either decimal values,
octal values (precede the value with 0) or hexadecimal values (precede
the value with 0x). The maximum value of the regular and long numeric
parameters is machine-dependent.
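
The file format just described, as an added Python parser that is not
shadow-utils code: it applies the comment rule (a "#" only counts when it
is the first non-white character), the "undefined, or anything other than
yes, is no" rule for booleans, and the decimal/octal/hexadecimal rule for
numbers. The sets of parameters treated as booleans and numbers are this
example's own selection, keeping the last definition of a repeated name is
this example's choice, and the sample file is constructed.

```python
"""Read /etc/login.defs using the rules stated in login.defs(5).

Added example, not code from shadow-utils. BOOLEANS and NUMBERS are this
example's own selection of parameters; SAMPLE is constructed.
"""
import re

BOOLEANS = {"CHFN_AUTH", "CHSH_AUTH", "CREATE_HOME", "DEFAULT_HOME",
            "FAILLOG_ENAB", "LASTLOG_ENAB", "LOG_OK_LOGINS", "MD5_CRYPT_ENAB",
            "SU_WHEEL_ONLY", "SYSLOG_SU_ENAB", "USERGROUPS_ENAB"}
NUMBERS = {"ERASECHAR", "FAIL_DELAY", "GID_MAX", "GID_MIN", "KILLCHAR",
           "LOGIN_RETRIES", "LOGIN_TIMEOUT", "PASS_MAX_DAYS", "PASS_MIN_DAYS",
           "PASS_WARN_AGE", "SHA_CRYPT_MAX_ROUNDS", "SHA_CRYPT_MIN_ROUNDS",
           "UID_MAX", "UID_MIN", "UMASK"}


def parse_number(text):
    """Decimal, octal (leading 0) or hexadecimal (leading 0x), as the page states.

    A leading 0 means octal, so UMASK 022 is 18, not 22; reading it as
    decimal is the classic way to mis-audit a umask. "08" is neither valid
    octal nor decimal here and is rejected.
    """
    t = text.strip()
    if re.fullmatch(r"-?0[xX][0-9a-fA-F]+", t):
        return int(t, 16)
    if re.fullmatch(r"-?0[0-7]*", t):
        return int(t, 8)
    if re.fullmatch(r"-?[1-9][0-9]*", t):
        return int(t, 10)
    raise ValueError(f"not a login.defs number: {text!r}")


def parse_login_defs(text):
    """Map NAME -> raw value string.

    Blank lines are skipped, as are lines whose first non-white character
    is '#'. A '#' later on the line is NOT a comment: it stays in the value.
    A line with a name but no value is ignored. A repeated NAME keeps the
    last definition (this example's choice; the page does not say).
    """
    defs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        defs[fields[0]] = fields[1].strip()
    return defs


def get_bool(defs, name):
    """Undefined, or anything other than yes, is no (the page's rule).
    The case-insensitive comparison is this example's choice."""
    return defs.get(name, "").lower() == "yes"


def get_num(defs, name, default=None):
    return parse_number(defs[name]) if name in defs else default


def typed_view(text):
    """Every parameter in the file with its value coerced to the page's types."""
    defs = parse_login_defs(text)
    view = {}
    for name, value in defs.items():
        if name in BOOLEANS:
            view[name] = get_bool(defs, name)
        elif name in NUMBERS:
            view[name] = get_num(defs, name)
        else:
            view[name] = value            # strings are kept as written
    return view


# Constructed sample; not copied from any real system.
SAMPLE = """\
# Comment lines and blank lines are ignored.
   # So are comments indented with whitespace.
UMASK            077
ENCRYPT_METHOD   SHA512
SHA_CRYPT_MIN_ROUNDS 0x10000
ERASECHAR        0177
PASS_MAX_DAYS    -1
CREATE_HOME      yes
USERGROUPS_ENAB  maybe
ENV_PATH         PATH=/bin:/usr/bin   # not a comment: part of the value
"""

if __name__ == "__main__":
    for name, value in typed_view(SAMPLE).items():
        print(f"{name:22} {value!r}")
```

The last sample line is the caveat worth remembering: a trailing "# ..."
on an ENV_PATH line becomes part of the PATH that login exports.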

Please note that the parameters in this configuration file control the
behavior of the tools from the shadow-utils component. None of these
tools uses the PAM mechanism, and the utilities that use PAM (such as
the passwd command) should be configured elsewhere. The only values
that affect PAM modules are FAIL_DELAY for the pam_faildelay module, and
UMASK for the pam_umask module. Refer to pam(8) for more information.

The following configuration items are provided:

CHFN_AUTH (boolean)
If yes, the chfn program will require authentication before making
any changes, unless run by the superuser.

CHFN_RESTRICT (string)
This parameter specifies which values in the gecos field of the
/etc/passwd file may be changed by regular users using the chfn
program. It can be any combination of the letters f, r, w, h, for Full
name, Room number, Work phone, and Home phone, respectively. For
backward compatibility, yes is equivalent to rwh and no is
equivalent to frwh. If not specified, only the superuser can make
any changes. The most restrictive setting is better achieved by not
installing chfn SUID.

CHSH_AUTH (boolean)
If yes, the chsh program will require authentication before making
any changes, unless run by the superuser.

CONSOLE (string)
If defined, either the full pathname of a file containing device names
(one per line) or a ":" delimited list of device names. Root logins
will be allowed only upon these devices.

If not defined, root will be allowed on any device.

The device should be specified without the /dev/ prefix.

CONSOLE_GROUPS (string)
List of groups to add to the user's supplementary groups set when
logging in on the console (as determined by the CONSOLE setting).
Default is none.

Use with caution - it is possible for users to gain permanent
access to these groups, even when not logged in on the console.

CREATE_HOME (boolean)
Indicate if a home directory should be created by default for new
users.

This setting does not apply to system users, and can be overridden
on the command line.

DEFAULT_HOME (boolean)
Indicate if login is allowed if we can't cd to the home directory.
Default is no.

If set to yes, the user will log in with the root (/) directory as
the working directory if it is not possible to cd to her home directory.

ENCRYPT_METHOD (string)
This defines the system default encryption algorithm for encrypting
passwords (if no algorithm is specified on the command line).

It can take one of these values: DES (default), MD5, SHA256,
SHA512.

Note: this parameter overrides the MD5_CRYPT_ENAB variable.

ENV_HZ (string)
If set, it will be used to define the HZ environment variable when
a user logs in. The value must be preceded by HZ=. A common value on
Linux is HZ=100.

ENV_PATH (string)
If set, it will be used to define the PATH environment variable
when a regular user logs in. The value is a colon separated list of
paths (for example /bin:/usr/bin) and can be preceded by PATH=. The
default value is PATH=/bin:/usr/bin.

ENV_SUPATH (string)
If set, it will be used to define the PATH environment variable
when the superuser logs in. The value is a colon separated list of
paths (for example /sbin:/bin:/usr/sbin:/usr/bin) and can be
preceded by PATH=. The default value is
PATH=/sbin:/bin:/usr/sbin:/usr/bin.

ENV_TZ (string)
If set, it will be used to define the TZ environment variable when
a user logs in. The value can be the name of a timezone preceded by
TZ= (for example TZ=CST6CDT), or the full path to the file
containing the timezone specification (for example /etc/tzname).

If a full path is specified but the file does not exist or cannot
be read, the default is to use TZ=CST6CDT.

ENVIRON_FILE (string)
If this file exists and is readable, the login environment will be read
from it. Every line should be in the form name=value.

Lines starting with a # are treated as comment lines and ignored.

ERASECHAR (number)
Terminal ERASE character (010 = backspace, 0177 = DEL).

The value can be prefixed "0" for an octal value, or "0x" for a
hexadecimal value.

FAIL_DELAY (number)
Delay in seconds before being allowed another attempt after a login
failure.

FAILLOG_ENAB (boolean)
Enable logging and display of /var/log/faillog login failure info.

FAKE_SHELL (string)
If set, login will execute this shell instead of the user's shell
specified in /etc/passwd.

FTMP_FILE (string)
If defined, login failures will be logged in this file in a utmp
format.

GID_MAX (number), GID_MIN (number)
Range of group IDs used for the creation of regular groups by
useradd, groupadd, or newusers.

The default value for GID_MIN (resp. GID_MAX) is 500 (resp.
60000).

HUSHLOGIN_FILE (string)
If defined, this file can inhibit all the usual chatter during the
login sequence. If a full pathname is specified, then hushed mode
will be enabled if the user's name or shell are found in the file.
If not a full pathname, then hushed mode will be enabled if the
file exists in the user's home directory.

ISSUE_FILE (string)
If defined, this file will be displayed before each login prompt.

KILLCHAR (number)
Terminal KILL character (025 = CTRL/U).

The value can be prefixed "0" for an octal value, or "0x" for a
hexadecimal value.

LASTLOG_ENAB (boolean)
Enable logging and display of /var/log/lastlog login time info.

LOG_OK_LOGINS (boolean)
Enable logging of successful logins.

LOG_UNKFAIL_ENAB (boolean)
Enable display of unknown usernames when login failures are
recorded.

Note: logging unknown usernames may be a security issue if a user
enters her password instead of her login name.

LOGIN_RETRIES (number)
Maximum number of login retries in case of bad password.

LOGIN_STRING (string)
The string used for prompting a password. The default is to use
"Password: ", or a translation of that string. If you set this
variable, the prompt will not be translated.

If the string contains %s, this will be replaced by the user's
name.

LOGIN_TIMEOUT (number)
Max time in seconds for login.

MAIL_CHECK_ENAB (boolean)
Enable checking and display of mailbox status upon login.

You should disable it if the shell startup files already check for
mail ("mailx -e" or equivalent).

MAIL_DIR (string)
The mail spool directory. This is needed to manipulate the mailbox
when its corresponding user account is modified or deleted. If not
specified, a compile-time default is used.

MAIL_FILE (string)
Defines the location of the users' mail spool files relative to
their home directory.

The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and
userdel to create, move, or delete the user's mail spool.

If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL
environment variable.

MAX_MEMBERS_PER_GROUP (number)
Maximum members per group entry. When the maximum is reached, a new
group entry (line) is started in /etc/group (with the same name,
same password, and same GID).

The default value is 0, meaning that there is no limit on the
number of members in a group.

This feature (split group) makes it possible to limit the length of
lines in the group file. This is useful to make sure that lines for NIS
groups are not larger than 1024 characters.

If you need to enforce such a limit, you can use 25.

Note: split groups may not be supported by all tools (even in the
Shadow toolsuite). You should not use this variable unless you
really need it.
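
The split-group mechanism above, as an added Python example that is not
shadow-utils code: it renders /etc/group lines under a
MAX_MEMBERS_PER_GROUP limit and, more usefully for account reviews, merges
split entries back together, because a reader that keeps one line per
group name silently loses the members on the other lines (the "not
supported by all tools" warning in practice). The group data is
constructed; the 1024-character figure is the NIS limit the page mentions;
rejecting lines of one group that disagree on password or GID is this
example's choice.

```python
"""Split group entries under MAX_MEMBERS_PER_GROUP, login.defs(5).

Added example, not shadow-utils code. The group data is constructed.
"""
NIS_LINE_LIMIT = 1024   # the NIS line limit the man page mentions


def split_group_lines(name, passwd, gid, members, max_members=0):
    """Render /etc/group lines for one group.

    max_members 0 (the page's default) gives one line with everyone on it.
    Otherwise a new line with the same name, password field and GID is
    started every max_members members, as the page describes.
    """
    if max_members <= 0 or not members:
        chunks = [members]
    else:
        chunks = [members[i:i + max_members]
                  for i in range(0, len(members), max_members)]
    return [f"{name}:{passwd}:{gid}:{','.join(chunk)}" for chunk in chunks]


def merge_group_lines(lines):
    """Reassemble split entries: name -> {passwd, gid, members}.

    Tooling that reviews group membership has to merge like this; a dict
    keyed on the group name that is overwritten per line keeps only the
    last chunk. Lines of one group that disagree on password or GID are
    rejected (this example's choice; the page does not say what tools do).
    """
    groups = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        name, passwd, gid, members = line.split(":", 3)
        entry = groups.setdefault(
            name, {"passwd": passwd, "gid": int(gid), "members": []})
        if entry["passwd"] != passwd or entry["gid"] != int(gid):
            raise ValueError(f"split entries for {name} disagree on password or GID")
        entry["members"].extend(m for m in members.split(",") if m)
    return groups


def longest_line(lines):
    return max((len(line) for line in lines), default=0)


if __name__ == "__main__":
    # Constructed: a large NIS-style group with 300 members.
    members = [f"user{i:03d}" for i in range(300)]
    one_line = split_group_lines("developers", "x", 1500, members)
    split = split_group_lines("developers", "x", 1500, members, max_members=25)
    print("unsplit longest line:", longest_line(one_line), "(over the NIS limit)")
    print("split into", len(split), "lines; longest:", longest_line(split))
    print("members recovered:",
          merge_group_lines(split)["developers"]["members"] == members)
```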

MD5_CRYPT_ENAB (boolean)
Indicate if passwords must be encrypted using the MD5-based
algorithm. If set to yes, new passwords will be encrypted using the
MD5-based algorithm compatible with the one used by recent releases
of FreeBSD. It supports passwords of unlimited length and longer
salt strings. Set to no if you need to copy encrypted passwords to
other systems which don't understand the new algorithm. Default is
no.

This variable is superseded by the ENCRYPT_METHOD variable or by
any command line option used to configure the encryption algorithm.

This variable is deprecated. You should use ENCRYPT_METHOD.

MOTD_FILE (string)
If defined, ":" delimited list of "message of the day" files to be
displayed upon login.

NOLOGINS_FILE (string)
If defined, name of file whose presence will inhibit non-root
logins. The contents of this file should be a message indicating
why logins are inhibited.

OBSCURE_CHECKS_ENAB (boolean)
Enable additional checks upon password changes.

PASS_ALWAYS_WARN (boolean)
Warn about weak passwords (but still allow them) if you are root.

PASS_CHANGE_TRIES (number)
Maximum number of attempts to change password if rejected (too
easy).

PASS_MAX_DAYS (number)
The maximum number of days a password may be used. If the password
is older than this, a password change will be forced. If not
specified, -1 will be assumed (which disables the restriction).

PASS_MIN_DAYS (number)
The minimum number of days allowed between password changes. Any
password changes attempted sooner than this will be rejected. If
not specified, -1 will be assumed (which disables the restriction).

PASS_WARN_AGE (number)
The number of days warning given before a password expires. A zero
means warning is given only upon the day of expiration, a negative
value means no warning is given. If not specified, no warning will
be provided.

PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
time of account creation. Any changes to these settings won't affect
existing accounts.

PASS_MAX_LEN (number), PASS_MIN_LEN (number)
Number of significant characters in the password for crypt().
PASS_MAX_LEN is 8 by default. Don't change unless your crypt() is
better. This is ignored if MD5_CRYPT_ENAB is set to yes.

PORTTIME_CHECKS_ENAB (boolean)
Enable checking of time restrictions specified in /etc/porttime.

QUOTAS_ENAB (boolean)
Enable setting of resource limits from /etc/limits and ulimit,
umask, and niceness from the user's passwd gecos field.

SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the
number of SHA rounds used by the encryption algorithm by default
(when the number of rounds is not specified on the command line).

With a lot of rounds, it is more difficult to brute-force the
password. But note also that more CPU resources will be needed to
authenticate users.

If not specified, the libc will choose the default number of rounds
(5000).

The values must be inside the 1000-999,999,999 range.

If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
values is set, then this value will be used.

If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value
will be used.
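
The ENCRYPT_METHOD, MD5_CRYPT_ENAB and SHA_CRYPT_*_ROUNDS rules above as
an added Python check, not shadow-utils code: it derives the effective
hashing method and the lowest rounds count a new hash can get under the
page's rules, then flags configurations that leave the page's weak
defaults in place (DES, or SHA with the 5000-round libc default).
POLICY_MIN_ROUNDS and the wording of the findings are this example's own
choices; the inputs are typed values as a parser would produce.

```python
"""SHA crypt rounds and ENCRYPT_METHOD as a hardening check, login.defs(5).

Added example, not shadow-utils code. POLICY_MIN_ROUNDS and the finding
texts are this example's choices; the rules in sha_rounds_floor() and
effective_method() are the ones the man page states.
"""
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999   # permitted range per the page
LIBC_DEFAULT_ROUNDS = 5000                    # libc default when neither is set
POLICY_MIN_ROUNDS = 65536                     # this example's floor, not the page's


def sha_rounds_floor(min_rounds=None, max_rounds=None):
    """Fewest rounds a new SHA256/SHA512 hash can be created with.

    Page rules: neither set -> libc default; only one set -> that value;
    MIN > MAX -> the higher value (which is MIN). So MIN, when present, is
    the floor, and MAX only matters when MIN is absent. A value outside the
    permitted range is an error rather than something to silently accept.
    """
    if min_rounds is None and max_rounds is None:
        return LIBC_DEFAULT_ROUNDS
    floor = min_rounds if min_rounds is not None else max_rounds
    if not ROUNDS_MIN <= floor <= ROUNDS_MAX:
        raise ValueError(f"SHA_CRYPT_*_ROUNDS={floor} outside {ROUNDS_MIN}-{ROUNDS_MAX}")
    return floor


def effective_method(encrypt_method=None, md5_crypt_enab=False):
    """ENCRYPT_METHOD wins; otherwise the deprecated MD5_CRYPT_ENAB=yes
    selects MD5; otherwise the page's default, DES."""
    if encrypt_method:
        return encrypt_method.upper()
    return "MD5" if md5_crypt_enab else "DES"


def audit_hashing(encrypt_method=None, md5_crypt_enab=False,
                  min_rounds=None, max_rounds=None):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    method = effective_method(encrypt_method, md5_crypt_enab)
    if method == "DES":
        findings.append("ENCRYPT_METHOD left at the DES default: only 8 password "
                        "characters are significant and the hash is cheap to "
                        "brute-force; set ENCRYPT_METHOD SHA512")
    elif method == "MD5":
        findings.append("md5crypt has a small fixed work factor and is cheap to "
                        "brute-force; set ENCRYPT_METHOD SHA512")
    if md5_crypt_enab and not encrypt_method:
        findings.append("MD5_CRYPT_ENAB is deprecated; use ENCRYPT_METHOD")
    if method in ("SHA256", "SHA512"):
        floor = sha_rounds_floor(min_rounds, max_rounds)
        if floor < POLICY_MIN_ROUNDS:
            findings.append(f"SHA rounds floor is {floor}; set SHA_CRYPT_MIN_ROUNDS "
                            f"to at least {POLICY_MIN_ROUNDS}")
    if min_rounds is not None and max_rounds is not None and min_rounds > max_rounds:
        findings.append("SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS: the higher "
                        "value is used, but the pair is probably a typo")
    return findings


if __name__ == "__main__":
    # Constructed configurations: untouched defaults, a legacy MD5 setup,
    # SHA512 without rounds, and a hardened one.
    cases = [("defaults", {}),
             ("legacy", {"md5_crypt_enab": True}),
             ("sha512-noround", {"encrypt_method": "SHA512"}),
             ("hardened", {"encrypt_method": "SHA512",
                           "min_rounds": 65536, "max_rounds": 131072})]
    for label, kw in cases:
        print(label, audit_hashing(**kw) or ["ok"])
```

Because MIN is the floor whenever it is set, an audit only needs
SHA_CRYPT_MIN_ROUNDS to reason about the weakest hash the system will
produce; MAX bounds the cost of authentication, not the strength.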

SULOG_FILE (string)
If defined, all su activity is logged to this file.

SU_NAME (string)
If defined, the command name to display when running "su -". For
example, if this is defined as "su" then a "ps" will display the
command as "-su". If not defined, then "ps" would display the name
of the shell actually being run, e.g. something like "-sh".

SU_WHEEL_ONLY (boolean)
If yes, the user must be listed as a member of the first gid 0
group in /etc/group (called root on most Linux systems) to be able
to su to uid 0 accounts. If the group doesn't exist or is empty, no
one will be able to su to uid 0.

SYS_GID_MAX (number), SYS_GID_MIN (number)
Range of group IDs used for the creation of system groups by
useradd, groupadd, or newusers.

The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 201
(resp. GID_MIN-1).

SYS_UID_MAX (number), SYS_UID_MIN (number)
Range of user IDs used for the creation of system users by useradd
or newusers.

The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 201
(resp. UID_MIN-1).

SYSLOG_SG_ENAB (boolean)
Enable "syslog" logging of sg activity.

SYSLOG_SU_ENAB (boolean)
Enable "syslog" logging of su activity - in addition to sulog file
logging.

TTYGROUP (string), TTYPERM (string)
The terminal permissions: the login tty will be owned by the
TTYGROUP group, and the permissions will be set to TTYPERM.

By default, the ownership of the terminal is set to the user's
primary group and the permissions are set to 0600.

TTYGROUP can be either the name of a group or a numeric group
identifier.

If you have a write program which is "setgid" to a special group
which owns the terminals, define TTYGROUP to the group number and
TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
TTYPERM to either 622 or 600.

TTYTYPE_FILE (string)
If defined, file which maps tty line to TERM environment parameter.
Each line of the file is in a format something like "vt100 tty01".

UID_MAX (number), UID_MIN (number)
Range of user IDs used for the creation of regular users by useradd
or newusers.

The default value for UID_MIN (resp. UID_MAX) is 500 (resp.
60000).

ULIMIT (number)
Default ulimit value.

UMASK (number)
The file mode creation mask is initialized to this value. If not
specified, the mask will be initialized to 022.

useradd and newusers use this mask to set the mode of the home
directory they create.

It is also used by login to define users' initial umask. Note that
this mask can be overridden by the user's GECOS line (if
QUOTAS_ENAB is set) or by the specification of a limit with the K
identifier in limits(5).

USERDEL_CMD (string)
If defined, this command is run when removing a user. It should
remove any at/cron/print jobs etc. owned by the user to be removed
(passed as the first argument).

The return code of the script is not taken into account.

Here is an example script, which removes the user's cron, at and
print jobs:

    #! /bin/sh

    # Check for the required argument.
    if [ $# != 1 ]; then
        echo "Usage: $0 username"
        exit 1
    fi

    # Remove cron jobs.
    crontab -r -u "$1"

    # Remove at jobs.
    # Note that it will remove any jobs owned by the same UID,
    # even if it was shared by a different username.
    AT_SPOOL_DIR=/var/spool/cron/atjobs
    find "$AT_SPOOL_DIR" -name "[^.]*" -type f -user "$1" -delete

    # Remove print jobs.
    lprm "$1"

    # All done.
    exit 0

USERGROUPS_ENAB (boolean)
Enable setting of the umask group bits to be the same as owner bits
(examples: 022 -> 002, 077 -> 007) for non-root users, if the uid
is the same as gid, and username is the same as the primary group
name.

If set to yes, userdel will remove the user's group if it contains
no more members, and useradd will create by default a group with
the name of the user.

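The UMASK and USERGROUPS_ENAB behaviour above (the 022 -> 002 rewrite of
the group bits under the user-private-group conditions, and UMASK's effect
on the mode of a new home directory) as an added Python example; this is
not shadow-utils code and the accounts are constructed. Taking 0777 as the
base from which the mask is removed is the natural reading of the page's
home-directory sentence, not something the page spells out.

```python
"""Initial umask and home-directory mode from UMASK and USERGROUPS_ENAB,
as described in login.defs(5).

Added example, not shadow-utils code. The accounts are constructed.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid")
GroupEntry = namedtuple("GroupEntry", "name gid")

DEFAULT_UMASK = 0o022       # page: the mask used when UMASK is not specified


def login_umask(pw, primary_group, umask=DEFAULT_UMASK, usergroups_enab=False):
    """Umask a login shell starts with, before GECOS or limits(5) overrides.

    With USERGROUPS_ENAB=yes the group bits are set equal to the owner bits
    (022 -> 002, 077 -> 007) when the user is not root, uid == gid, and the
    user name equals the primary group name: the user-private-group case,
    where "group" means only this user. Otherwise UMASK applies unchanged.
    """
    private_group = (pw.uid != 0 and pw.uid == pw.gid
                     and primary_group is not None
                     and primary_group.gid == pw.gid
                     and primary_group.name == pw.name)
    if usergroups_enab and private_group:
        owner_bits = umask & 0o700
        return (umask & 0o707) | (owner_bits >> 3)
    return umask


def home_dir_mode(umask=DEFAULT_UMASK):
    """Mode a new home directory gets: 0777 with UMASK's bits removed
    (0777 as the base is this example's reading of the page). With the
    default 022 that is 0755, a world-readable home, which is why
    hardening baselines set UMASK 077 (giving 0700)."""
    return 0o777 & ~umask


if __name__ == "__main__":
    alice, alice_grp = PasswdEntry("alice", 1000, 1000), GroupEntry("alice", 1000)
    bob, users = PasswdEntry("bob", 1001, 100), GroupEntry("users", 100)
    root, root_grp = PasswdEntry("root", 0, 0), GroupEntry("root", 0)
    for pw, grp in ((alice, alice_grp), (bob, users), (root, root_grp)):
        print(f"{pw.name:6} login umask {login_umask(pw, grp, 0o022, True):04o}  "
              f"home mode {home_dir_mode(0o022):04o}")
```

The rewrite only fires for a user whose private group is nobody else's;
bob, whose primary group "users" is shared, keeps 022 so that group
members cannot write his files.
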
CROSS REFERENCES
The following cross references show which programs in the shadow
password suite use which parameters.

chpasswd
ENCRYPT_METHOD MD5_CRYPT_ENAB SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS

gpasswd
ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS

groupadd
GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN

groupdel
MAX_MEMBERS_PER_GROUP

groupmems
MAX_MEMBERS_PER_GROUP

groupmod
MAX_MEMBERS_PER_GROUP

grpck
MAX_MEMBERS_PER_GROUP

grpconv
MAX_MEMBERS_PER_GROUP

grpunconv
MAX_MEMBERS_PER_GROUP

newgrp / sg
SYSLOG_SG_ENAB

newusers
ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX
SYS_UID_MIN UID_MAX UID_MIN UMASK

pwck
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

pwconv
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

useradd
CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN
SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK

userdel
MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD
USERGROUPS_ENAB

usermod
MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP

SEE ALSO
login(1), passwd(1), su(1), passwd(5), shadow(5), pam(8).

shadow-utils 4.1.5.1 05/10/2016 LOGIN.DEFS(5)