1LOGIN.DEFS(5) File Formats and Conversions LOGIN.DEFS(5)
2
6 login.defs - shadow password suite configuration
7
9 The /etc/login.defs file defines the site-specific configuration for
10 the shadow password suite. This file is required. Absence of this file
11 will not prevent system operation, but will probably result in
12 undesirable operation.
13 This file is a readable text file, each line of the file describing one
15 configuration parameter. The lines consist of a configuration name and
16 value, separated by whitespace. Blank lines and comment lines are
17 ignored. Comments are introduced with a "#" pound sign and the pound
18 sign must be the first non-white character of the line.
19 Parameter values may be of four types: strings, booleans, numbers, and
21 long numbers. A string is comprised of any printable characters. A
22 boolean should be either the value yes or no. An undefined boolean
23 parameter or one with a value other than these will be given a no
24 value. Numbers (both regular and long) may be either decimal values,
25 octal values (precede the value with 0) or hexadecimal values (precede
26 the value with 0x). The maximum value of the regular and long numeric
27 parameters is machine-dependent.
28 The following configuration items are provided:
30 CHFN_AUTH (boolean)
32 If yes, the chfn program will require authentication before making
33 any changes, unless run by the superuser.
34 CHFN_RESTRICT (string)
36 This parameter specifies which values in the gecos field of the
37 /etc/passwd file may be changed by regular users using the chfn
38 program. It can be any combination of letters f, r, w, h, for Full
39 name, Room number, Work phone, and Home phone, respectively. For
40 backward compatibility, yes is equivalent to rwh and no is
41 equivalent to frwh. If not specified, only the superuser can make
42 any changes. The most restrictive setting is better achieved by not
43 installing chfn SUID.
44 CHSH_AUTH (boolean)
46 If yes, the chsh program will require authentication before making
47 any changes, unless run by the superuser.
48 CONSOLE (string)
50 If defined, either full pathname of a file containing device names
51 (one per line) or a ":" delimited list of device names. Root logins
52 will be allowed only upon these devices.
53 If not defined, root will be allowed on any device.
55 The device should be specified without the /dev/ prefix.
57 CONSOLE_GROUPS (string)
59 List of groups to add to the user´s supplementary groups set when
60 logging in on the console (as determined by the CONSOLE setting).
61 Default is none.
62 Use with caution - it is possible for users to gain permanent
64 access to these groups, even when not logged in on the console.
65 CREATE_HOME (boolean)
67 Indicate if a home directory should be created by default for new
68 users.
69 This setting does not apply to system users, and can be overriden
71 on the command line.
72 DEFAULT_HOME (boolean)
74 Indicate if login is allowed if we can´t cd to the home directory.
75 Default in no.
76 If set to yes, the user will login in the root (/) directory if it
78 is not possible to cd to her home directory.
79 ENCRYPT_METHOD (string)
81 This defines the system default encryption algorithm for encrypting
82 passwords (if no algorithm are specified on the command line).
83 It can take one of these values:
85 · DES (default)
87 · MD5
89 · SHA256
91 · SHA512
93 Note: this parameter overrides the MD5_CRYPT_ENAB variable.
95 ENV_HZ (string)
97 If set, it will be used to define the HZ environment variable
98 when a user login. The value must be preceded by HZ=. A common
99 value on Linux is HZ=100.
100 ENV_PATH (string)
102 If set, it will be used to define the PATH environment variable
103 when a regular user login. The value can be preceded by PATH=,
104 or a colon separated list of paths (for example /bin:/usr/bin).
105 The default value is PATH=/bin:/usr/bin.
106 ENV_SUPATH (string)
108 If set, it will be used to define the PATH environment variable
109 when the superuser login. The value can be preceded by PATH=,
110 or a colon separated list of paths (for example
111 /sbin:/bin:/usr/sbin:/usr/bin). The default value is
112 PATH=/bin:/usr/bin.
113 ENV_TZ (string)
115 If set, it will be used to define the TZ environment variable
116 when a user login. The value can be the name of a timezone
117 preceded by TZ= (for example TZ=CST6CDT), or the full path to
118 the file containing the timezone specification (for example
119 /etc/tzname).
120 If a full path is specified but the file does not exist or
122 cannot be read, the default is to use TZ=CST6CDT.
123 ENVIRON_FILE (string)
125 If this file exists and is readable, login environment will be
126 read from it. Every line should be in the form name=value.
127 Lines starting with a # are treated as comment lines and
129 ignored.
130 ERASECHAR (number)
132 Terminal ERASE character (010 = backspace, 0177 = DEL).
133 The value can be prefixed "0" for an octal value, or "0x" for
135 an hexadecimal value.
136 FAIL_DELAY (number)
138 Delay in seconds before being allowed another attempt after a
139 login failure.
140 FAILLOG_ENAB (boolean)
142 Enable logging and display of /var/log/faillog login failure
143 info.
144 FAKE_SHELL (string)
146 If set, login will execute this shell instead of the users´
147 shell specified in /etc/passwd.
148 FTMP_FILE (string)
150 If defined, login failures will be logged in this file in a
151 utmp format.
152 GID_MAX (number), GID_MIN (number)
154 Range of group IDs used for the creation of regular groups by
155 useradd, groupadd, or newusers.
156 HUSHLOGIN_FILE (string)
158 If defined, this file can inhibit all the usual chatter during
159 the login sequence. If a full pathname is specified, then
160 hushed mode will be enabled if the user´s name or shell are
161 found in the file. If not a full pathname, then hushed mode
162 will be enabled if the file exists in the user´s home
163 directory.
164 ISSUE_FILE (string)
166 If defined, this file will be displayed before each login
167 prompt.
168 KILLCHAR (number)
170 Terminal KILL character (025 = CTRL/U).
171 The value can be prefixed "0" for an octal value, or "0x" for
173 an hexadecimal value.
174 LASTLOG_ENAB (boolean)
176 Enable logging and display of /var/log/lastlog login time info.
177 LOG_OK_LOGINS (boolean)
179 Enable logging of successful logins.
180 LOG_UNKFAIL_ENAB (boolean)
182 Enable display of unknown usernames when login failures are
183 recorded.
184 Note: logging unknown usernames may be a security issue if an
186 user enter her password instead of her login name.
187 LOGIN_RETRIES (number)
189 Maximum number of login retries in case of bad password.
190 LOGIN_STRING (string)
192 The string used for prompting a password. The default is to use
193 "Password: ", or a translation of that string. If you set this
194 variable, the prompt will no be translated.
195 If the string contains %s, this will be replaced by the user´s
197 name.
198 LOGIN_TIMEOUT (number)
200 Max time in seconds for login.
201 MAIL_CHECK_ENAB (boolean)
203 Enable checking and display of mailbox status upon login.
204 You should disable it if the shell startup files already check
206 for mail ("mailx -e" or equivalent).
207 MAIL_DIR (string)
209 The mail spool directory. This is needed to manipulate the
210 mailbox when its corresponding user account is modified or
211 deleted. If not specified, a compile-time default is used.
212 MAIL_FILE (string)
214 Defines the location of the users mail spool files relatively
215 to their home directory.
216 The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod,
218 and userdel to create, move, or delete the user´s mail spool.
219 If MAIL_CHECK_ENAB is set to yes, they are also used to define the
221 MAIL environment variable.
222 MAX_MEMBERS_PER_GROUP (number)
224 Maximum members per group entry. When the maximum is reached, a
225 new group entry (line) is started in /etc/group (with the same
226 name, same password, and same GID).
227 The default value is 0, meaning that there are no limits in the
229 number of members in a group.
230 This feature (split group) permits to limit the length of lines
232 in the group file. This is useful to make sure that lines for
233 NIS groups are not larger than 1024 characters.
234 If you need to enforce such limit, you can use 25.
236 Note: split groups may not be supported by all tools (even in
238 the Shadow toolsuite). You should not use this variable unless
239 you really need it.
240 MD5_CRYPT_ENAB (boolean)
242 Indicate if passwords must be encrypted using the MD5-based
243 algorithm. If set to yes, new passwords will be encrypted using
244 the MD5-based algorithm compatible with the one used by recent
245 releases of FreeBSD. It supports passwords of unlimited length
246 and longer salt strings. Set to no if you need to copy
247 encrypted passwords to other systems which don´t understand the
248 new algorithm. Default is no.
249 This variable is superceded by the ENCRYPT_METHOD variable or
251 by any command line option used to configure the encryption
252 algorithm.
253 This variable is deprecated. You should use ENCRYPT_METHOD.
255 MOTD_FILE (string)
257 If defined, ":" delimited list of "message of the day" files to
258 be displayed upon login.
259 NOLOGINS_FILE (string)
261 If defined, name of file whose presence will inhibit non-root
262 logins. The contents of this file should be a message
263 indicating why logins are inhibited.
264 OBSCURE_CHECKS_ENAB (boolean)
266 Enable additional checks upon password changes.
267 PASS_ALWAYS_WARN (boolean)
269 Warn about weak passwords (but still allow them) if you are
270 root.
271 PASS_CHANGE_TRIES (number)
273 Maximum number of attempts to change password if rejected (too
274 easy).
275 PASS_MAX_DAYS (number)
277 The maximum number of days a password may be used. If the
278 password is older than this, a password change will be forced.
279 If not specified, -1 will be assumed (which disables the
280 restriction).
281 PASS_MIN_DAYS (number)
283 The minimum number of days allowed between password changes.
284 Any password changes attempted sooner than this will be
285 rejected. If not specified, -1 will be assumed (which disables
286 the restriction).
287 PASS_WARN_AGE (number)
289 The number of days warning given before a password expires. A
290 zero means warning is given only upon the day of expiration, a
291 negative value means no warning is given. If not specified, no
292 warning will be provided.
293 PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
295 time of account creation. Any changes to these settings won´t
296 affect existing accounts.
297 PASS_MAX_LEN (number), PASS_MIN_LEN (number)
299 Number of significant characters in the password for crypt().
300 PASS_MAX_LEN is 8 by default. Don´t change unless your crypt()
301 is better. This is ignored if MD5_CRYPT_ENAB set to yes.
302 PORTTIME_CHECKS_ENAB (boolean)
304 Enable checking of time restrictions specified in
305 /etc/porttime.
306 QUOTAS_ENAB (boolean)
308 Enable setting of ulimit, umask, and niceness from passwd gecos
309 field.
310 SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
312 When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
313 the number of SHA rounds used by the encryption algorithm by
314 default (when the number of rounds is not specified on the
315 command line).
316 With a lot of rounds, it is more difficult to brute forcing the
318 password. But note also that more CPU resources will be needed
319 to authenticate users.
320 If not specified, the libc will choose the default number of
322 rounds (5000).
323 The values must be inside the 1000-999999999 range.
325 If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
327 values is set, then this value will be used.
328 If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest
330 value will be used.
331 SULOG_FILE (string)
333 If defined, all su activity is logged to this file.
334 SU_NAME (string)
336 If defined, the command name to display when running "su -".
337 For example, if this is defined as "su" then a "ps" will
338 display the command is "-su". If not defined, then "ps" would
339 display the name of the shell actually being run, e.g.
340 something like "-sh".
341 SU_WHEEL_ONLY (boolean)
343 If yes, the user must be listed as a member of the first gid 0
344 group in /etc/group (called root on most Linux systems) to be
345 able to su to uid 0 accounts. If the group doesn´t exist or is
346 empty, no one will be able to su to uid 0.
347 SYS_GID_MAX (number), SYS_GID_MIN (number)
349 Range of group IDs used for the creation of system groups by
350 useradd, groupadd, or newusers.
351 SYS_UID_MAX (number), SYS_UID_MIN (number)
353 Range of user IDs used for the creation of system users by
354 useradd or newusers.
355 SYSLOG_SG_ENAB (boolean)
357 Enable "syslog" logging of sg activity.
358 SYSLOG_SU_ENAB (boolean)
360 Enable "syslog" logging of su activity - in addition to sulog
361 file logging.
362 TTYGROUP (string), TTYPERM (string)
364 The terminal permissions: the login tty will be owned by the
365 TTYGROUP group, and the permissions will be set to TTYPERM.
366 By default, the ownership of the terminal is set to the user´s
368 primary group and the permissions are set to 0600.
369 TTYGROUP can be either the name of a group or a numeric group
372 identifier.
373 If you have a write program which is "setgid" to a special
375 group which owns the terminals, define TTYGROUP to the group
376 number and TTYPERM to 0620. Otherwise leave TTYGROUP commented
377 out and assign TTYPERM to either 622 or 600.
378 TTYTYPE_FILE (string)
380 If defined, file which maps tty line to TERM environment
381 parameter. Each line of the file is in a format something like
382 "vt100 tty01".
383 UID_MAX (number), UID_MIN (number)
385 Range of user IDs used for the creation of regular users by
386 useradd or newusers.
387 ULIMIT (number)
389 Default ulimit value.
390 UMASK (number)
392 The file mode creation mask is initialized to this value. If
393 not specified, the mask will be initialized to 022.
394 useradd and newusers use this mask to set the mode of the home
397 directory they create
398 It is also used by login to define users´ initial umask. Note
400 that this mask can be overriden by the user´s GECOS line (if
401 QUOTAS_ENAB is set) or by the specification of a limit with the
402 K identifier in limits(5).
403 USERDEL_CMD (string)
405 If defined, this command is run when removing a user. It should
406 remove any at/cron/print jobs etc. owned by the user to be
407 removed (passed as the first argument).
408 The return code of the script is not taken into account.
410 Here is an example script, which removes the user´s cron, at
412 and print jobs:
413 #! /bin/sh
415 # Check for the required argument.
417 if [ $# != 1 ]; then
418 echo "Usage: $0 username"
419 exit 1
420 fi
421 # Remove cron jobs.
423 crontab -r -u $1
424 # Remove at jobs.
426 # Note that it will remove any jobs owned by the same UID,
427 # even if it was shared by a different username.
428 AT_SPOOL_DIR=/var/spool/cron/atjobs
429 find $AT_SPOOL_DIR -name "[^.]*" -type f -user $1 -delete \;
430 # Remove print jobs.
432 lprm $1
433 # All done.
435 exit 0
436 USERGROUPS_ENAB (boolean)
440 Enable setting of the umask group bits to be the same as owner
441 bits (examples: 022 -> 002, 077 -> 007) for non-root users, if
442 the uid is the same as gid, and username is the same as the
443 primary group name.
444 If set to yes, userdel will remove the user´s group if it
446 contains no more members, and useradd will create by default a
447 group with the name of the user.
448
450 The following cross references show which programs in the shadow
451 password suite use which parameters.
452 chfn
454 CHFN_AUTH CHFN_RESTRICT LOGIN_STRING
456 chgpasswd
458 ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
459 SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
460 chpasswd
462 ENCRYPT_METHOD MD5_CRYPT_ENAB SHA_CRYPT_MAX_ROUNDS
463 SHA_CRYPT_MIN_ROUNDS
464 chsh
466 CHSH_AUTH LOGIN_STRING
467 gpasswd
469 ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
470 SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
471 groupadd
473 GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN
474 groupdel
476 MAX_MEMBERS_PER_GROUP
477 groupmems
479 MAX_MEMBERS_PER_GROUP
480 groupmod
482 MAX_MEMBERS_PER_GROUP
483 grpck
485 MAX_MEMBERS_PER_GROUP
486 grpconv
488 MAX_MEMBERS_PER_GROUP
489 grpunconv
491 MAX_MEMBERS_PER_GROUP
492 login
494 CONSOLE CONSOLE_GROUPS DEFAULT_HOME ENV_HZ ENV_PATH ENV_SUPATH
496 ENV_TZ ENVIRON_FILE ERASECHAR FAIL_DELAY FAILLOG_ENAB FAKE_SHELL
497 FTMP_FILE HUSHLOGIN_FILE ISSUE_FILE KILLCHAR LASTLOG_ENAB
498 LOGIN_RETRIES LOGIN_STRING LOGIN_TIMEOUT LOG_OK_LOGINS
499 LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE
500 NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB TTYGROUP TTYPERM
501 TTYTYPE_FILE ULIMIT UMASK USERGROUPS_ENAB
502 newgrp / sg
504 SYSLOG_SG_ENAB
505 newusers
507 ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
508 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SHA_CRYPT_MAX_ROUNDS
509 SHA_CRYPT_MIN_ROUNDS SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX
510 SYS_UID_MIN UID_MAX UID_MIN UMASK
511 passwd
513 ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN
514 PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN SHA_CRYPT_MAX_ROUNDS
515 SHA_CRYPT_MIN_ROUNDS
516 pwck
518 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
519 pwconv
521 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
522 su
524 CONSOLE CONSOLE_GROUPS DEFAULT_HOME ENV_HZ ENVIRON_FILE ENV_PATH
526 ENV_SUPATH ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
527 QUOTAS_ENAB SULOG_FILE SU_NAME SU_WHEEL_ONLY SYSLOG_SU_ENAB
528 USERGROUPS_ENAB
529 sulogin
531 ENV_HZ ENV_TZ
532 useradd
534 CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP
535 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN
536 SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
537 userdel
539 MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD
540 USERGROUPS_ENAB
541 usermod
543 MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
544
546 login(1), passwd(1), su(1), passwd(5), shadow(5), pam(8).
547File Formats and Conversions 07/24/2009 LOGIN.DEFS(5)