1LOGIN.DEFS(5)           File Formats and Configuration           LOGIN.DEFS(5)
2
3
4

NAME

6       login.defs - shadow password suite configuration
7

DESCRIPTION

9       The /etc/login.defs file defines the site-specific configuration for
10       the shadow password suite. This file is required. Absence of this file
11       will not prevent system operation, but will probably result in
12       undesirable operation.
13
14       This file is a readable text file, each line of the file describing one
15       configuration parameter. The lines consist of a configuration name and
16       value, separated by whitespace. Blank lines and comment lines are
17       ignored. Comments are introduced with a "#" pound sign and the pound
18       sign must be the first non-white character of the line.
19
20       Parameter values may be of four types: strings, booleans, numbers, and
21       long numbers. A string is comprised of any printable characters. A
22       boolean should be either the value yes or no. An undefined boolean
23       parameter or one with a value other than these will be given a no
24       value. Numbers (both regular and long) may be either decimal values,
25       octal values (precede the value with 0) or hexadecimal values (precede
26       the value with 0x). The maximum value of the regular and long numeric
27       parameters is machine-dependent.
28
29       Please note that the parameters in this configuration file control the
30       behavior of the tools from the shadow-utils component. None of these
31       tools uses the PAM mechanism, and the utilities that use PAM (such as
32       the passwd command) should be configured elsewhere. The only values
33       that affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS for
34       pam_unix module, FAIL_DELAY for pam_faildelay module, and UMASK for
35       pam_umask module. Refer to pam(8) for more information.
36
37       The following configuration items are provided:
38
39       CHFN_AUTH (boolean)
40           If yes, the chfn program will require authentication before making
41           any changes, unless run by the superuser.
42
43       CHFN_RESTRICT (string)
44           This parameter specifies which values in the gecos field of the
45           /etc/passwd file may be changed by regular users using the chfn
46           program. It can be any combination of letters f, r, w, h, for Full
47           name, Room number, Work phone, and Home phone, respectively. For
48           backward compatibility, yes is equivalent to rwh and no is
49           equivalent to frwh. If not specified, only the superuser can make
50           any changes. The most restrictive setting is better achieved by not
51           installing chfn SUID.
52
53       CHSH_AUTH (boolean)
54           If yes, the chsh program will require authentication before making
55           any changes, unless run by the superuser.
56
57       CONSOLE (string)
58           If defined, either full pathname of a file containing device names
59           (one per line) or a ":" delimited list of device names. Root logins
60           will be allowed only upon these devices.
61
62           If not defined, root will be allowed on any device.
63
64           The device should be specified without the /dev/ prefix.
65
66       CONSOLE_GROUPS (string)
67           List of groups to add to the user's supplementary groups set when
68           logging in on the console (as determined by the CONSOLE setting).
69           Default is none.
70
71           Use with caution - it is possible for users to gain permanent
72           access to these groups, even when not logged in on the console.
73
74       CREATE_HOME (boolean)
75           Indicate if a home directory should be created by default for new
76           users.
77
78           This setting does not apply to system users, and can be overridden
79           on the command line.
80
81       DEFAULT_HOME (boolean)
82           Indicate if login is allowed if we can't cd to the home directory.
83           Default is no.
84
85           If set to yes, the user will login in the root (/) directory if it
86           is not possible to cd to her home directory.
87
88       ENCRYPT_METHOD (string)
89           This defines the system default encryption algorithm for encrypting
90           passwords (if no algorithm are specified on the command line).
91
92           It can take one of these values: DES (default), MD5, SHA256,
93           SHA512. MD5 and DES should not be used for new hashes, see crypt(5)
94           for recommendations.
95
96           Note: this parameter overrides the MD5_CRYPT_ENAB variable.
97
98       ENV_HZ (string)
99           If set, it will be used to define the HZ environment variable when
100           a user login. The value must be preceded by HZ=. A common value on
101           Linux is HZ=100.
102
103       ENV_PATH (string)
104           If set, it will be used to define the PATH environment variable
105           when a regular user login. The value is a colon separated list of
106           paths (for example /bin:/usr/bin) and can be preceded by PATH=. The
107           default value is PATH=/bin:/usr/bin.
108
109       ENV_SUPATH (string)
110           If set, it will be used to define the PATH environment variable
111           when the superuser login. The value is a colon separated list of
112           paths (for example /sbin:/bin:/usr/sbin:/usr/bin) and can be
113           preceded by PATH=. The default value is
114           PATH=/sbin:/bin:/usr/sbin:/usr/bin.
115
116       ENV_TZ (string)
117           If set, it will be used to define the TZ environment variable when
118           a user login. The value can be the name of a timezone preceded by
119           TZ= (for example TZ=CST6CDT), or the full path to the file
120           containing the timezone specification (for example /etc/tzname).
121
122           If a full path is specified but the file does not exist or cannot
123           be read, the default is to use TZ=CST6CDT.
124
125       ENVIRON_FILE (string)
126           If this file exists and is readable, login environment will be read
127           from it. Every line should be in the form name=value.
128
129           Lines starting with a # are treated as comment lines and ignored.
130
131       ERASECHAR (number)
132           Terminal ERASE character (010 = backspace, 0177 = DEL).
133
134           The value can be prefixed "0" for an octal value, or "0x" for an
135           hexadecimal value.
136
137       FAIL_DELAY (number)
138           Delay in seconds before being allowed another attempt after a login
139           failure.
140
141       FAILLOG_ENAB (boolean)
142           Enable logging and display of /var/log/faillog login failure info.
143
144       FAKE_SHELL (string)
145           If set, login will execute this shell instead of the users' shell
146           specified in /etc/passwd.
147
148       FTMP_FILE (string)
149           If defined, login failures will be logged in this file in a utmp
150           format.
151
152       GID_MAX (number), GID_MIN (number)
153           Range of group IDs used for the creation of regular groups by
154           useradd, groupadd, or newusers.
155
156           The default value for GID_MIN (resp.  GID_MAX) is 1000 (resp.
157           60000).
158
159       HMAC_CRYPTO_ALGO (string)
160           Used to select the HMAC cryptography algorithm that the
161           pam_timestamp module is going to use to calculate the keyed-hash
162           message authentication code.
163
164           Note: Check hmac(3) to see the possible algorithms that are
165           available in your system.
166
167       HOME_MODE (number)
168           The mode for new home directories. If not specified, the UMASK is
169           used to create the mode.
170
171           useradd and newusers use this to set the mode of the home directory
172           they create.
173
174       HUSHLOGIN_FILE (string)
175           If defined, this file can inhibit all the usual chatter during the
176           login sequence. If a full pathname is specified, then hushed mode
177           will be enabled if the user's name or shell are found in the file.
178           If not a full pathname, then hushed mode will be enabled if the
179           file exists in the user's home directory.
180
181       ISSUE_FILE (string)
182           If defined, this file will be displayed before each login prompt.
183
184       KILLCHAR (number)
185           Terminal KILL character (025 = CTRL/U).
186
187           The value can be prefixed "0" for an octal value, or "0x" for an
188           hexadecimal value.
189
190       LASTLOG_ENAB (boolean)
191           Enable logging and display of /var/log/lastlog login time info.
192
193       LASTLOG_UID_MAX (number)
194           Highest user ID number for which the lastlog entries should be
195           updated. As higher user IDs are usually tracked by remote user
196           identity and authentication services there is no need to create a
197           huge sparse lastlog file for them.
198
199           No LASTLOG_UID_MAX option present in the configuration means that
200           there is no user ID limit for writing lastlog entries.
201
202       LOG_OK_LOGINS (boolean)
203           Enable logging of successful logins.
204
205       LOG_UNKFAIL_ENAB (boolean)
206           Enable display of unknown usernames when login failures are
207           recorded.
208
209           Note: logging unknown usernames may be a security issue if an user
210           enter her password instead of her login name.
211
212       LOGIN_RETRIES (number)
213           Maximum number of login retries in case of bad password.
214
215       LOGIN_STRING (string)
216           The string used for prompting a password. The default is to use
217           "Password: ", or a translation of that string. If you set this
218           variable, the prompt will not be translated.
219
220           If the string contains %s, this will be replaced by the user's
221           name.
222
223       LOGIN_TIMEOUT (number)
224           Max time in seconds for login.
225
226       MAIL_CHECK_ENAB (boolean)
227           Enable checking and display of mailbox status upon login.
228
229           You should disable it if the shell startup files already check for
230           mail ("mailx -e" or equivalent).
231
232       MAIL_DIR (string)
233           The mail spool directory. This is needed to manipulate the mailbox
234           when its corresponding user account is modified or deleted. If not
235           specified, a compile-time default is used. The parameter
236           CREATE_MAIL_SPOOL in /etc/default/useradd determines whether the
237           mail spool should be created.
238
239       MAIL_FILE (string)
240           Defines the location of the users mail spool files relatively to
241           their home directory.
242
243       The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and
244       userdel to create, move, or delete the user's mail spool.
245
246       If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL
247       environment variable.
248
249       MAX_MEMBERS_PER_GROUP (number)
250           Maximum members per group entry. When the maximum is reached, a new
251           group entry (line) is started in /etc/group (with the same name,
252           same password, and same GID).
253
254           The default value is 0, meaning that there are no limits in the
255           number of members in a group.
256
257           This feature (split group) permits to limit the length of lines in
258           the group file. This is useful to make sure that lines for NIS
259           groups are not larger than 1024 characters.
260
261           If you need to enforce such limit, you can use 25.
262
263           Note: split groups may not be supported by all tools (even in the
264           Shadow toolsuite). You should not use this variable unless you
265           really need it.
266
267       MD5_CRYPT_ENAB (boolean)
268           Indicate if passwords must be encrypted using the MD5-based
269           algorithm. If set to yes, new passwords will be encrypted using the
270           MD5-based algorithm compatible with the one used by recent releases
271           of FreeBSD. It supports passwords of unlimited length and longer
272           salt strings. Set to no if you need to copy encrypted passwords to
273           other systems which don't understand the new algorithm. Default is
274           no.
275
276           This variable is superseded by the ENCRYPT_METHOD variable or by
277           any command line option used to configure the encryption algorithm.
278
279           This variable is deprecated. You should use ENCRYPT_METHOD.
280
281       MOTD_FILE (string)
282           If defined, ":" delimited list of "message of the day" files to be
283           displayed upon login.
284
285       NOLOGINS_FILE (string)
286           If defined, name of file whose presence will inhibit non-root
287           logins. The contents of this file should be a message indicating
288           why logins are inhibited.
289
290       NONEXISTENT (string)
291           If a system account intentionally does not have a home directory
292           that exists, this string can be provided in the /etc/passwd entry
293           for the account to indicate this. The result is that pwck will not
294           emit a spurious warning for this account.
295
296       OBSCURE_CHECKS_ENAB (boolean)
297           Enable additional checks upon password changes.
298
299       PASS_ALWAYS_WARN (boolean)
300           Warn about weak passwords (but still allow them) if you are root.
301
302       PASS_CHANGE_TRIES (number)
303           Maximum number of attempts to change password if rejected (too
304           easy).
305
306       PASS_MAX_DAYS (number)
307           The maximum number of days a password may be used. If the password
308           is older than this, a password change will be forced. If not
309           specified, -1 will be assumed (which disables the restriction).
310
311       PASS_MIN_DAYS (number)
312           The minimum number of days allowed between password changes. Any
313           password changes attempted sooner than this will be rejected. If
314           not specified, 0 will be assumed (which disables the restriction).
315
316       PASS_WARN_AGE (number)
317           The number of days warning given before a password expires. A zero
318           means warning is given only upon the day of expiration, a negative
319           value means no warning is given. If not specified, no warning will
320           be provided.
321
322       PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
323       time of account creation. Any changes to these settings won't affect
324       existing accounts.
325
326       PASS_MAX_LEN (number), PASS_MIN_LEN (number)
327           Number of significant characters in the password for crypt().
328           PASS_MAX_LEN is 8 by default. Don't change unless your crypt() is
329           better. This is ignored if MD5_CRYPT_ENAB set to yes.
330
331       PORTTIME_CHECKS_ENAB (boolean)
332           Enable checking of time restrictions specified in /etc/porttime.
333
334       QUOTAS_ENAB (boolean)
335           Enable setting of resource limits from /etc/limits and ulimit,
336           umask, and niceness from the user's passwd gecos field.
337
338       SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
339           When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the
340           number of SHA rounds used by the encryption algorithm by default
341           (when the number of rounds is not specified on the command line).
342
343           With a lot of rounds, it is more difficult to brute forcing the
344           password. But note also that more CPU resources will be needed to
345           authenticate users.
346
347           If not specified, the libc will choose the default number of rounds
348           (5000), which is orders of magnitude too low for modern hardware.
349
350           The values must be inside the 1000-999,999,999 range.
351
352           If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
353           values is set, then this value will be used.
354
355           If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value
356           will be used.
357
358       SULOG_FILE (string)
359           If defined, all su activity is logged to this file.
360
361       SU_NAME (string)
362           If defined, the command name to display when running "su -". For
363           example, if this is defined as "su" then a "ps" will display the
364           command is "-su". If not defined, then "ps" would display the name
365           of the shell actually being run, e.g. something like "-sh".
366
367       SU_WHEEL_ONLY (boolean)
368           If yes, the user must be listed as a member of the first gid 0
369           group in /etc/group (called root on most Linux systems) to be able
370           to su to uid 0 accounts. If the group doesn't exist or is empty, no
371           one will be able to su to uid 0.
372
373       SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
374           If /etc/subuid exists, the commands useradd and newusers (unless
375           the user already have subordinate group IDs) allocate SUB_GID_COUNT
376           unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each
377           new user.
378
379           The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are
380           respectively 100000, 600100000 and 65536.
381
382       SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
383           If /etc/subuid exists, the commands useradd and newusers (unless
384           the user already have subordinate user IDs) allocate SUB_UID_COUNT
385           unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each
386           new user.
387
388           The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are
389           respectively 100000, 600100000 and 65536.
390
391       SYS_GID_MAX (number), SYS_GID_MIN (number)
392           Range of group IDs used for the creation of system groups by
393           useradd, groupadd, or newusers.
394
395           The default value for SYS_GID_MIN (resp.  SYS_GID_MAX) is 101
396           (resp.  GID_MIN-1).
397
398       SYS_UID_MAX (number), SYS_UID_MIN (number)
399           Range of user IDs used for the creation of system users by useradd
400           or newusers.
401
402           The default value for SYS_UID_MIN (resp.  SYS_UID_MAX) is 101
403           (resp.  UID_MIN-1).
404
405       SYSLOG_SG_ENAB (boolean)
406           Enable "syslog" logging of sg activity.
407
408       SYSLOG_SU_ENAB (boolean)
409           Enable "syslog" logging of su activity - in addition to sulog file
410           logging.
411
412       TTYGROUP (string), TTYPERM (string)
413           The terminal permissions: the login tty will be owned by the
414           TTYGROUP group, and the permissions will be set to TTYPERM.
415
416           TTYGROUP can be either the name of a group or a numeric group
417           identifier.
418
419           If TTYGROUP is not defined, then the group ownership of the
420           terminal is set to the user's primary group. If TTYPERM is not
421           defined, then the permissions are set to 0600.
422
423           If you have a write program which is "setgid" to a special group
424           which owns the terminals, define TTYGROUP to the group number and
425           TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
426           TTYPERM to either 622 or 600.
427
428       TTYTYPE_FILE (string)
429           If defined, file which maps tty line to TERM environment parameter.
430           Each line of the file is in a format something like "vt100 tty01".
431
432       UID_MAX (number), UID_MIN (number)
433           Range of user IDs used for the creation of regular users by useradd
434           or newusers.
435
436           The default value for UID_MIN (resp.  UID_MAX) is 1000 (resp.
437           60000).
438
439       ULIMIT (number)
440           Default ulimit value.
441
442       UMASK (number)
443           The file mode creation mask is initialized to this value. If not
444           specified, the mask will be initialized to 022.
445
446           useradd and newusers use this mask to set the mode of the home
447           directory they create if HOME_MODE is not set.
448
449           It is also used by login to define users' initial umask. Note that
450           this mask can be overridden by the user's GECOS line (if
451           QUOTAS_ENAB is set) or by the specification of a limit with the K
452           identifier in limits(5).
453
454       USERDEL_CMD (string)
455           If defined, this command is run when removing a user. It should
456           remove any at/cron/print jobs etc. owned by the user to be removed
457           (passed as the first argument).
458
459           The return code of the script is not taken into account.
460
461           Here is an example script, which removes the user's cron, at and
462           print jobs:
463
464               #! /bin/sh
465
466               # Check for the required argument.
467               if [ $# != 1 ]; then
468                    echo "Usage: $0 username"
469                    exit 1
470               fi
471
472               # Remove cron jobs.
473               crontab -r -u $1
474
475               # Remove at jobs.
476               # Note that it will remove any jobs owned by the same UID,
477               # even if it was shared by a different username.
478               AT_SPOOL_DIR=/var/spool/cron/atjobs
479               find $AT_SPOOL_DIR -name "[^.]*" -type f -user $1 -delete \;
480
481               # Remove print jobs.
482               lprm $1
483
484               # All done.
485               exit 0
486
487
488
489       USERGROUPS_ENAB (boolean)
490           Enable setting of the umask group bits to be the same as owner bits
491           (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid
492           is the same as gid, and username is the same as the primary group
493           name.
494
495           If set to yes, userdel will remove the user's group if it contains
496           no more members, and useradd will create by default a group with
497           the name of the user.
498

CROSS REFERENCES

500       The following cross references show which programs in the shadow
501       password suite use which parameters.
502
503       chgpasswd
504           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
505           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
506
507       chpasswd
508           ENCRYPT_METHOD MD5_CRYPT_ENAB SHA_CRYPT_MAX_ROUNDS
509           SHA_CRYPT_MIN_ROUNDS
510
511       gpasswd
512           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
513           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
514
515       groupadd
516           GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN
517
518       groupdel
519           MAX_MEMBERS_PER_GROUP
520
521       groupmems
522           MAX_MEMBERS_PER_GROUP
523
524       groupmod
525           MAX_MEMBERS_PER_GROUP
526
527       grpck
528           MAX_MEMBERS_PER_GROUP
529
530       grpconv
531           MAX_MEMBERS_PER_GROUP
532
533       grpunconv
534           MAX_MEMBERS_PER_GROUP
535
536       lastlog
537           LASTLOG_UID_MAX
538
539       newgrp / sg
540           SYSLOG_SG_ENAB
541
542       newusers
543           ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
544           HOME_MODE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
545           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS SUB_GID_COUNT SUB_GID_MAX
546           SUB_GID_MIN SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SYS_GID_MAX
547           SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
548
549       pwck
550           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
551
552       pwconv
553           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
554
555       useradd
556           CREATE_HOME GID_MAX GID_MIN HOME_MODE LASTLOG_UID_MAX MAIL_DIR
557           MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
558           SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_UID_COUNT SUB_UID_MAX
559           SUB_UID_MIN SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX
560           UID_MIN UMASK
561
562       userdel
563           MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD
564           USERGROUPS_ENAB
565
566       usermod
567           LASTLOG_UID_MAX MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
568

SEE ALSO

570       login(1), passwd(1), su(1), passwd(5), shadow(5), pam(8).
571
572
573
574shadow-utils 4.14.0               10/03/2023                     LOGIN.DEFS(5)
Impressum