1LOGIN.DEFS(5)            File Formats and Conversions            LOGIN.DEFS(5)
2
3
4

NAME

6       login.defs - shadow password suite configuration
7

DESCRIPTION

9       The /etc/login.defs file defines the site-specific configuration for
10       the shadow password suite. This file is required. Absence of this file
11       will not prevent system operation, but will probably result in
12       undesirable operation.
13
14       This file is a readable text file, each line of the file describing one
15       configuration parameter. The lines consist of a configuration name and
16       value, separated by whitespace. Blank lines and comment lines are
17       ignored. Comments are introduced with a "#" pound sign and the pound
18       sign must be the first non-white character of the line.
19
20       Parameter values may be of four types: strings, booleans, numbers, and
21       long numbers. A string is comprised of any printable characters. A
22       boolean should be either the value yes or no. An undefined boolean
23       parameter or one with a value other than these will be given a no
24       value. Numbers (both regular and long) may be either decimal values,
25       octal values (precede the value with 0) or hexadecimal values (precede
26       the value with 0x). The maximum value of the regular and long numeric
27       parameters is machine-dependent.
28
29       The following configuration items are provided:
30
31       CHFN_AUTH (boolean)
32           If yes, the chfn program will require authentication before making
33           any changes, unless run by the superuser.
34
35       CHFN_RESTRICT (string)
36           This parameter specifies which values in the gecos field of the
37           /etc/passwd file may be changed by regular users using the chfn
38           program. It can be any combination of letters f, r, w, h, for Full
39           name, Room number, Work phone, and Home phone, respectively. For
40           backward compatibility, yes is equivalent to rwh and no is
41           equivalent to frwh. If not specified, only the superuser can make
42           any changes. The most restrictive setting is better achieved by not
43           installing chfn SUID.
44
45       CHSH_AUTH (boolean)
46           If yes, the chsh program will require authentication before making
47           any changes, unless run by the superuser.
48
49       CONSOLE (string)
50           If defined, either full pathname of a file containing device names
51           (one per line) or a ":" delimited list of device names. Root logins
52           will be allowed only upon these devices.
53
54           If not defined, root will be allowed on any device.
55
56           The device should be specified without the /dev/ prefix.
57
58       CONSOLE_GROUPS (string)
59           List of groups to add to the user´s supplementary groups set when
60           logging in on the console (as determined by the CONSOLE setting).
61           Default is none.
62
63           Use with caution - it is possible for users to gain permanent
64           access to these groups, even when not logged in on the console.
65
66       CREATE_HOME (boolean)
67           Indicate if a home directory should be created by default for new
68           users.
69
70           This setting does not apply to system users, and can be overriden
71           on the command line.
72
73       DEFAULT_HOME (boolean)
74           Indicate if login is allowed if we can´t cd to the home directory.
75           Default in no.
76
77           If set to yes, the user will login in the root (/) directory if it
78           is not possible to cd to her home directory.
79
80       ENCRYPT_METHOD (string)
81           This defines the system default encryption algorithm for encrypting
82           passwords (if no algorithm are specified on the command line).
83
84           It can take one of these values:
85
86           ·   DES (default)
87
88           ·   MD5
89
90           ·   SHA256
91
92           ·   SHA512
93
94               Note: this parameter overrides the MD5_CRYPT_ENAB variable.
95
96           ENV_HZ (string)
97               If set, it will be used to define the HZ environment variable
98               when a user login. The value must be preceded by HZ=. A common
99               value on Linux is HZ=100.
100
101           ENV_PATH (string)
102               If set, it will be used to define the PATH environment variable
103               when a regular user login. The value can be preceded by PATH=,
104               or a colon separated list of paths (for example /bin:/usr/bin).
105               The default value is PATH=/bin:/usr/bin.
106
107           ENV_SUPATH (string)
108               If set, it will be used to define the PATH environment variable
109               when the superuser login. The value can be preceded by PATH=,
110               or a colon separated list of paths (for example
111               /sbin:/bin:/usr/sbin:/usr/bin). The default value is
112               PATH=/bin:/usr/bin.
113
114           ENV_TZ (string)
115               If set, it will be used to define the TZ environment variable
116               when a user login. The value can be the name of a timezone
117               preceded by TZ= (for example TZ=CST6CDT), or the full path to
118               the file containing the timezone specification (for example
119               /etc/tzname).
120
121               If a full path is specified but the file does not exist or
122               cannot be read, the default is to use TZ=CST6CDT.
123
124           ENVIRON_FILE (string)
125               If this file exists and is readable, login environment will be
126               read from it. Every line should be in the form name=value.
127
128               Lines starting with a # are treated as comment lines and
129               ignored.
130
131           ERASECHAR (number)
132               Terminal ERASE character (010 = backspace, 0177 = DEL).
133
134               The value can be prefixed "0" for an octal value, or "0x" for
135               an hexadecimal value.
136
137           FAIL_DELAY (number)
138               Delay in seconds before being allowed another attempt after a
139               login failure.
140
141           FAILLOG_ENAB (boolean)
142               Enable logging and display of /var/log/faillog login failure
143               info.
144
145           FAKE_SHELL (string)
146               If set, login will execute this shell instead of the users´
147               shell specified in /etc/passwd.
148
149           FTMP_FILE (string)
150               If defined, login failures will be logged in this file in a
151               utmp format.
152
153           GID_MAX (number), GID_MIN (number)
154               Range of group IDs used for the creation of regular groups by
155               useradd, groupadd, or newusers.
156
157           HUSHLOGIN_FILE (string)
158               If defined, this file can inhibit all the usual chatter during
159               the login sequence. If a full pathname is specified, then
160               hushed mode will be enabled if the user´s name or shell are
161               found in the file. If not a full pathname, then hushed mode
162               will be enabled if the file exists in the user´s home
163               directory.
164
165           ISSUE_FILE (string)
166               If defined, this file will be displayed before each login
167               prompt.
168
169           KILLCHAR (number)
170               Terminal KILL character (025 = CTRL/U).
171
172               The value can be prefixed "0" for an octal value, or "0x" for
173               an hexadecimal value.
174
175           LASTLOG_ENAB (boolean)
176               Enable logging and display of /var/log/lastlog login time info.
177
178           LOG_OK_LOGINS (boolean)
179               Enable logging of successful logins.
180
181           LOG_UNKFAIL_ENAB (boolean)
182               Enable display of unknown usernames when login failures are
183               recorded.
184
185               Note: logging unknown usernames may be a security issue if an
186               user enter her password instead of her login name.
187
188           LOGIN_RETRIES (number)
189               Maximum number of login retries in case of bad password.
190
191           LOGIN_STRING (string)
192               The string used for prompting a password. The default is to use
193               "Password: ", or a translation of that string. If you set this
194               variable, the prompt will no be translated.
195
196               If the string contains %s, this will be replaced by the user´s
197               name.
198
199           LOGIN_TIMEOUT (number)
200               Max time in seconds for login.
201
202           MAIL_CHECK_ENAB (boolean)
203               Enable checking and display of mailbox status upon login.
204
205               You should disable it if the shell startup files already check
206               for mail ("mailx -e" or equivalent).
207
208           MAIL_DIR (string)
209               The mail spool directory. This is needed to manipulate the
210               mailbox when its corresponding user account is modified or
211               deleted. If not specified, a compile-time default is used.
212
213           MAIL_FILE (string)
214               Defines the location of the users mail spool files relatively
215               to their home directory.
216
217           The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod,
218           and userdel to create, move, or delete the user´s mail spool.
219
220           If MAIL_CHECK_ENAB is set to yes, they are also used to define the
221           MAIL environment variable.
222
223           MAX_MEMBERS_PER_GROUP (number)
224               Maximum members per group entry. When the maximum is reached, a
225               new group entry (line) is started in /etc/group (with the same
226               name, same password, and same GID).
227
228               The default value is 0, meaning that there are no limits in the
229               number of members in a group.
230
231               This feature (split group) permits to limit the length of lines
232               in the group file. This is useful to make sure that lines for
233               NIS groups are not larger than 1024 characters.
234
235               If you need to enforce such limit, you can use 25.
236
237               Note: split groups may not be supported by all tools (even in
238               the Shadow toolsuite). You should not use this variable unless
239               you really need it.
240
241           MD5_CRYPT_ENAB (boolean)
242               Indicate if passwords must be encrypted using the MD5-based
243               algorithm. If set to yes, new passwords will be encrypted using
244               the MD5-based algorithm compatible with the one used by recent
245               releases of FreeBSD. It supports passwords of unlimited length
246               and longer salt strings. Set to no if you need to copy
247               encrypted passwords to other systems which don´t understand the
248               new algorithm. Default is no.
249
250               This variable is superceded by the ENCRYPT_METHOD variable or
251               by any command line option used to configure the encryption
252               algorithm.
253
254               This variable is deprecated. You should use ENCRYPT_METHOD.
255
256           MOTD_FILE (string)
257               If defined, ":" delimited list of "message of the day" files to
258               be displayed upon login.
259
260           NOLOGINS_FILE (string)
261               If defined, name of file whose presence will inhibit non-root
262               logins. The contents of this file should be a message
263               indicating why logins are inhibited.
264
265           OBSCURE_CHECKS_ENAB (boolean)
266               Enable additional checks upon password changes.
267
268           PASS_ALWAYS_WARN (boolean)
269               Warn about weak passwords (but still allow them) if you are
270               root.
271
272           PASS_CHANGE_TRIES (number)
273               Maximum number of attempts to change password if rejected (too
274               easy).
275
276           PASS_MAX_DAYS (number)
277               The maximum number of days a password may be used. If the
278               password is older than this, a password change will be forced.
279               If not specified, -1 will be assumed (which disables the
280               restriction).
281
282           PASS_MIN_DAYS (number)
283               The minimum number of days allowed between password changes.
284               Any password changes attempted sooner than this will be
285               rejected. If not specified, -1 will be assumed (which disables
286               the restriction).
287
288           PASS_WARN_AGE (number)
289               The number of days warning given before a password expires. A
290               zero means warning is given only upon the day of expiration, a
291               negative value means no warning is given. If not specified, no
292               warning will be provided.
293
294           PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
295           time of account creation. Any changes to these settings won´t
296           affect existing accounts.
297
298           PASS_MAX_LEN (number), PASS_MIN_LEN (number)
299               Number of significant characters in the password for crypt().
300               PASS_MAX_LEN is 8 by default. Don´t change unless your crypt()
301               is better. This is ignored if MD5_CRYPT_ENAB set to yes.
302
303           PORTTIME_CHECKS_ENAB (boolean)
304               Enable checking of time restrictions specified in
305               /etc/porttime.
306
307           QUOTAS_ENAB (boolean)
308               Enable setting of ulimit, umask, and niceness from passwd gecos
309               field.
310
311           SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
312               When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
313               the number of SHA rounds used by the encryption algorithm by
314               default (when the number of rounds is not specified on the
315               command line).
316
317               With a lot of rounds, it is more difficult to brute forcing the
318               password. But note also that more CPU resources will be needed
319               to authenticate users.
320
321               If not specified, the libc will choose the default number of
322               rounds (5000).
323
324               The values must be inside the 1000-999999999 range.
325
326               If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
327               values is set, then this value will be used.
328
329               If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest
330               value will be used.
331
332           SULOG_FILE (string)
333               If defined, all su activity is logged to this file.
334
335           SU_NAME (string)
336               If defined, the command name to display when running "su -".
337               For example, if this is defined as "su" then a "ps" will
338               display the command is "-su". If not defined, then "ps" would
339               display the name of the shell actually being run, e.g.
340               something like "-sh".
341
342           SU_WHEEL_ONLY (boolean)
343               If yes, the user must be listed as a member of the first gid 0
344               group in /etc/group (called root on most Linux systems) to be
345               able to su to uid 0 accounts. If the group doesn´t exist or is
346               empty, no one will be able to su to uid 0.
347
348           SYS_GID_MAX (number), SYS_GID_MIN (number)
349               Range of group IDs used for the creation of system groups by
350               useradd, groupadd, or newusers.
351
352           SYS_UID_MAX (number), SYS_UID_MIN (number)
353               Range of user IDs used for the creation of system users by
354               useradd or newusers.
355
356           SYSLOG_SG_ENAB (boolean)
357               Enable "syslog" logging of sg activity.
358
359           SYSLOG_SU_ENAB (boolean)
360               Enable "syslog" logging of su activity - in addition to sulog
361               file logging.
362
363           TTYGROUP (string), TTYPERM (string)
364               The terminal permissions: the login tty will be owned by the
365               TTYGROUP group, and the permissions will be set to TTYPERM.
366
367               By default, the ownership of the terminal is set to the user´s
368               primary group and the permissions are set to 0600.
369
370
371               TTYGROUP can be either the name of a group or a numeric group
372               identifier.
373
374               If you have a write program which is "setgid" to a special
375               group which owns the terminals, define TTYGROUP to the group
376               number and TTYPERM to 0620. Otherwise leave TTYGROUP commented
377               out and assign TTYPERM to either 622 or 600.
378
379           TTYTYPE_FILE (string)
380               If defined, file which maps tty line to TERM environment
381               parameter. Each line of the file is in a format something like
382               "vt100 tty01".
383
384           UID_MAX (number), UID_MIN (number)
385               Range of user IDs used for the creation of regular users by
386               useradd or newusers.
387
388           ULIMIT (number)
389               Default ulimit value.
390
391           UMASK (number)
392               The file mode creation mask is initialized to this value. If
393               not specified, the mask will be initialized to 022.
394
395
396               useradd and newusers use this mask to set the mode of the home
397               directory they create
398
399               It is also used by login to define users´ initial umask. Note
400               that this mask can be overriden by the user´s GECOS line (if
401               QUOTAS_ENAB is set) or by the specification of a limit with the
402               K identifier in limits(5).
403
404           USERDEL_CMD (string)
405               If defined, this command is run when removing a user. It should
406               remove any at/cron/print jobs etc. owned by the user to be
407               removed (passed as the first argument).
408
409               The return code of the script is not taken into account.
410
411               Here is an example script, which removes the user´s cron, at
412               and print jobs:
413
414                   #! /bin/sh
415
416                   # Check for the required argument.
417                   if [ $# != 1 ]; then
418                        echo "Usage: $0 username"
419                        exit 1
420                   fi
421
422                   # Remove cron jobs.
423                   crontab -r -u $1
424
425                   # Remove at jobs.
426                   # Note that it will remove any jobs owned by the same UID,
427                   # even if it was shared by a different username.
428                   AT_SPOOL_DIR=/var/spool/cron/atjobs
429                   find $AT_SPOOL_DIR -name "[^.]*" -type f -user $1 -delete \;
430
431                   # Remove print jobs.
432                   lprm $1
433
434                   # All done.
435                   exit 0
436
437
438
439           USERGROUPS_ENAB (boolean)
440               Enable setting of the umask group bits to be the same as owner
441               bits (examples: 022 -> 002, 077 -> 007) for non-root users, if
442               the uid is the same as gid, and username is the same as the
443               primary group name.
444
445               If set to yes, userdel will remove the user´s group if it
446               contains no more members, and useradd will create by default a
447               group with the name of the user.
448

CROSS REFERENCES

450       The following cross references show which programs in the shadow
451       password suite use which parameters.
452
453       chfn
454
455           CHFN_AUTH CHFN_RESTRICT LOGIN_STRING
456
457       chgpasswd
458           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
459           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
460
461       chpasswd
462           ENCRYPT_METHOD MD5_CRYPT_ENAB SHA_CRYPT_MAX_ROUNDS
463           SHA_CRYPT_MIN_ROUNDS
464
465       chsh
466           CHSH_AUTH LOGIN_STRING
467
468       gpasswd
469           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
470           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
471
472       groupadd
473           GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN
474
475       groupdel
476           MAX_MEMBERS_PER_GROUP
477
478       groupmems
479           MAX_MEMBERS_PER_GROUP
480
481       groupmod
482           MAX_MEMBERS_PER_GROUP
483
484       grpck
485           MAX_MEMBERS_PER_GROUP
486
487       grpconv
488           MAX_MEMBERS_PER_GROUP
489
490       grpunconv
491           MAX_MEMBERS_PER_GROUP
492
493       login
494
495           CONSOLE CONSOLE_GROUPS DEFAULT_HOME ENV_HZ ENV_PATH ENV_SUPATH
496           ENV_TZ ENVIRON_FILE ERASECHAR FAIL_DELAY FAILLOG_ENAB FAKE_SHELL
497           FTMP_FILE HUSHLOGIN_FILE ISSUE_FILE KILLCHAR LASTLOG_ENAB
498           LOGIN_RETRIES LOGIN_STRING LOGIN_TIMEOUT LOG_OK_LOGINS
499           LOG_UNKFAIL_ENAB MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE MOTD_FILE
500           NOLOGINS_FILE PORTTIME_CHECKS_ENAB QUOTAS_ENAB TTYGROUP TTYPERM
501           TTYTYPE_FILE ULIMIT UMASK USERGROUPS_ENAB
502
503       newgrp / sg
504           SYSLOG_SG_ENAB
505
506       newusers
507           ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
508           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SHA_CRYPT_MAX_ROUNDS
509           SHA_CRYPT_MIN_ROUNDS SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX
510           SYS_UID_MIN UID_MAX UID_MIN UMASK
511
512       passwd
513           ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN
514           PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN SHA_CRYPT_MAX_ROUNDS
515           SHA_CRYPT_MIN_ROUNDS
516
517       pwck
518           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
519
520       pwconv
521           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
522
523       su
524
525           CONSOLE CONSOLE_GROUPS DEFAULT_HOME ENV_HZ ENVIRON_FILE ENV_PATH
526           ENV_SUPATH ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
527           QUOTAS_ENAB SULOG_FILE SU_NAME SU_WHEEL_ONLY SYSLOG_SU_ENAB
528           USERGROUPS_ENAB
529
530       sulogin
531           ENV_HZ ENV_TZ
532
533       useradd
534           CREATE_HOME GID_MAX GID_MIN MAIL_DIR MAX_MEMBERS_PER_GROUP
535           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SYS_GID_MAX SYS_GID_MIN
536           SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
537
538       userdel
539           MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD
540           USERGROUPS_ENAB
541
542       usermod
543           MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
544

SEE ALSO

546       login(1), passwd(1), su(1), passwd(5), shadow(5), pam(8).
547
548
549
550File Formats and Conversions      07/24/2009                     LOGIN.DEFS(5)
Impressum