1LOGIN.DEFS(5)            File Formats and Conversions            LOGIN.DEFS(5)
2
3
4

NAME

6       login.defs - shadow password suite configuration
7

DESCRIPTION

9       The /etc/login.defs file defines the site-specific configuration for
10       the shadow password suite. This file is required. Absence of this file
11       will not prevent system operation, but will probably result in
12       undesirable operation.
13
14       This file is a readable text file, each line of the file describing one
15       configuration parameter. The lines consist of a configuration name and
16       value, separated by whitespace. Blank lines and comment lines are
17       ignored. Comments are introduced with a "#" pound sign and the pound
18       sign must be the first non-white character of the line.
19
20       Parameter values may be of four types: strings, booleans, numbers, and
21       long numbers. A string is comprised of any printable characters. A
22       boolean should be either the value yes or no. An undefined boolean
23       parameter or one with a value other than these will be given a no
24       value. Numbers (both regular and long) may be either decimal values,
25       octal values (precede the value with 0) or hexadecimal values (precede
26       the value with 0x). The maximum value of the regular and long numeric
27       parameters is machine-dependent.
28
29       Please note that the parameters in this configuration file control the
30       behavior of the tools from the shadow-utils component. None of these
31       tools uses the PAM mechanism, and the utilities that use PAM (such as
32       the passwd command) should be configured elsewhere. The only values
33       that affect PAM modules are ENCRYPT_METHOD and SHA_CRYPT_MAX_ROUNDS for
34       pam_unix module, FAIL_DELAY for pam_faildelay module, and UMASK for
35       pam_umask module. Refer to pam(8) for more information.
36
37       The following configuration items are provided:
38
39       CHFN_AUTH (boolean)
40           If yes, the chfn program will require authentication before making
41           any changes, unless run by the superuser.
42
43       CHFN_RESTRICT (string)
44           This parameter specifies which values in the gecos field of the
45           /etc/passwd file may be changed by regular users using the chfn
46           program. It can be any combination of letters f, r, w, h, for Full
47           name, Room number, Work phone, and Home phone, respectively. For
48           backward compatibility, yes is equivalent to rwh and no is
49           equivalent to frwh. If not specified, only the superuser can make
50           any changes. The most restrictive setting is better achieved by not
51           installing chfn SUID.
52
53       CHSH_AUTH (boolean)
54           If yes, the chsh program will require authentication before making
55           any changes, unless run by the superuser.
56
57       CONSOLE (string)
58           If defined, either full pathname of a file containing device names
59           (one per line) or a ":" delimited list of device names. Root logins
60           will be allowed only upon these devices.
61
62           If not defined, root will be allowed on any device.
63
64           The device should be specified without the /dev/ prefix.
65
66       CONSOLE_GROUPS (string)
67           List of groups to add to the user's supplementary groups set when
68           logging in on the console (as determined by the CONSOLE setting).
69           Default is none.
70
71           Use with caution - it is possible for users to gain permanent
72           access to these groups, even when not logged in on the console.
73
74       CREATE_HOME (boolean)
75           Indicate if a home directory should be created by default for new
76           users.
77
78           This setting does not apply to system users, and can be overridden
79           on the command line.
80
81       DEFAULT_HOME (boolean)
82           Indicate if login is allowed if we can't cd to the home directory.
83           Default is no.
84
85           If set to yes, the user will login in the root (/) directory if it
86           is not possible to cd to her home directory.
87
88       ENCRYPT_METHOD (string)
89           This defines the system default encryption algorithm for encrypting
90           passwords (if no algorithm are specified on the command line).
91
92           It can take one of these values: DES (default), MD5, SHA256,
93           SHA512.
94
95           Note: this parameter overrides the MD5_CRYPT_ENAB variable.
96
97       ENV_HZ (string)
98           If set, it will be used to define the HZ environment variable when
99           a user login. The value must be preceded by HZ=. A common value on
100           Linux is HZ=100.
101
102       ENV_PATH (string)
103           If set, it will be used to define the PATH environment variable
104           when a regular user login. The value is a colon separated list of
105           paths (for example /bin:/usr/bin) and can be preceded by PATH=. The
106           default value is PATH=/bin:/usr/bin.
107
108       ENV_SUPATH (string)
109           If set, it will be used to define the PATH environment variable
110           when the superuser login. The value is a colon separated list of
111           paths (for example /sbin:/bin:/usr/sbin:/usr/bin) and can be
112           preceded by PATH=. The default value is
113           PATH=/sbin:/bin:/usr/sbin:/usr/bin.
114
115       ENV_TZ (string)
116           If set, it will be used to define the TZ environment variable when
117           a user login. The value can be the name of a timezone preceded by
118           TZ= (for example TZ=CST6CDT), or the full path to the file
119           containing the timezone specification (for example /etc/tzname).
120
121           If a full path is specified but the file does not exist or cannot
122           be read, the default is to use TZ=CST6CDT.
123
124       ENVIRON_FILE (string)
125           If this file exists and is readable, login environment will be read
126           from it. Every line should be in the form name=value.
127
128           Lines starting with a # are treated as comment lines and ignored.
129
130       ERASECHAR (number)
131           Terminal ERASE character (010 = backspace, 0177 = DEL).
132
133           The value can be prefixed "0" for an octal value, or "0x" for an
134           hexadecimal value.
135
136       FAIL_DELAY (number)
137           Delay in seconds before being allowed another attempt after a login
138           failure.
139
140       FAILLOG_ENAB (boolean)
141           Enable logging and display of /var/log/faillog login failure info.
142
143       FAKE_SHELL (string)
144           If set, login will execute this shell instead of the users' shell
145           specified in /etc/passwd.
146
147       FTMP_FILE (string)
148           If defined, login failures will be logged in this file in a utmp
149           format.
150
151       GID_MAX (number), GID_MIN (number)
152           Range of group IDs used for the creation of regular groups by
153           useradd, groupadd, or newusers.
154
155           The default value for GID_MIN (resp.  GID_MAX) is 1000 (resp.
156           60000).
157
158       HOME_MODE (number)
159           The mode for new home directories. If not specified, the UMASK is
160           used to create the mode.
161
162           useradd and newusers use this to set the mode of the home directory
163           they create.
164
165       HUSHLOGIN_FILE (string)
166           If defined, this file can inhibit all the usual chatter during the
167           login sequence. If a full pathname is specified, then hushed mode
168           will be enabled if the user's name or shell are found in the file.
169           If not a full pathname, then hushed mode will be enabled if the
170           file exists in the user's home directory.
171
172       ISSUE_FILE (string)
173           If defined, this file will be displayed before each login prompt.
174
175       KILLCHAR (number)
176           Terminal KILL character (025 = CTRL/U).
177
178           The value can be prefixed "0" for an octal value, or "0x" for an
179           hexadecimal value.
180
181       LASTLOG_ENAB (boolean)
182           Enable logging and display of /var/log/lastlog login time info.
183
184       LASTLOG_UID_MAX (number)
185           Highest user ID number for which the lastlog entries should be
186           updated. As higher user IDs are usually tracked by remote user
187           identity and authentication services there is no need to create a
188           huge sparse lastlog file for them.
189
190           No LASTLOG_UID_MAX option present in the configuration means that
191           there is no user ID limit for writing lastlog entries.
192
193       LOG_OK_LOGINS (boolean)
194           Enable logging of successful logins.
195
196       LOG_UNKFAIL_ENAB (boolean)
197           Enable display of unknown usernames when login failures are
198           recorded.
199
200           Note: logging unknown usernames may be a security issue if an user
201           enter her password instead of her login name.
202
203       LOGIN_RETRIES (number)
204           Maximum number of login retries in case of bad password.
205
206       LOGIN_STRING (string)
207           The string used for prompting a password. The default is to use
208           "Password: ", or a translation of that string. If you set this
209           variable, the prompt will not be translated.
210
211           If the string contains %s, this will be replaced by the user's
212           name.
213
214       LOGIN_TIMEOUT (number)
215           Max time in seconds for login.
216
217       MAIL_CHECK_ENAB (boolean)
218           Enable checking and display of mailbox status upon login.
219
220           You should disable it if the shell startup files already check for
221           mail ("mailx -e" or equivalent).
222
223       MAIL_DIR (string)
224           The mail spool directory. This is needed to manipulate the mailbox
225           when its corresponding user account is modified or deleted. If not
226           specified, a compile-time default is used.
227
228       MAIL_FILE (string)
229           Defines the location of the users mail spool files relatively to
230           their home directory.
231
232       The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and
233       userdel to create, move, or delete the user's mail spool.
234
235       If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL
236       environment variable.
237
238       MAX_MEMBERS_PER_GROUP (number)
239           Maximum members per group entry. When the maximum is reached, a new
240           group entry (line) is started in /etc/group (with the same name,
241           same password, and same GID).
242
243           The default value is 0, meaning that there are no limits in the
244           number of members in a group.
245
246           This feature (split group) permits to limit the length of lines in
247           the group file. This is useful to make sure that lines for NIS
248           groups are not larger than 1024 characters.
249
250           If you need to enforce such limit, you can use 25.
251
252           Note: split groups may not be supported by all tools (even in the
253           Shadow toolsuite). You should not use this variable unless you
254           really need it.
255
256       MD5_CRYPT_ENAB (boolean)
257           Indicate if passwords must be encrypted using the MD5-based
258           algorithm. If set to yes, new passwords will be encrypted using the
259           MD5-based algorithm compatible with the one used by recent releases
260           of FreeBSD. It supports passwords of unlimited length and longer
261           salt strings. Set to no if you need to copy encrypted passwords to
262           other systems which don't understand the new algorithm. Default is
263           no.
264
265           This variable is superseded by the ENCRYPT_METHOD variable or by
266           any command line option used to configure the encryption algorithm.
267
268           This variable is deprecated. You should use ENCRYPT_METHOD.
269
270       MOTD_FILE (string)
271           If defined, ":" delimited list of "message of the day" files to be
272           displayed upon login.
273
274       NOLOGINS_FILE (string)
275           If defined, name of file whose presence will inhibit non-root
276           logins. The contents of this file should be a message indicating
277           why logins are inhibited.
278
279       OBSCURE_CHECKS_ENAB (boolean)
280           Enable additional checks upon password changes.
281
282       PASS_ALWAYS_WARN (boolean)
283           Warn about weak passwords (but still allow them) if you are root.
284
285       PASS_CHANGE_TRIES (number)
286           Maximum number of attempts to change password if rejected (too
287           easy).
288
289       PASS_MAX_DAYS (number)
290           The maximum number of days a password may be used. If the password
291           is older than this, a password change will be forced. If not
292           specified, -1 will be assumed (which disables the restriction).
293
294       PASS_MIN_DAYS (number)
295           The minimum number of days allowed between password changes. Any
296           password changes attempted sooner than this will be rejected. If
297           not specified, -1 will be assumed (which disables the restriction).
298
299       PASS_WARN_AGE (number)
300           The number of days warning given before a password expires. A zero
301           means warning is given only upon the day of expiration, a negative
302           value means no warning is given. If not specified, no warning will
303           be provided.
304
305       PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
306       time of account creation. Any changes to these settings won't affect
307       existing accounts.
308
309       PASS_MAX_LEN (number), PASS_MIN_LEN (number)
310           Number of significant characters in the password for crypt().
311           PASS_MAX_LEN is 8 by default. Don't change unless your crypt() is
312           better. This is ignored if MD5_CRYPT_ENAB set to yes.
313
314       PORTTIME_CHECKS_ENAB (boolean)
315           Enable checking of time restrictions specified in /etc/porttime.
316
317       QUOTAS_ENAB (boolean)
318           Enable setting of resource limits from /etc/limits and ulimit,
319           umask, and niceness from the user's passwd gecos field.
320
321       SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
322           When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the
323           number of SHA rounds used by the encryption algorithm by default
324           (when the number of rounds is not specified on the command line).
325
326           With a lot of rounds, it is more difficult to brute forcing the
327           password. But note also that more CPU resources will be needed to
328           authenticate users.
329
330           If not specified, the libc will choose the default number of rounds
331           (5000).
332
333           The values must be inside the 1000-999,999,999 range.
334
335           If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS
336           values is set, then this value will be used.
337
338           If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value
339           will be used.
340
341       SULOG_FILE (string)
342           If defined, all su activity is logged to this file.
343
344       SU_NAME (string)
345           If defined, the command name to display when running "su -". For
346           example, if this is defined as "su" then a "ps" will display the
347           command is "-su". If not defined, then "ps" would display the name
348           of the shell actually being run, e.g. something like "-sh".
349
350       SU_WHEEL_ONLY (boolean)
351           If yes, the user must be listed as a member of the first gid 0
352           group in /etc/group (called root on most Linux systems) to be able
353           to su to uid 0 accounts. If the group doesn't exist or is empty, no
354           one will be able to su to uid 0.
355
356       SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
357           If /etc/subuid exists, the commands useradd and newusers (unless
358           the user already have subordinate group IDs) allocate SUB_GID_COUNT
359           unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each
360           new user.
361
362           The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are
363           respectively 100000, 600100000 and 65536.
364
365       SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
366           If /etc/subuid exists, the commands useradd and newusers (unless
367           the user already have subordinate user IDs) allocate SUB_UID_COUNT
368           unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each
369           new user.
370
371           The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are
372           respectively 100000, 600100000 and 65536.
373
374       SYS_GID_MAX (number), SYS_GID_MIN (number)
375           Range of group IDs used for the creation of system groups by
376           useradd, groupadd, or newusers.
377
378           The default value for SYS_GID_MIN (resp.  SYS_GID_MAX) is 101
379           (resp.  GID_MIN-1).
380
381       SYS_UID_MAX (number), SYS_UID_MIN (number)
382           Range of user IDs used for the creation of system users by useradd
383           or newusers.
384
385           The default value for SYS_UID_MIN (resp.  SYS_UID_MAX) is 101
386           (resp.  UID_MIN-1).
387
388       SYSLOG_SG_ENAB (boolean)
389           Enable "syslog" logging of sg activity.
390
391       SYSLOG_SU_ENAB (boolean)
392           Enable "syslog" logging of su activity - in addition to sulog file
393           logging.
394
395       TTYGROUP (string), TTYPERM (string)
396           The terminal permissions: the login tty will be owned by the
397           TTYGROUP group, and the permissions will be set to TTYPERM.
398
399           By default, the ownership of the terminal is set to the user's
400           primary group and the permissions are set to 0600.
401
402           TTYGROUP can be either the name of a group or a numeric group
403           identifier.
404
405           If you have a write program which is "setgid" to a special group
406           which owns the terminals, define TTYGROUP to the group number and
407           TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
408           TTYPERM to either 622 or 600.
409
410       TTYTYPE_FILE (string)
411           If defined, file which maps tty line to TERM environment parameter.
412           Each line of the file is in a format something like "vt100 tty01".
413
414       UID_MAX (number), UID_MIN (number)
415           Range of user IDs used for the creation of regular users by useradd
416           or newusers.
417
418           The default value for UID_MIN (resp.  UID_MAX) is 1000 (resp.
419           60000).
420
421       ULIMIT (number)
422           Default ulimit value.
423
424       UMASK (number)
425           The file mode creation mask is initialized to this value. If not
426           specified, the mask will be initialized to 022.
427
428           useradd and newusers use this mask to set the mode of the home
429           directory they create if HOME_MODE is not set.
430
431           It is also used by login to define users' initial umask. Note that
432           this mask can be overridden by the user's GECOS line (if
433           QUOTAS_ENAB is set) or by the specification of a limit with the K
434           identifier in limits(5).
435
436       USERDEL_CMD (string)
437           If defined, this command is run when removing a user. It should
438           remove any at/cron/print jobs etc. owned by the user to be removed
439           (passed as the first argument).
440
441           The return code of the script is not taken into account.
442
443           Here is an example script, which removes the user's cron, at and
444           print jobs:
445
446               #! /bin/sh
447
448               # Check for the required argument.
449               if [ $# != 1 ]; then
450                    echo "Usage: $0 username"
451                    exit 1
452               fi
453
454               # Remove cron jobs.
455               crontab -r -u $1
456
457               # Remove at jobs.
458               # Note that it will remove any jobs owned by the same UID,
459               # even if it was shared by a different username.
460               AT_SPOOL_DIR=/var/spool/cron/atjobs
461               find $AT_SPOOL_DIR -name "[^.]*" -type f -user $1 -delete \;
462
463               # Remove print jobs.
464               lprm $1
465
466               # All done.
467               exit 0
468
469
470
471       USERGROUPS_ENAB (boolean)
472           Enable setting of the umask group bits to be the same as owner bits
473           (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid
474           is the same as gid, and username is the same as the primary group
475           name.
476
477           If set to yes, userdel will remove the user's group if it contains
478           no more members, and useradd will create by default a group with
479           the name of the user.
480

CROSS REFERENCES

482       The following cross references show which programs in the shadow
483       password suite use which parameters.
484
485       chgpasswd
486           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
487           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
488
489       chpasswd
490           ENCRYPT_METHOD MD5_CRYPT_ENAB SHA_CRYPT_MAX_ROUNDS
491           SHA_CRYPT_MIN_ROUNDS
492
493       gpasswd
494           ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
495           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
496
497       groupadd
498           GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP SYS_GID_MAX SYS_GID_MIN
499
500       groupdel
501           MAX_MEMBERS_PER_GROUP
502
503       groupmems
504           MAX_MEMBERS_PER_GROUP
505
506       groupmod
507           MAX_MEMBERS_PER_GROUP
508
509       grpck
510           MAX_MEMBERS_PER_GROUP
511
512       grpconv
513           MAX_MEMBERS_PER_GROUP
514
515       grpunconv
516           MAX_MEMBERS_PER_GROUP
517
518       lastlog
519           LASTLOG_UID_MAX
520
521       newgrp / sg
522           SYSLOG_SG_ENAB
523
524       newusers
525           ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
526           HOME_MODE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
527           SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS SUB_GID_COUNT SUB_GID_MAX
528           SUB_GID_MIN SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SYS_GID_MAX
529           SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN UMASK
530
531       pwck
532           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
533
534       pwconv
535           PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
536
537       useradd
538           CREATE_HOME GID_MAX GID_MIN HOME_MODE LASTLOG_UID_MAX MAIL_DIR
539           MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
540           SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_UID_COUNT SUB_UID_MAX
541           SUB_UID_MIN SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX
542           UID_MIN UMASK
543
544       userdel
545           MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP USERDEL_CMD
546           USERGROUPS_ENAB
547
548       usermod
549           LASTLOG_UID_MAX MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
550

SEE ALSO

552       login(1), passwd(1), su(1), passwd(5), shadow(5), pam(8).
553
554
555
556shadow-utils 4.8.1                03/29/2021                     LOGIN.DEFS(5)
Impressum