hasufell
/
etc-gentoo
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
932 Commits
1 Branch
8.5 MiB
 
 
 
 
 
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
etc-gentoo/login.defs

388 lines
10 KiB
Raw Permalink Blame History 

  1. #

  2. # /etc/login.defs - Configuration control definitions for the shadow package.

  3. #

  4. #	$Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $

  5. #

  6. 

  7. #

  8. # Delay in seconds before being allowed another attempt after a login failure

  9. # Note: When PAM is used, some modules may enfore a minimal delay (e.g.

  10. #       pam_unix enforces a 2s delay)

  11. #

  12. FAIL_DELAY		3

  13. 

  14. #

  15. # Enable logging and display of /var/log/faillog login failure info.

  16. #

  17. #FAILLOG_ENAB 

  18. 

  19. #

  20. # Enable display of unknown usernames when login failures are recorded.

  21. #

  22. LOG_UNKFAIL_ENAB	no

  23. 

  24. #

  25. # Enable logging of successful logins

  26. #

  27. LOG_OK_LOGINS		no

  28. 

  29. #

  30. # Enable logging and display of /var/log/lastlog login time info.

  31. #

  32. #LASTLOG_ENAB 

  33. 

  34. #

  35. # Enable checking and display of mailbox status upon login.

  36. #

  37. # Disable if the shell startup files already check for mail

  38. # ("mailx -e" or equivalent).

  39. #

  40. #MAIL_CHECK_ENAB 

  41. 

  42. #

  43. # Enable additional checks upon password changes.

  44. #

  45. #OBSCURE_CHECKS_ENAB 

  46. 

  47. #

  48. # Enable checking of time restrictions specified in /etc/porttime.

  49. #

  50. #PORTTIME_CHECKS_ENAB 

  51. 

  52. #

  53. # Enable setting of ulimit, umask, and niceness from passwd gecos field.

  54. #

  55. #QUOTAS_ENAB 

  56. 

  57. #

  58. # Enable "syslog" logging of su activity - in addition to sulog file logging.

  59. # SYSLOG_SG_ENAB does the same for newgrp and sg.

  60. #

  61. SYSLOG_SU_ENAB		yes

  62. SYSLOG_SG_ENAB		yes

  63. 

  64. #

  65. # If defined, either full pathname of a file containing device names or

  66. # a ":" delimited list of device names.  Root logins will be allowed only

  67. # upon these devices.

  68. #

  69. CONSOLE		/etc/securetty

  70. #CONSOLE	console:tty01:tty02:tty03:tty04

  71. 

  72. #

  73. # If defined, all su activity is logged to this file.

  74. #

  75. #SULOG_FILE	/var/log/sulog

  76. 

  77. #

  78. # If defined, ":" delimited list of "message of the day" files to

  79. # be displayed upon login.

  80. #

  81. #MOTD_FILE 

  82. #MOTD_FILE 

  83. 

  84. #

  85. # If defined, this file will be output before each login prompt.

  86. #

  87. #ISSUE_FILE	/etc/issue

  88. 

  89. #

  90. # If defined, file which maps tty line to TERM environment parameter.

  91. # Each line of the file is in a format something like "vt100  tty01".

  92. #

  93. #TTYTYPE_FILE	/etc/ttytype

  94. 

  95. #

  96. # If defined, login failures will be logged here in a utmp format.

  97. # last, when invoked as lastb, will read /var/log/btmp, so...

  98. #

  99. #FTMP_FILE 

  100. 

  101. #

  102. # If defined, name of file whose presence which will inhibit non-root

  103. # logins.  The contents of this file should be a message indicating

  104. # why logins are inhibited.

  105. #

  106. #NOLOGINS_FILE 

  107. 

  108. #

  109. # If defined, the command name to display when running "su -".  For

  110. # example, if this is defined as "su" then a "ps" will display the

  111. # command is "-su".  If not defined, then "ps" would display the

  112. # name of the shell actually being run, e.g. something like "-sh".

  113. #

  114. SU_NAME		su

  115. 

  116. #

  117. # *REQUIRED*

  118. #   Directory where mailboxes reside, _or_ name of file, relative to the

  119. #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.

  120. #

  121. MAIL_DIR	/var/spool/mail

  122. #MAIL_FILE	.mail

  123. 

  124. #

  125. # If defined, file which inhibits all the usual chatter during the login

  126. # sequence.  If a full pathname, then hushed mode will be enabled if the

  127. # user's name or shell are found in the file.  If not a full pathname, then

  128. # hushed mode will be enabled if the file exists in the user's home directory.

  129. #

  130. HUSHLOGIN_FILE	.hushlogin

  131. #HUSHLOGIN_FILE	/etc/hushlogins

  132. 

  133. #

  134. # If defined, either a TZ environment parameter spec or the

  135. # fully-rooted pathname of a file containing such a spec.

  136. #

  137. #ENV_TZ		TZ=CST6CDT

  138. #ENV_TZ		/etc/tzname

  139. 

  140. #

  141. # If defined, an HZ environment parameter spec.

  142. #

  143. # for Linux/x86

  144. #ENV_HZ 

  145. # For Linux/Alpha...

  146. #ENV_HZ 

  147. 

  148. #

  149. # *REQUIRED*  The default PATH settings, for superuser and normal users.

  150. #

  151. # (they are minimal, add the rest in the shell startup files)

  152. ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin

  153. ENV_PATH	PATH=/bin:/usr/bin

  154. 

  155. #

  156. # Terminal permissions

  157. #

  158. #	TTYGROUP	Login tty will be assigned this group ownership.

  159. #	TTYPERM		Login tty will be set to this permission.

  160. #

  161. # If you have a "write" program which is "setgid" to a special group

  162. # which owns the terminals, define TTYGROUP to the group number and

  163. # TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign

  164. # TTYPERM to either 622 or 600.

  165. #

  166. TTYGROUP	tty

  167. TTYPERM		0600

  168. 

  169. #

  170. # Login configuration initializations:

  171. #

  172. #	ERASECHAR	Terminal ERASE character ('\010' = backspace).

  173. #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).

  174. #	ULIMIT		Default "ulimit" value.

  175. #

  176. # The ERASECHAR and KILLCHAR are used only on System V machines.

  177. # The ULIMIT is used only if the system supports it.

  178. # (now it works with setrlimit too; ulimit is in 512-byte units)

  179. #

  180. # Prefix these values with "0" to get octal, "0x" to get hexadecimal.

  181. #

  182. ERASECHAR	0177

  183. KILLCHAR	025

  184. #ULIMIT		2097152

  185. 

  186. # Default initial "umask" value used by login on non-PAM enabled systems.

  187. # Default "umask" value for pam_umask on PAM enabled systems.

  188. # UMASK is also used by useradd and newusers to set the mode of new home

  189. # directories.

  190. # 022 is the default value, but 027, or even 077, could be considered

  191. # better for privacy. There is no One True Answer here: each sysadmin

  192. # must make up her mind.

  193. UMASK		022

  194. 

  195. #

  196. # Password aging controls:

  197. #

  198. #	PASS_MAX_DAYS	Maximum number of days a password may be used.

  199. #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.

  200. #	PASS_MIN_LEN	Minimum acceptable password length.

  201. #	PASS_WARN_AGE	Number of days warning given before a password expires.

  202. #

  203. PASS_MAX_DAYS	99999

  204. PASS_MIN_DAYS	0

  205. #PASS_MIN_LEN 

  206. PASS_WARN_AGE	7

  207. 

  208. #

  209. # If "yes", the user must be listed as a member of the first gid 0 group

  210. # in /etc/group (called "root" on most Linux systems) to be able to "su"

  211. # to uid 0 accounts.  If the group doesn't exist or is empty, no one

  212. # will be able to "su" to uid 0.

  213. #

  214. #SU_WHEEL_ONLY 

  215. 

  216. #

  217. # If compiled with cracklib support, where are the dictionaries

  218. #

  219. #CRACKLIB_DICTPATH 

  220. 

  221. #

  222. # Min/max values for automatic uid selection in useradd

  223. #

  224. UID_MIN			 1000

  225. UID_MAX			60000

  226. # System accounts

  227. SYS_UID_MIN		  101

  228. SYS_UID_MAX		  999

  229. 

  230. #

  231. # Min/max values for automatic gid selection in groupadd

  232. #

  233. GID_MIN			 1000

  234. GID_MAX			60000

  235. # System accounts

  236. SYS_GID_MIN		  101

  237. SYS_GID_MAX		  999

  238. 

  239. #

  240. # Max number of login retries if password is bad

  241. #

  242. LOGIN_RETRIES		5

  243. 

  244. #

  245. # Max time in seconds for login

  246. #

  247. LOGIN_TIMEOUT		60

  248. 

  249. #

  250. # Maximum number of attempts to change password if rejected (too easy)

  251. #

  252. #PASS_CHANGE_TRIES 

  253. 

  254. #

  255. # Warn about weak passwords (but still allow them) if you are root.

  256. #

  257. #PASS_ALWAYS_WARN 

  258. 

  259. #

  260. # Number of significant characters in the password for crypt().

  261. # Default is 8, don't change unless your crypt() is better.

  262. # Ignored if MD5_CRYPT_ENAB set to "yes".

  263. #

  264. #PASS_MAX_LEN		8

  265. 

  266. #

  267. # Require password before chfn/chsh can make any changes.

  268. #

  269. #CHFN_AUTH 

  270. 

  271. #

  272. # Which fields may be changed by regular users using chfn - use

  273. # any combination of letters "frwh" (full name, room number, work

  274. # phone, home phone).  If not defined, no changes are allowed.

  275. # For backward compatibility, "yes" = "rwh" and "no" = "frwh".

  276. # 

  277. CHFN_RESTRICT		rwh

  278. 

  279. #

  280. # Password prompt (%s will be replaced by user name).

  281. #

  282. # XXX - it doesn't work correctly yet, for now leave it commented out

  283. # to use the default which is just "Password: ".

  284. #LOGIN_STRING		"%s's Password: "

  285. 

  286. #

  287. # Only works if compiled with MD5_CRYPT defined:

  288. # If set to "yes", new passwords will be encrypted using the MD5-based

  289. # algorithm compatible with the one used by recent releases of FreeBSD.

  290. # It supports passwords of unlimited length and longer salt strings.

  291. # Set to "no" if you need to copy encrypted passwords to other systems

  292. # which don't understand the new algorithm.  Default is "no".

  293. #

  294. # Note: If you use PAM, it is recommended to use a value consistent with

  295. # the PAM modules configuration.

  296. #

  297. # This variable is deprecated. You should use ENCRYPT_METHOD.

  298. #

  299. #MD5_CRYPT_ENAB	no

  300. 

  301. #

  302. # Only works if compiled with ENCRYPTMETHOD_SELECT defined:

  303. # If set to MD5 , MD5-based algorithm will be used for encrypting password

  304. # If set to SHA256, SHA256-based algorithm will be used for encrypting password

  305. # If set to SHA512, SHA512-based algorithm will be used for encrypting password

  306. # If set to DES, DES-based algorithm will be used for encrypting password (default)

  307. # Overrides the MD5_CRYPT_ENAB option

  308. #

  309. # Note: If you use PAM, it is recommended to use a value consistent with

  310. # the PAM modules configuration.

  311. #

  312. #ENCRYPT_METHOD DES

  313. 

  314. #

  315. # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.

  316. #

  317. # Define the number of SHA rounds.

  318. # With a lot of rounds, it is more difficult to brute forcing the password.

  319. # But note also that it more CPU resources will be needed to authenticate

  320. # users.

  321. #

  322. # If not specified, the libc will choose the default number of rounds (5000).

  323. # The values must be inside the 1000-999999999 range.

  324. # If only one of the MIN or MAX values is set, then this value will be used.

  325. # If MIN > MAX, the highest value will be used.

  326. #

  327. # SHA_CRYPT_MIN_ROUNDS 5000

  328. # SHA_CRYPT_MAX_ROUNDS 5000

  329. 

  330. #

  331. # List of groups to add to the user's supplementary group set

  332. # when logging in on the console (as determined by the CONSOLE

  333. # setting).  Default is none.

  334. #

  335. # Use with caution - it is possible for users to gain permanent

  336. # access to these groups, even when not logged in on the console.

  337. # How to do it is left as an exercise for the reader...

  338. #

  339. #CONSOLE_GROUPS		floppy:audio:cdrom

  340. 

  341. #

  342. # Should login be allowed if we can't cd to the home directory?

  343. # Default in no.

  344. #

  345. DEFAULT_HOME	yes

  346. 

  347. #

  348. # If this file exists and is readable, login environment will be

  349. # read from it.  Every line should be in the form name=value.

  350. #

  351. #ENVIRON_FILE 

  352. 

  353. #

  354. # If defined, this command is run when removing a user.

  355. # It should remove any at/cron/print jobs etc. owned by

  356. # the user to be removed (passed as the first argument).

  357. #

  358. #USERDEL_CMD	/usr/sbin/userdel_local

  359. 

  360. #

  361. # Enable setting of the umask group bits to be the same as owner bits

  362. # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is

  363. # the same as gid, and username is the same as the primary group name.

  364. #

  365. # This also enables userdel to remove user groups if no members exist.

  366. #

  367. USERGROUPS_ENAB yes

  368. 

  369. #

  370. # If set to a non-nul number, the shadow utilities will make sure that

  371. # groups never have more than this number of users on one line.

  372. # This permit to support split groups (groups split into multiple lines,

  373. # with the same group ID, to avoid limitation of the line length in the

  374. # group file).

  375. #

  376. # 0 is the default value and disables this feature.

  377. #

  378. #MAX_MEMBERS_PER_GROUP	0

  379. 

  380. #

  381. # If useradd should create home directories for users by default (non

  382. # system users only)

  383. # This option is overridden with the -M or -m flags on the useradd command

  384. # line.

  385. #

  386. #CREATE_HOME     yes