d316ba1b87
users. (was sometimes <emphasis remap='I'>) * Use <option> for the variable names. This makes the manpage much more readable. * (ENCRYPT_METHOD, MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS): Mention that command line option may supersede the system setting. * Document the variables used by chpasswd and chgpasswd.
435 lines
14 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<refentry id='login.defs.5'>
<!-- $Id$ -->
<refmeta>
<refentrytitle>login.defs</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>login.defs</refname>
<refpurpose>shadow password suite configuration</refpurpose>
</refnamediv>

<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The <filename>/etc/login.defs</filename> file defines the
site-specific configuration for the shadow password suite. This file
is required: its absence will not prevent system operation,
but will probably result in undesirable operation.
</para>

<para>
This file is a readable text file, each line of the file describing
one configuration parameter. The lines consist of a configuration name
and value, separated by whitespace. Blank lines and comment lines are
ignored. Comments are introduced with a "#" pound sign and the pound
sign must be the first non-white character of the line.
</para>

<para>
Parameter values may be of four types: strings, booleans, numbers, and
long numbers. A string consists of any printable characters. A
boolean should be either the value <replaceable>yes</replaceable> or
<replaceable>no</replaceable>. An undefined boolean
parameter or one with a value other than these will be given a
<replaceable>no</replaceable>
value. Numbers (both regular and long) may be either decimal values,
octal values (precede the value with <replaceable>0</replaceable>) or
hexadecimal values
(precede the value with <replaceable>0x</replaceable>).
The maximum value of the regular and
long numeric parameters is machine-dependent.
</para>
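<para>
The parameter syntax described above, as an added example that is not
part of this manual page or of the shadow suite's own configuration
reader: a small Python parser applying the same rules (a line is a
comment only when the pound sign is its first non-white character, the
name and value are split on whitespace, an undefined or malformed boolean
reads as <replaceable>no</replaceable>, and the
<replaceable>0</replaceable> and <replaceable>0x</replaceable> prefixes
select octal and hexadecimal). The sample file content and the function
names are constructed for the example.
</para>
<programlisting><![CDATA[
```python
"""Parser for the login.defs line format as described in login.defs(5).

Added example, not the shadow suite's own getdef code."""

# Constructed sample content, not a real system's /etc/login.defs.
SAMPLE = """\
# site-specific shadow settings (constructed sample)
ENCRYPT_METHOD        SHA512
   # an indented comment: '#' is still the first non-white character
SHA_CRYPT_MIN_ROUNDS  5000
UMASK                 022
UID_MIN               0x3E8
PASS_MAX_DAYS         -1
CHFN_AUTH             yes
MD5_CRYPT_ENAB        maybe
"""


def parse_login_defs(text):
    """Return {NAME: raw value}; a repeated name keeps its last value."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Blank lines and comment lines are ignored.
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 1)
        if len(fields) != 2:
            continue  # a name with no value defines nothing
        params[fields[0]] = fields[1].strip()
    return params


def get_bool(params, name):
    """Booleans: only the literal 'yes' is true; undefined or any other value is 'no'."""
    return params.get(name) == "yes"


def get_num(params, name, default=None):
    """Numbers: decimal, octal with a leading 0, hexadecimal with a leading 0x."""
    raw = params.get(name)
    if raw is None:
        return default
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    if len(raw) > 1 and raw.startswith("0"):
        return int(raw, 8)   # so UMASK 022 becomes 18, not twenty-two
    return int(raw, 10)
```
]]></programlisting>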

<para>The following configuration items are provided:</para>

<variablelist remap='IP'>
<varlistentry>
<term><option>CHFN_AUTH</option> (boolean)</term>
<listitem>
<para>
If <replaceable>yes</replaceable>, the
<command>chfn</command> and <command>chsh</command> programs
will require authentication before making any changes, unless
run by the superuser.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>CHFN_RESTRICT</option> (string)</term>
<listitem>
<para>
This parameter specifies which values in the <emphasis
remap='I'>gecos</emphasis> field of the
<filename>/etc/passwd</filename> file may be changed by regular
users using the <command>chfn</command> program. It can be any
combination of letters <replaceable>f</replaceable>,
<replaceable>r</replaceable>, <replaceable>w</replaceable>,
<replaceable>h</replaceable>, for Full name, Room number,
Work phone, and Home phone, respectively. For backward
compatibility, <replaceable>yes</replaceable> is equivalent to
<replaceable>rwh</replaceable> and
<replaceable>no</replaceable> is
equivalent to <replaceable>frwh</replaceable>. If not specified,
only the superuser can
make any changes. The most restrictive setting is better
achieved by not installing <command>chfn</command> SUID.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>ENCRYPT_METHOD</option> (string)</term>
<listitem>
<para>
This defines the system default encryption algorithm for
encrypting passwords (if no algorithm is specified on the
command line).
</para>
<para>
It can take one of these values:
<itemizedlist>
<listitem>
<para><replaceable>DES</replaceable> (default)</para>
</listitem>
<listitem>
<para><replaceable>MD5</replaceable></para>
</listitem>
<listitem>
<para><replaceable>SHA256</replaceable></para>
</listitem>
<listitem>
<para><replaceable>SHA512</replaceable></para>
</listitem>
</itemizedlist>
</para>
<para>
Note: this parameter overrides the
<option>MD5_CRYPT_ENAB</option> variable.
</para>
<para>
Note: if you use PAM, it is recommended to set this variable
consistently with the PAM modules configuration.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>GID_MAX</option> (number)</term>
<term><option>GID_MIN</option> (number)</term>
<listitem>
<para>
Range of group IDs to choose from for the
<command>useradd</command> and <command>groupadd</command>
programs.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>MAIL_DIR</option> (string)</term>
<listitem>
<para>
The mail spool directory. This is needed to manipulate the
mailbox when its corresponding user account is modified or
deleted. If not specified, a compile-time default is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>MAX_MEMBERS_PER_GROUP</option> (number)</term>
<listitem>
<para>
Maximum members per group entry. When the maximum is reached,
a new group entry (line) is started in
<filename>/etc/group</filename> (with the same name, same
password, and same GID).
</para>
<para>
The default value is 0, meaning that there is no limit on
the number of members in a group.
</para>
<!-- Note: on HP, split groups have the same ID, but different
names. -->
<para>
This feature (split group) permits limiting the length of
lines in the group file. This is useful to make sure that
lines for NIS groups are not larger than 1024 characters.
</para>
<para>
If you need to enforce such a limit, you can use 25.
</para>
<para>
Note: split groups may not be supported by all tools (even in
the Shadow toolsuite). You should not use this variable unless
you really need it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>MD5_CRYPT_ENAB</option> (boolean)</term>
<listitem>
<para>
Indicate if passwords must be encrypted using the MD5-based
algorithm. If set to <replaceable>yes</replaceable>, new
passwords will be encrypted
using the MD5-based algorithm compatible with the one used by
recent releases of FreeBSD. It supports passwords of
unlimited length and longer salt strings. Set to
<replaceable>no</replaceable> if you
need to copy encrypted passwords to other systems which don't
understand the new algorithm. Default is
<replaceable>no</replaceable>.
</para>
<para>
This variable is superseded by the
<option>ENCRYPT_METHOD</option> variable or by any command
line option used to configure the encryption algorithm.
</para>
<para>
This variable is deprecated. You should use
<option>ENCRYPT_METHOD</option>.
</para>
<para>
Note: if you use PAM, it is recommended to set this variable
consistently with the PAM modules configuration.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>PASS_MAX_DAYS</option> (number)</term>
<listitem>
<para>
The maximum number of days a password may be used. If the
password is older than this, a password change will be forced.
If not specified, -1 will be assumed (which disables the
restriction).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>PASS_MIN_DAYS</option> (number)</term>
<listitem>
<para>
The minimum number of days allowed between password changes.
Any password changes attempted sooner than this will be
rejected. If not specified, -1 will be assumed (which disables
the restriction).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>PASS_WARN_AGE</option> (number)</term>
<listitem>
<para>
The number of days warning given before a password expires. A
zero means warning is given only upon the day of expiration, a
negative value means no warning is given. If not specified, no
warning will be provided.
</para>
</listitem>
</varlistentry>
</variablelist>
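<para>
How <option>MAX_MEMBERS_PER_GROUP</option> splits one group over several
<filename>/etc/group</filename> lines, as an added example that is not
the shadow suite's own group-file code: the writer starts a new line
with the same name, password and GID each time the limit is reached, and
the reader shows what a tool must do to see the whole membership (a tool
without split-group support stops at the first line). The group data and
the function names are constructed for the example.
</para>
<programlisting><![CDATA[
```python
"""Split-group handling for MAX_MEMBERS_PER_GROUP (login.defs(5)).

Added example, not the shadow suite's own group-file code."""


def format_group_lines(name, password, gid, members, max_members_per_group=0):
    """Return the /etc/group line(s) for one group.

    0 (the default) means no limit: one line carries every member. A positive
    value starts a new line with the same name, password and GID each time the
    limit is reached, keeping every line short (e.g. under the 1024 characters
    the page mentions for NIS groups).
    """
    if max_members_per_group < 0:
        raise ValueError("MAX_MEMBERS_PER_GROUP must be 0 or a positive number")
    if max_members_per_group == 0 or not members:
        return ["%s:%s:%d:%s" % (name, password, gid, ",".join(members))]
    step = max_members_per_group
    return ["%s:%s:%d:%s" % (name, password, gid, ",".join(members[i:i + step]))
            for i in range(0, len(members), step)]


def merge_group_lines(lines):
    """Reassemble one split group from its lines. A tool without split-group
    support would instead use only the first line and miss the other members."""
    name = password = gid = None
    members = []
    for line in lines:
        n, p, g, m = line.split(":", 3)
        if name is None:
            name, password, gid = n, p, int(g)
        elif (n, p, int(g)) != (name, password, gid):
            raise ValueError("line %r does not belong to group %s" % (line, name))
        if m:
            members.extend(m.split(","))
    return name, password, gid, members


# Constructed sample: 60 members with the limit of 25 suggested by the page.
SAMPLE_MEMBERS = ["user%02d" % i for i in range(1, 61)]
SAMPLE_LINES = format_group_lines("devs", "x", 1001, SAMPLE_MEMBERS, 25)
```
]]></programlisting>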

<para>
<option>PASS_MAX_DAYS</option>, <option>PASS_MIN_DAYS</option> and
<option>PASS_WARN_AGE</option> are only used at the
time of account creation. Any changes to these settings won't affect
existing accounts.
</para>
<variablelist remap='IP'>
<varlistentry>
<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
<listitem>
<para>
When <option>ENCRYPT_METHOD</option> is set to
<replaceable>SHA256</replaceable> or
<replaceable>SHA512</replaceable>, this defines the number of
SHA rounds used by the encryption algorithm by default (when
the number of rounds is not specified on the command line).
</para>
<para>
With a large number of rounds, brute-forcing the password is
more difficult. But note also that more CPU resources will be
needed to authenticate users.
</para>
<para>
If not specified, the libc will choose the default number of
rounds (5000).
</para>
<para>
The values must be inside the 1000-999999999 range.
</para>
<para>
If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
<option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this
value will be used.
</para>
<para>
If <option>SHA_CRYPT_MIN_ROUNDS</option> >
<option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will
be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>UID_MAX</option> (number)</term>
<term><option>UID_MIN</option> (number)</term>
<listitem>
<para>
Range of user IDs to choose from for the
<command>useradd</command> program.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>UMASK</option> (number)</term>
<listitem>
<para>
The permission mask is initialized to this value. If not
specified, the permission mask will be initialized to 022.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>USERDEL_CMD</option> (string)</term>
<listitem>
<para>
If defined, this command is run when removing a user. It should
remove any at/cron/print jobs etc. owned by the user to be
removed (passed as the first argument).
</para>
</listitem>
</varlistentry>
</variablelist>
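<para>
The precedence between a command line option,
<option>ENCRYPT_METHOD</option> and the deprecated
<option>MD5_CRYPT_ENAB</option>, and the way
<option>SHA_CRYPT_MIN_ROUNDS</option> and
<option>SHA_CRYPT_MAX_ROUNDS</option> resolve, as an added example that
is not the shadow suite's own salt or rounds code. Because the page does
not say how a count is picked when both bounds are set and differ, the
example reports the interval the rounds will fall in rather than choosing
one value; the function names are constructed for the example.
</para>
<programlisting><![CDATA[
```python
"""Algorithm and SHA-rounds resolution as described in login.defs(5).

Added example, not the shadow suite's own salt/rounds code."""

LIBC_DEFAULT_ROUNDS = 5000                 # libc default when nothing is set
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999   # allowed range given by the page


def effective_method(encrypt_method=None, md5_crypt_enab=False, cmdline_method=None):
    """A command line option supersedes ENCRYPT_METHOD, which in turn
    overrides the deprecated MD5_CRYPT_ENAB; DES remains the default."""
    if cmdline_method:
        return cmdline_method
    if encrypt_method:
        return encrypt_method
    return "MD5" if md5_crypt_enab else "DES"


def effective_rounds_range(method, min_rounds=None, max_rounds=None,
                           cmdline_rounds=None):
    """Return (low, high) bounding the rounds that will be used, or None
    when the method is not SHA256/SHA512 (rounds apply only to those)."""
    if method not in ("SHA256", "SHA512"):
        return None
    if cmdline_rounds is not None:
        low = high = cmdline_rounds            # command line wins over the file
    elif min_rounds is None and max_rounds is None:
        low = high = LIBC_DEFAULT_ROUNDS       # libc chooses its default
    elif min_rounds is None or max_rounds is None:
        low = high = min_rounds if max_rounds is None else max_rounds  # only one set
    elif min_rounds > max_rounds:
        low = high = min_rounds                # MIN > MAX: the highest value is used
    else:
        # Both set and ordered: the value lies between them (how it is
        # picked is not stated on the page, so only the bounds are returned).
        low, high = min_rounds, max_rounds
    for value in (low, high):
        if not ROUNDS_MIN <= value <= ROUNDS_MAX:
            raise ValueError("rounds %d outside %d-%d" % (value, ROUNDS_MIN, ROUNDS_MAX))
    return low, high
```
]]></programlisting>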
</refsect1>

<refsect1 id='cross_reference'>
<title>CROSS REFERENCE</title>
<para>
The following cross reference shows which programs in the shadow
password suite use which parameters.
</para>
<!-- .na -->
<variablelist remap='IP'>
<varlistentry>
<term>chfn</term>
<listitem>
<para>CHFN_AUTH CHFN_RESTRICT</para>
</listitem>
</varlistentry>
<varlistentry>
<term>chgpasswd</term>
<listitem>
<para>
MD5_CRYPT_ENAB ENCRYPT_METHOD SHA_CRYPT_MIN_ROUNDS
SHA_CRYPT_MAX_ROUNDS MAX_MEMBERS_PER_GROUP
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>chpasswd</term>
<listitem>
<para>
MD5_CRYPT_ENAB ENCRYPT_METHOD SHA_CRYPT_MIN_ROUNDS
SHA_CRYPT_MAX_ROUNDS
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>chsh</term>
<listitem>
<para>CHFN_AUTH</para>
</listitem>
</varlistentry>
<varlistentry>
<term>groupadd</term>
<listitem>
<para>GID_MAX GID_MIN</para>
</listitem>
</varlistentry>
<varlistentry>
<term>newusers</term>
<listitem>
<para>
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pwconv</term>
<listitem>
<para>PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE</para>
</listitem>
</varlistentry>
<varlistentry>
<term>useradd</term>
<listitem>
<para>
GID_MAX GID_MIN
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
UID_MAX UID_MIN
UMASK
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>userdel</term>
<listitem>
<para>MAIL_DIR
USERDEL_CMD
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>usermod</term>
<listitem>
<para>MAIL_DIR</para>
<!-- .ad -->
</listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1 id='bugs'>
<title>BUGS</title>
<para>
Much of the functionality that used to be provided by the shadow
password suite is now handled by PAM. Thus,
<filename>/etc/login.defs</filename> is no longer used by programs
such as: <citerefentry>
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>, <citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>, <citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>. Please refer to the corresponding PAM configuration
files instead.
</para>
</refsect1>

<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>