Diffstat (limited to 'base/bin/config/login.defs')
-rw-r--r-- | base/bin/config/login.defs | 261 |
1 files changed, 261 insertions, 0 deletions
diff --git a/base/bin/config/login.defs b/base/bin/config/login.defs
new file mode 100644
index 0000000..b929796
--- /dev/null
+++ b/base/bin/config/login.defs
@@ -0,0 +1,261 @@
+#
+# /etc/login.defs - settings for user account and group utilities.
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
+# pam_unix enforces a 2s delay)
+#
+# This setting affects 'su' and 'login' from util-linux.
+#
+FAIL_DELAY 3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# This setting affects 'login' from util-linux.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable "syslog" logging of 'sg' activity.
+#
+# This setting affects 'sg' from shadow.
+#
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login. This is better handled by pam_motd.so so the
+# declaration here is empty to suppress display by tools which read
+# their settings from this file.
+#
+# This setting affects 'login' from util-linux.
+#
+MOTD_FILE
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+# This setting affects 'useradd', 'userdel' and 'usermod' from shadow.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+#QMAIL_DIR Maildir
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+# This setting affects 'login' from util-linux.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#
+# These settings affects 'login', 'su' and 'runuser' from util-linux.
+#
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
+#ENV_ROOTPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+
+#
+# If set to yes and --login and --preserve-environment were not specified
+# su initializes PATH.
+#
+# This setting affects 'su' and 'runuser' from util-linux.
+#
+#ALWAYS_SET_PATH no
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# These settings affects 'login' from util-linux.
+#
+TTYGROUP tty
+TTYPERM 0620
+
+#
+# This is the umask used to set the mode of new user directories.
+#
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+#
+# This setting affects 'newusers' and 'useradd' from shadow.
+#
+UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+# These settings affects 'chpasswd', 'newusers', 'pwck', 'pwconv', 'pwunconv',
+# 'useradd' and 'usermod' from shadow.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+#
+# This setting affects 'passwd' from shadow.
+#
+PASS_MIN_LEN 5
+
+#
+# Min/max values for automatic uid selection in useradd from shadow
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd for shadow
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad
+#
+# This setting affects 'login' from util-linux.
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+# This setting affects 'login' from util-linux.
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+# This setting affects 'passwd' from shadow.
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+# This setting affects 'passwd' from shadow.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+# This setting affects 'passwd' from shadow.
+#
+#PASS_MAX_LEN 8
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This setting affects 'passwd' from shadow.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# This setting affects 'passwd' from shadow.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+# This setting affects 'login' from util-linux.
+#
+DEFAULT_HOME yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+# This setting affects 'userdel' from shadow.
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+# This setting affects 'useradd' and 'userdel' from shadow.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+# This setting affects 'useradd' from shadow.
+#
+#CREATE_HOME yes |
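Review bot: `PASS_MIN_LEN 5` sets a five-character minimum for 'passwd' from shadow, which is too short to resist offline guessing even with `ENCRYPT_METHOD SHA512`; I would raise it, e.g. `PASS_MIN_LEN 12`, and, since the file itself notes that PAM modules can apply their own settings, confirm that the PAM password stack enforces a consistent minimum. The two `SHA_CRYPT_*_ROUNDS` lines are left commented out, so by the file's own comment libc falls back to 5000 rounds; uncommenting them with a higher value inside the documented 1000-999999999 range would slow brute forcing of a leaked shadow file, at the CPU cost the comment already describes. `UMASK 022` also leaves new home directories readable by other local users, and the comment above it already names `027` or `077` as the more private choices.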