#
# /etc/login.defs - settings for user account and group utilities.
#
# Layout: one "KEY value" directive per line; a line starting with '#' is a
# comment, so a directive prefixed with '#' is inactive.
#

#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimal delay (e.g.
#       pam_unix enforces a 2s delay)
#
# This setting affects 'su' and 'login' from util-linux.
#
FAIL_DELAY 3

#
# Enable display of unknown usernames when login failures are recorded.
#
# NOTE(review): keep this at "no" unless there is a specific need. A user who
# types a password at the username prompt would otherwise have it written to
# the failure log as an "unknown username".
#
# This setting affects 'login' from util-linux.
#
LOG_UNKFAIL_ENAB no

#
# Enable "syslog" logging of 'sg' activity.
#
# This setting affects 'sg' from shadow.
#
SYSLOG_SG_ENAB yes

#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login. This is better handled by pam_motd.so, so the
# declaration here is empty to suppress display by tools which read
# their settings from this file.
#
# This setting affects 'login' from util-linux.
#
MOTD_FILE
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd

#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
# This setting affects 'useradd', 'userdel' and 'usermod' from shadow.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#QMAIL_DIR Maildir

#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
# This setting affects 'login' from util-linux.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins

#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#
# NOTE(review): both values list /usr/local/* ahead of the system directories,
# so a binary placed there shadows the system one of the same name. Keep
# /usr/local writable by root only, and never add "." or a relative entry.
#
# These settings affect 'login', 'su' and 'runuser' from util-linux.
#
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
#ENV_ROOTPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin

#
# If set to yes and --login and --preserve-environment were not specified
# su initializes PATH.
#
# This setting affects 'su' and 'runuser' from util-linux.
#
#ALWAYS_SET_PATH no

#
# Terminal permissions
#
#	TTYGROUP	Login tty will be assigned this group ownership.
#	TTYPERM		Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# NOTE(review): 0620 gives write access to the owner and to TTYGROUP only.
# Of the two fallbacks, 622 is world-writable (any local user can write to
# the terminal) and 600 is the restrictive choice.
#
# These settings affect 'login' from util-linux.
#
TTYGROUP tty
TTYPERM 0620

#
# This is the umask used to set the mode of new user directories.
#
# 022 is the default value, but 027, or even 077, could be considered
# better for privacy. There is no One True Answer here: each sysadmin
# must make up her mind.
#
# NOTE(review): with 022 a new home directory comes out as 0755, i.e. readable
# and searchable by every local account; 027 limits that to the group and 077
# to the owner.
#
# This setting affects 'newusers' and 'useradd' from shadow.
#
UMASK 022

#
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
# NOTE(review): 99999 days effectively disables password expiry. These values
# are presumably applied when an account is created; existing accounts keep
# the aging fields already stored in /etc/shadow - confirm with chage(1).
#
# These settings affect 'chpasswd', 'newusers', 'pwck', 'pwconv', 'pwunconv',
# 'useradd' and 'usermod' from shadow.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#
# This setting affects 'passwd' from shadow.
#
# NOTE(review): a five-character minimum is short. Where password changes go
# through PAM, the length policy is usually enforced by the PAM password
# quality module and this value may not be consulted - confirm for this build.
#
PASS_MIN_LEN 5

#
# Min/max values for automatic uid selection in useradd from shadow
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 101
SYS_UID_MAX 999

#
# Min/max values for automatic gid selection in groupadd from shadow
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 101
SYS_GID_MAX 999

#
# Max number of login retries if password is bad
#
# This setting affects 'login' from util-linux.
#
LOGIN_RETRIES 5

#
# Max time in seconds for login
#
# This setting affects 'login' from util-linux.
#
LOGIN_TIMEOUT 60

#
# Maximum number of attempts to change password if rejected (too easy)
#
# This setting affects 'passwd' from shadow.
#
PASS_CHANGE_TRIES 5

#
# Warn about weak passwords (but still allow them) if you are root.
#
# This setting affects 'passwd' from shadow.
#
PASS_ALWAYS_WARN yes

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
# This setting affects 'passwd' from shadow.
#
#PASS_MAX_LEN 8

#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
# NOTE(review): the built-in default is DES, so this directive must stay set.
# DES and MD5 are legacy schemes; do not select them for new password hashes.
#
# This setting affects 'passwd' from shadow.
#
ENCRYPT_METHOD SHA512

#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute force the password.
# But note also that more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# NOTE(review): both directives below are commented out, so the libc default
# applies. A raised value presumably affects only hashes written after the
# change; where PAM sets passwords, keep its rounds option consistent - confirm.
#
# This setting affects 'passwd' from shadow.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000

#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
# NOTE(review): "yes" overrides the stated default, so a session still starts
# when the home directory is missing or inaccessible. Set "no" if a login
# without the user's home (and its dotfiles) is not acceptable.
#
# This setting affects 'login' from util-linux.
#
DEFAULT_HOME yes

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
# NOTE(review): if enabled, the script is invoked by userdel (normally run as
# root); keep it root-owned and not writable by group or others.
#
# This setting affects 'userdel' from shadow.
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
# This setting affects 'useradd' and 'userdel' from shadow.
#
USERGROUPS_ENAB yes

#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits support for split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0

#
# If useradd should create home directories for users by default (non
# system users only)
# This option is overridden with the -M or -m flags on the useradd command
# line.
#
# This setting affects 'useradd' from shadow.
#
#CREATE_HOME yes