04-13-2015
Hi Ron,
Please find the contents of the /etc/security/user file:
Code :
*******************************************************************************
* VALID USER ATTRIBUTES FOR /ETC/SECURITY/USER:
*
* account_locked Defines whether the account is locked. Locked accounts can
* not be used for login. Possible values: true or false.
*
* admin Defines the administrative status of the user.
* Possible values: true or false.
*
* admgroups Lists the groups that the user administrates. The value
* is a comma-separated list of valid group names.
*
* auth1 Defines primary authentication methods for a user. This
* attribute describes Version 3 style authentication methods.
* Commands login, telnet, rlogin, and su support these
* authentication methods.
*
* Possible values: SYSTEM,NONE,token;username.
*
* SYSTEM : Describes normal password authentication in
* Version 3. Version 4 has extended this
* definition to include loadable modules and
* an authentication grammar. See SYSTEM
* attribute description below.
*
* NONE : No authentication.
*
* token;username : A generic name for a custom
* authentication method defined in
* /etc/security/login.cfg.
*
* Example:
* If auth1 is:
* auth1 = SYSTEM,mylogin;mary
*
* And the stanza in /etc/security/login.cfg is:
* mylogin:
* program = /etc/myprogram
*
* This will do password authentication, and then
* invoke the program /etc/myprogram with "mary"
* as the first parameter.
*
* auth2 Defines the secondary authentication methods for a user.
* It is not a requirement to pass this method to login.
* See auth1 description above for examples.
*
* SYSTEM Describes Version 4 authentication requirements. This
* attribute can be used to describe multiple or alternate
* authentication methods. See authenticate() routine and
* SYSTEM grammar manual pages.
*
* Possible tokens:
*
* files : local only authentication.
* compat : local plus NIS authentication.
* Version 3 behavior.
* DCE : Distributed Computing Environment
* authentication.
*
* Example:
* SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
*
* daemon Defines whether the user can execute programs using the system
* resource controller (SRC). Possible values: true or false.
*
* dictionlist Defines the password dictionaries used when checking new
* passwords. The format is a comma-separated list of absolute
* path names to dictionary files. A dictionary file contains
* one word per line where each word has no leading or trailing
* white space. Words should only contain 7 bit ASCII characters.
* All dictionary files and directories should be write protected
* from everyone except root. The default is valueless, which is
* equivalent to no dictionary checking.
*
* Example dictionary: /usr/share/dict/words
* (Only available if text processing is installed.)
*
* expires Defines the expiration time for the user account.
* Possible values: a valid date in the form MMDDHHMMYY or 0.
* If 0 the account does not expire. If 0101000070 the account
* is disabled. The range for YY is:
* 00 - 38 years 2000 thru 2038
* 39 - 99 years 1939 thru 1999
*
* histexpire Defines the period of time in weeks that a user
* will not be able to reuse a password.
* Possible values: an integer value between 0 and 260.
* 26 (approximately 6 months) is the recommended value.
*
* histsize Defines the number of previous passwords which cannot be
* reused.
* Possible values: an integer value between 0 and 50.
*
* login Defines whether the user can login.
* Possible values : true or false.
*
* logintimes Defines the times a user can login. The value is a comma
* separated list of items as follows:
* [!][MMdd[-MMdd]]:hhmm-hhmm
* or
* [!]MMdd[-MMdd][:hhmm-hhmm]
* or
* [!][w[-w]]:hhmm-hhmm
* or
* [!]w[-w][:hhmm-hhmm]
* where MM is a month number (00=January, 11=December), dd is
* the day of the month, hh is the hour of the day (00 - 23), mm
* is the minute of the hour, and w is a weekday (0=Sunday, 6=
* Saturday).
*
* loginretries The number of invalid login attempts before a user is not
* allowed to login. Possible values: a positive integer or 0
* to disable this feature.
*
* maxage Defines the maximum number of weeks a password is valid. The
* default is 0, which is equivalent to unlimited. Range: 0 to 52.
*
* maxexpired Defines the maximum number of weeks after maxage that an expired
* password can be changed by a user. The default is -1, which
* is equivalent to unlimited. Range: -1 to 52. maxage must
* be greater than 0 for maxexpired to be enforced. (root is
* exempt from maxexpired.)
*
* maxrepeats Defines the maximum number of times a given character can
* appear in a password. The default is 8, which is equivalent
* to unlimited. Range: 0 to 8.
*
* minage Defines the minimum number of weeks between password changes.
* The default is 0. Range: 0 to 52.
*
* minalpha Defines the minimum number of alphabetic characters in a
* password. The default is 0. Range: 0 to 8.
*
* mindiff Defines the minimum number of characters in the new password
* that were not in the old password. The default is 0.
* Range: 0 to 8.
*
* minlen Defines the minimum length of a password. The default is 0.
* Range: 0 to 8.
*
* Note: The minimum length of a password is determined by minlen and/or
* 'minalpha + minother', whichever is greater. 'minalpha + minother'
* should never be greater than 8. If 'minalpha + minother' is greater
* than 8, then minother is reduced to '8 - minalpha'.
*
* minother Defines the minimum number of non-alphabetic characters in a
* password. The default is 0. Range: 0 to 8.
*
* pwdchecks Defines external password restriction methods used when
* checking new passwords. The format is a comma-separated list
* of absolute path names to methods and/or method path names
* relative to /usr/lib. A password restriction method is a
* program module that is loaded by the password restrictions code
* at runtime. All password restriction methods and directories
* should be write protected from everyone except root. The
* default is valueless, which is equivalent to no external
* password restriction methods.
*
* pwdwarntime The number of days before a forced password change that a
* warning will be given to the user informing them of the
* impending password change. Possible values: a positive integer
* or 0 to disable this feature.
*
* registry Describes where this user is administered. It is used
* whenever there is a possibility of resolving a remotely
* administered user to the local administration domain.
* This can happen when network services go down or
* network databases are replicated locally.
* Possible values : files, NIS, or DCE
*
* rlogin Defines whether the user account can be accessed by remote
* logins. Commands rlogin and telnet support this attribute.
* Possible values: true or false.
*
* su Defines whether other users can switch to this user account.
* Command su supports this attribute.
* Possible values: true or false.
*
* sugroups Defines which groups can switch to this user account.
* Alternatively you may explicitly deny groups by preceding
* the group name with a ! character.
* Possible values :
* A list of valid groups separated by commas, ALL, or *.
*
* tpath Defines the user's trusted path characteristics.
* Possible values:
* nosak : The Secure Attention Key (SAK) key (^X^R)
* has no effect.
* notsh : The SAK key logs you out. You can never be
* on the trusted path.
* always : When you log in you are always on the
* trusted path.
* on : The trusted path is entered when the SAK
* key is hit.
*
* Note : This attribute only takes effect if the sak_enabled
* attribute (in /etc/security/login.cfg) is set to
* true for the port you are logging into.
*
* ttys Defines which terminals can access the user account.
* Alternatively you may explicitly deny terminals by preceding
* the terminal name with the ! character.
* Possible values:
* List of device paths separated by commas, ALL or *.
*
* umask Defines the default umask for the user.
* Possible values: three-digit octal value.
*
* Notes: Boolean values (i.e. true or false) may use any of the
* following values. These values are not case sensitive.
*
* true, false, yes, no, always, never.
*
*******************************************************************************
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false

daemon:
        admin = true
        expires = 0101000070

bin:
        admin = true
        expires = 0101000070

sys:
        admin = true
        expires = 0101000070

adm:
        admin = true

uucp:
        admin = true
        login = false
        rlogin = false
        su = true

guest:

nobody:
        admin = true
        expires = 0101000070

lpd:
        admin = true
        expires = 0101000070

invscout:
        admin = true

snapp:
        admin = false
        rlogin = false
        su = false
        SYSTEM = "NONE"
        login = true
        ttys = /dev/tty0
        registry = files
        dce_export = false

ipsec:
        admin = false

nuucp:
        admin = false

esaadmin:
        admin = true

edsadm:
        admin = false
        registry = files
        umask = 22

oraeds:
        admin = false
        registry = files
        umask = 22

test:
        admin = false

However, except for the root user, ls -ltr displays the uid and gid rather than the user name and group name.
Thanks and Regards
Madhav
Moderator's Comments:
Use code tags, thanks.
Last edited by zaxxon; 04-13-2015 at 10:08 AM ..
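
Added example (not part of the original post and not AIX code): a small Python parser for the stanza format posted above that merges the `default` stanza into each user stanza and lists the effective settings an administrator would review, using the meanings given in the file header (`expires = 0101000070` disables the account, `loginretries = 0` turns the retry limit off, boolean values are not case sensitive). The sample text is a constructed subset of the posted file; the function names and the note wording are assumptions of this example.

```python
import re

# Constructed sample: a subset of the stanzas from the file posted above.
SAMPLE = '''\
* header comment lines start with an asterisk
default:
        rlogin = true
        expires = 0
        SYSTEM = "compat"
        loginretries = 0
root:
        admin = true
daemon:
        expires = 0101000070
snapp:
        rlogin = false
        SYSTEM = "NONE"
'''

TRUE = {"true", "yes", "always"}  # boolean spellings listed in the file header

CHECKS = [  # (attribute, test on the effective value, note to report)
    ("expires", lambda v: v == "0101000070", "account disabled"),
    ("SYSTEM", lambda v: v.upper() == "NONE", "SYSTEM=NONE"),
    ("rlogin", lambda v: v.lower() in TRUE, "rlogin allowed"),
    ("loginretries", lambda v: v == "0", "no login lockout"),
]

def parse_stanzas(text):
    """Parse stanza text into {stanza_name: {attribute: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # blank line or header comment
        if re.fullmatch(r"[^\s=]+:", line):
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def audit(stanzas):
    """Overlay each user stanza on 'default'; return {user: [notes]}."""
    default = stanzas.get("default", {})
    return {user: [note for key, test, note in CHECKS
                   if test({**default, **attrs}.get(key, ""))]
            for user, attrs in stanzas.items() if user != "default"}
```

Calling `audit(parse_stanzas(open("/etc/security/user").read()))` on a copy of the real file gives the same per-user view; attributes missing from both the user stanza and `default` are not reported.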