LOGIN(5) File Formats Manual LOGIN(5)
/etc/login.defs - Login configuration
The /etc/login.defs file defines the site-specific configuration for the shadow login suite. This file is required. Absence of this file
will not prevent system operation, but will probably result in undesirable operation.
This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name
and value, seperated by whitespace. Blank lines and comment lines are ignored. Comments are introduced with a `#' pound sign and the
pound sign must be the first non-white character of the line.
Parameter values may be of four types: strings, booleans, numbers, and long numbers. A string is comprised of any printable characters.
A boolean should be either the value ``yes'' or ``no''. An undefined boolean parameter or one with a value other than these will be given
a ``no'' value. Numbers (both regular and long) may be either decimal values, octal values (precede the value with ``0'') or hexadecimal
values (precede the value with ``0x''). The maximum value of the regular and long numeric parameters is machine-dependant.
The following configuration items are provided:
User accounts and Group names have to match the regex expression of this variable.
If yes, the chfn and chsh programs will ask for password before making any changes, unless run by the superuser.
This parameter specifies which values in the gecos field of the passwd file may be changed by regular users using the chfn program.
It can be any combination of letters f, r, w, h, for Full name, Room number, Work phone, and Home phone, respectively. If not spec-
ified, only the superuser can make any changes.
If the home directory of a user is not reachable, should the use be allowed to login ?
This parameter must be defined as the search path for regular users. When a login with UID other than zero occurs, the PATH envi-
ronment parameter is initialized to this value.
This parameter must be defined as the search path for root.
Delay time in seconds after each failed login attempt.
Range of group IDs to choose from for the groupadd program.
This parameter is used to establish ``hushlogin'' conditions. There are two possible ways to establish these conditions. First, if
the value of this parameter is a filename and that file exists in the user's home directory then ``hushlogin'' conditions will be in
effect. The contents of this file are ignored; its mere presence triggers ``hushlogin'' conditions. Second, if the value of this
parameter is a full pathname and either the user's login name or the user's shell is found in this file, then ``hushlogin'' condi-
tions will be in effect. In this case, the file should be in a format similar to:
When ``hushlogin'' conditions are established, the message of the day printed by /bin/login is suppressed. See MOTD_FILE for related
If yes then unknown usernames will be included when a login failure is recorded. Note that this is a potential security risk; a
common login failure mode is transposition of the user name and password, thus this mode will often cause passwords to accumulate in
the failure logs. If this option is disabled then unknown usernames will be suppressed in login failure messages.
Number of login attempts allowed before the login program exits.
Time in seconds after the login program exits if the user doesn't type his password.
This parameter specifies a colon-delimited list of pathnames to ``message of the day'' files. If a specified file exists, then its
contents are displayed to the user upon login. If this parameter is not defined or ``hushlogin'' login conditions are in effect,
this information will be suppressed.
The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If
not specified, a zero value will be assumed.
The maximum number of days a password may be used. If the password is older than this, then the account will be locked. If not
specified, a large value will be assumed.
The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a nega-
tive value means no warning is given. If not specified, no warning will be provided.
Max group ID value used by automatic gid selection in groupadd for system groups
Min group ID value used by automatic gid selection in groupadd for system groups
Max user ID value used by automatic uid selection in useradd for system accounts
Min user ID value used by automatic uid selection in useradd for system accounts
TTYGROUP (string or number)
The group ownership of the terminal is initialized to this group name or number. One well-known security attack involves forcing
terminal control sequences upon another user's terminal line. This problem can be averted by disabling permissions which allow
other users to access the terminal line, but this unfortunately prevents programs such as write from operating. Another solution is
to use a version of the write program which filters out potentially dangerous character sequences, make this program ``setgid'' to a
special group, assign group ownership of the terminal line to this special group, and assign permissions of 0620 to the terminal
line. The TTYGROUP definition has been provided for just this situation. If this item is not defined, then the group ownership of
the terminal is initialized to the user's group number. See TTYPERMS for related information.
The login terminal permissions are initialized to this value. Typical values will be 0622 to permit others write access to the line
or 0600 to secure the line from other users. If not specified, the terminal permissions will be initialized to 0622. See TTYGROUP
for related information.
This parameter specifies the full pathname to a file which maps terminal lines to terminal types. Each line of the file contains a
terminal type and a terminal line, seperated by whitespace, for example:
This information is only used to initialize the TERM environment parameter when it does not already exist. A line starting with a
``#'' pound sign will be treated as a comment. If this paramter is not specified, the file does not exist, or the terminal line is
not found in the file, then the TERM environment parameter will not be set.
Max user ID value for automatic uid selection in useradd
Min user ID value for automatic uid selection in useradd
If defined, this command is run after adding a user with useradd. It can, for example, rebuild the NIS maps in this script.
If defined, this command is run before removing a user with userdel. It should remove any at/cron/print jobs etc. owned by the user
to be removed (passed as the first argument).
If defined, this command is run after removing a user with userdel. It can, for example, rebuild any NIS database etc. to remove
the account from it.
The following cross reference shows which programs in the shadow login suite use which parameters.
login DEFAULT_HOME ENV_PATH ENV_ROOTPATH FAIL_DELAY HUSHLOGIN_FILE LOG_UNKFAIL_ENAB LOGIN_RETRIES LOGIN_TIMEOUT MOTD_FILE TTYPERM
useradd PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
passwd OBSCURE_CHECKS_ENAB PASS_MAX_LEN PASS_MIN_LEN PASS_ALWAYS_WARN CRACKLIB_DICTPATH PASS_CHANGE_TRIES
pwconv PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
Some of the supported configuration parameters are not documented in this manual page.
Julianne Frances Haugh (firstname.lastname@example.org)
Thorsten Kukuk (email@example.com)