**What does the `login.defs` file define?**

The `login.defs` file defines *the site-specific configuration for the shadow password suite.*

**Is `login.defs` a required file?**

*No*, `login.defs` isn't a required file.

**What will probably happen if `login.defs` isn't present?**

If `login.defs` isn't present, the system still operates, but it will probably *result in undesirable operation*, because the shadow tools fall back to their compiled-in defaults.

**What is the format of the file?**

Each line consists of *a parameter name and its value, separated by whitespace.* Lines beginning with `#` are comments, and empty lines are ignored.

**What are the different configuration parameters?**

The different configuration parameters are:

| Parameter Name | Description |
| --- | --- |
| `CHFN_RESTRICT` | Which fields of the `gecos` entry in `/etc/passwd` regular users may change with `chfn`. |
| `CONSOLE_GROUPS` | Groups added to the user's supplementary groups when logging in on the console. |
| `CREATE_HOME` | Whether a home directory is created by default for new users. |
| `DEFAULT_HOME` | Whether login is allowed when the home directory can't be entered with `cd`. |
| `ENCRYPT_METHOD` | System default algorithm for hashing passwords. |
| `ENV_HZ` | Value of the `HZ` environment variable when a user logs in. |
| `ENV_PATH` | `PATH` environment variable when a regular user logs in. |
| `ENV_SUPATH` | `PATH` environment variable when the superuser logs in. |
| `ERASECHAR` | Terminal `ERASE` character. |
| `FAIL_DELAY` | Delay in seconds before another attempt is allowed after a failed login. |
| `FAKE_SHELL` | Shell to execute instead of the user's shell from `/etc/passwd`. |
| `GID_MIN`, `GID_MAX` | Range of group IDs used when regular groups are created with `useradd`, `groupadd`, or `newusers`. |
| `HOME_MODE` | Mode for new home directories. |
| `HUSHLOGIN_FILE` | File that inhibits the usual chatter during the login sequence. |
| `KILLCHAR` | Terminal `KILL` character. |
| `LASTLOG_UID_MAX` | Highest user ID for which `lastlog` entries are updated. |
| `LOG_OK_LOGINS` | Enable logging of successful login attempts. |
| `LOG_UNKFAIL_ENAB` | Enable recording of unknown usernames when login failures are logged. |
| `LOGIN_RETRIES` | Maximum number of login retries in case of a bad password. |
| `LOGIN_TIMEOUT` | Maximum number of seconds allowed for login. |
| `MAIL_DIR` | Mail spool directory. |
| `MAIL_FILE` | Location of the user's mail spool file relative to their home directory. |
| `MAX_MEMBERS_PER_GROUP` | Maximum number of members per group entry. |
| `MD5_CRYPT_ENAB` | Whether new passwords are hashed with the MD5-based algorithm compatible with recent releases of FreeBSD. |
| `NONEXISTENT` | String in an `/etc/passwd` entry indicating that a system account's home directory intentionally doesn't exist. |
| `PASS_MAX_DAYS` | Maximum number of days a password may be used. |
| `PASS_MIN_DAYS` | Minimum number of days allowed between password changes. |
| `PASS_WARN_AGE` | Number of days of warning before a password expires. |
| `SHA_CRYPT_MIN_ROUNDS`, `SHA_CRYPT_MAX_ROUNDS` | Range of SHA rounds used by the hashing algorithm by default. |
| `SULOG_FILE` | File where all `su` activity is logged. |
| `SU_NAME` | Command name to display when running `su -`. |
| `SUB_GID_MIN`, `SUB_GID_MAX`, `SUB_GID_COUNT` | If `/etc/subgid` exists, `useradd` and `newusers` allocate `SUB_GID_COUNT` unused subordinate group IDs between `SUB_GID_MIN` and `SUB_GID_MAX`. |
| `SUB_UID_MIN`, `SUB_UID_MAX`, `SUB_UID_COUNT` | If `/etc/subuid` exists, `useradd` and `newusers` allocate `SUB_UID_COUNT` unused subordinate user IDs between `SUB_UID_MIN` and `SUB_UID_MAX`. |
| `SYS_GID_MIN`, `SYS_GID_MAX` | Range of group IDs used for creating system groups with `useradd`, `groupadd`, or `newusers`. |
| `SYS_UID_MIN`, `SYS_UID_MAX` | Range of user IDs used for creating system users with `useradd` or `newusers`. |
| `SYSLOG_SG_ENAB` | Whether `sg` activity is logged to syslog. |
| `SYSLOG_SU_ENAB` | Whether `su` activity is logged to syslog. |
| `TTYGROUP`, `TTYPERM` | Owning group and permissions of the login TTY. |
| `TTYTYPE_FILE` | File mapping TTY lines to the `TERM` environment variable. |
| `UID_MIN`, `UID_MAX` | Range of user IDs used by `useradd` or `newusers` for regular users. |
| `UMASK` | Initial value of the file mode creation mask. |
| `USERDEL_CMD` | Command run when removing a user. |
| `USERGROUPS_ENAB` | Whether `userdel` removes the user's group once it has no more members, and `useradd` creates a group with the name of the user. |

**What combination of letters is used with the `CHFN_RESTRICT` parameter and what do they mean?**

The letters used with the `CHFN_RESTRICT` parameter, and what they mean, are:

* `f` - Full name.
* `r` - Room number.
* `w` - Work phone.
* `h` - Home phone.

> **What is `yes` equivalent to when used for the `CHFN_RESTRICT` parameter?**
> When used for the `CHFN_RESTRICT` parameter, `yes` is equivalent to `rwh`.
>
> **What is `no` equivalent to when used for the `CHFN_RESTRICT` parameter?**
> When used for the `CHFN_RESTRICT` parameter, `no` is equivalent to `frwh`.
>
> **What happens if `CHFN_RESTRICT` isn't set at all?**
> If `CHFN_RESTRICT` isn't set, *only the superuser can change those fields.*
>
> **How is the most restrictive setting for `CHFN_RESTRICT` achieved?**
> The most restrictive setting for `CHFN_RESTRICT` is achieved *by not installing `chfn` SUID.*

**What can users gain from the groups added with the `CONSOLE_GROUPS` parameter?**

With the groups added with the `CONSOLE_GROUPS` parameter, it's possible for users to gain *permanent access to those groups, even when not logged in on the console.* Only list groups here that you're willing to hand to every console user outright.

**Does the `CREATE_HOME` setting apply to system users?**

*No*, the `CREATE_HOME` setting doesn't apply to system users.
**What directory will a user log into if `DEFAULT_HOME` is set to `yes` and their home directory can't be entered with `cd`?**

If `DEFAULT_HOME` is set to `yes` and the user's home directory can't be entered with `cd`, they will log into *the root directory (`/`).* With the default of `no`, the login is refused instead.

**What are the four possible values for the `ENCRYPT_METHOD` parameter?**

The four possible values for the `ENCRYPT_METHOD` parameter are:

1. `DES`.
2. `MD5`.
3. `SHA256`.
4. `SHA512`.

Newer shadow releases also accept `BCRYPT` and `YESCRYPT`; `DES` and `MD5` are only there for compatibility and shouldn't be chosen for new hashes.

> **What parameter does `ENCRYPT_METHOD` override?**
> `ENCRYPT_METHOD` overrides *the `MD5_CRYPT_ENAB` parameter.*
>
> **Which passwords are affected by the `ENCRYPT_METHOD` parameter?**
> On a PAM system, the `ENCRYPT_METHOD` parameter only affects *the generation of group passwords.*
>
> **What controls the generation of user passwords?**
> The generation of user passwords is controlled by *PAM and its configuration* (`pam_unix`), so `ENCRYPT_METHOD` should be set consistently with the PAM configuration.

**When is the `HZ` environment variable set?**

The `HZ` environment variable is set from `ENV_HZ` *when the superuser logs in with `sulogin`.*

**When is hushed mode enabled if you use a full file path with the `HUSHLOGIN_FILE` parameter?**

If you use a full file path with the `HUSHLOGIN_FILE` parameter, hushed mode is enabled *if the user's name or shell is listed in that file.*

> **When is hushed mode enabled if you use a relative file path with the `HUSHLOGIN_FILE` parameter?**
> If you use a relative file path with the `HUSHLOGIN_FILE` parameter, hushed mode is enabled *if a file of that name exists in the user's home directory.*

**How can logging unknown usernames with the `LOG_UNKFAIL_ENAB` parameter be a security risk?**

Logging unknown usernames with the `LOG_UNKFAIL_ENAB` parameter can be a security risk *because a user may accidentally type their password into the username field*, and that password is then written to the logs, where anyone with log access can read it.

**What will the `LOGIN_RETRIES` parameter likely be overridden by?**

The `LOGIN_RETRIES` parameter will most likely be overridden by *PAM, since the default `pam_unix` module has its own built-in limit of 3 retries.* It remains a safe fallback for authentication modules that don't enforce `PAM_MAXTRIES`.

**What is the `MAIL_DIR` parameter needed for?**

The `MAIL_DIR` parameter is needed *to manipulate the mailbox when its corresponding user is modified or deleted.*

> **What value for `MAIL_DIR` is used by default?**
> The value for `MAIL_DIR` used by default is *a compile-time default.*
>
> **What parameter outside of `login.defs` determines if a mail spool should be created?**
> The parameter outside of `login.defs` that determines whether a mail spool should be created is *the `CREATE_MAIL_SPOOL` parameter in `/etc/default/useradd`.*

**What three programs use the `MAIL_DIR` and `MAIL_FILE` parameters?**

The three programs that use the `MAIL_DIR` and `MAIL_FILE` parameters are:

1. `useradd`.
2. `usermod`.
3. `userdel`.

**What does the `MAX_MEMBERS_PER_GROUP` parameter cause lines in the `/etc/group` file to do?**

The `MAX_MEMBERS_PER_GROUP` parameter causes a line in the `/etc/group` file to *be split, with a new line carrying the same group name and group ID, once it reaches the maximum number of members.*

> **What should you consider when setting `MAX_MEMBERS_PER_GROUP`?**
> When setting `MAX_MEMBERS_PER_GROUP`, you should consider *that split groups may not be supported by all tools*, including those that don't go through the shadow suite.

**What is the benefit of setting `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` to a high number?**

The benefit of setting `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` to a high number is that *more rounds make it harder to brute-force the password hashes.*

> **What is the downside of setting `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` to a high number?**
> The downside of setting `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` to a high number is that *authenticating users needs more CPU time.*
>
> **What chooses the default when `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` aren't specified, and what value is chosen?**
> When `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` aren't specified, the default is chosen by *`libc`, which picks 5000 rounds.*
>
> **Why are 5000 rounds for SHA hashing bad?**
> 5000 rounds for SHA hashing are bad *because that is orders of magnitude too low for modern hardware.*
>
> **What range and combination of values are accepted?**
> The values must lie *between 1000 and 999,999,999.* If only one of the two is set, that value is used; if `SHA_CRYPT_MIN_ROUNDS` is greater than `SHA_CRYPT_MAX_ROUNDS`, the higher value is used.

**Which group owns the login TTY by default?**

By default, the owning group of the login TTY is *the user's primary group.*

> **What are the permissions of the login TTY set to by default?**
> By default, the permissions of the login TTY are set to *0600.*

**When do `useradd` and `newusers` use the `UMASK` parameter?**

`useradd` and `newusers` use the `UMASK` parameter to set the mode of the home directories they create *if the `HOME_MODE` parameter isn't specified.*

**What should the program specified in the `USERDEL_CMD` parameter do?**

The program specified in the `USERDEL_CMD` parameter should *remove any `at`/`cron`/print jobs etc. owned by the user being removed*, whose name is passed as the first argument.

> [!summary]
> The parameters that are likely to be overridden by PAM include:
> * `ENCRYPT_METHOD` (user passwords).
> * `LOGIN_RETRIES`.
> * `MD5_CRYPT_ENAB` (user passwords).
> * `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` (user passwords).

> [!summary]
> The parameters used by other programs include:
> * `CHFN_RESTRICT` - `chfn`.
> * `GID_MIN` and `GID_MAX` - `useradd`, `groupadd`, and `newusers`.
> * `HOME_MODE` - `useradd` and `newusers`.
> * `MAIL_DIR` - `useradd`, `usermod`, and `userdel`.
> * `MAIL_FILE` - `useradd`, `usermod`, and `userdel`.
> * `SUB_GID_MIN`, `SUB_GID_MAX`, and `SUB_GID_COUNT` - `useradd` and `newusers`.
> * `SUB_UID_MIN`, `SUB_UID_MAX`, and `SUB_UID_COUNT` - `useradd` and `newusers`.
> * `SYS_GID_MIN` and `SYS_GID_MAX` - `useradd`, `groupadd`, and `newusers`.
> * `SYS_UID_MIN` and `SYS_UID_MAX` - `useradd` and `newusers`.
> * `UID_MIN` and `UID_MAX` - `useradd` and `newusers`.
> * `UMASK` - `useradd` and `newusers` (home directory mode), and `pam_umask` (default value).
> * `USERGROUPS_ENAB` - `useradd` and `userdel`.
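The following script is an added example, not code from the manpage or the shadow suite. It reads a `login.defs` file the way the notes above describe the format (name and value separated by whitespace, `#` comments and blank lines ignored, and, as an assumption about shadow's `getdef()`, a later definition of the same name overriding an earlier one) and flags the settings this page warns about: a weak or unset `ENCRYPT_METHOD` (including the `MD5_CRYPT_ENAB` fallback), `SHA_CRYPT_MIN_ROUNDS` left at the `libc` default, `LOG_UNKFAIL_ENAB yes`, a missing or overly long `PASS_MAX_DAYS`, and a `HOME_MODE`/`UMASK` pair that leaves new home directories open to others. The thresholds `ROUNDS_MIN` and `MAX_PASS_DAYS` are this script's own policy choices, and the three sample configurations are constructed, not real distribution files.

```shell
#!/bin/sh
# Added example: audit a login.defs file for the settings login.defs(5) warns about.
# ROUNDS_MIN and MAX_PASS_DAYS are this script's own policy choices (assumptions).
set -u

ROUNDS_MIN=100000     # assumption; the libc default of 5000 is far too low
MAX_PASS_DAYS=365     # assumption; the manpage sets no particular value

# getdef FILE KEY: print the effective value of KEY, or nothing if unset.
# Blank lines and '#' comments are skipped; a later definition overrides an
# earlier one (assumed to match shadow's getdef()).
getdef() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == key {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)   # drop the key
            sub(/[ \t]+$/, "", line)                # and trailing blanks
            val = line; found = 1
        }
        END { if (found) print val }' "$1"
}

# getdef_bool FILE KEY: succeed iff KEY is set to "yes" (case-insensitive).
getdef_bool() {
    case "$(getdef "$1" "$2")" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# is_number STRING: succeed iff STRING is a non-empty run of digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# audit_login_defs FILE: print one "WEAK: ..." line per finding; always exits 0.
audit_login_defs() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "WEAK: $f is missing or unreadable; shadow tools will run on compiled-in defaults"
        return 0
    fi

    # ENCRYPT_METHOD overrides MD5_CRYPT_ENAB; when it is unset, MD5_CRYPT_ENAB=yes
    # means MD5. On PAM systems this governs group passwords; users follow pam_unix.
    method=$(getdef "$f" ENCRYPT_METHOD)
    if [ -z "$method" ] && getdef_bool "$f" MD5_CRYPT_ENAB; then
        method=MD5
    fi
    case "$method" in
        SHA256|SHA512|BCRYPT|YESCRYPT) ;;
        *) echo "WEAK: ENCRYPT_METHOD resolves to '${method:-unset}'; use SHA512 or stronger" ;;
    esac

    # With SHA256/SHA512 the round count sets the brute-force cost; unset means libc's 5000.
    case "$method" in
        SHA256|SHA512)
            rounds=$(getdef "$f" SHA_CRYPT_MIN_ROUNDS)
            if ! is_number "$rounds" || [ "$rounds" -lt "$ROUNDS_MIN" ]; then
                echo "WEAK: SHA_CRYPT_MIN_ROUNDS is '${rounds:-unset (libc default 5000)}'; want >= $ROUNDS_MIN"
            fi ;;
    esac

    # Logging unknown usernames captures passwords mistyped into the login prompt.
    if getdef_bool "$f" LOG_UNKFAIL_ENAB; then
        echo "WEAK: LOG_UNKFAIL_ENAB is yes; passwords typed into the username field end up in the logs"
    fi

    days=$(getdef "$f" PASS_MAX_DAYS)
    if ! is_number "$days" || [ "$days" -gt "$MAX_PASS_DAYS" ]; then
        echo "WEAK: PASS_MAX_DAYS is '${days:-unset}'; want <= $MAX_PASS_DAYS"
    fi

    # New home directories get HOME_MODE if set, otherwise a mode derived from UMASK;
    # 'other' should get nothing (mode ending in 0, umask ending in 7).
    mode=$(getdef "$f" HOME_MODE)
    if [ -n "$mode" ]; then
        case "$mode" in
            *0) ;;
            *)  echo "WEAK: HOME_MODE $mode grants 'other' access to new home directories" ;;
        esac
    else
        mask=$(getdef "$f" UMASK)
        case "$mask" in
            *7) ;;
            *)  echo "WEAK: UMASK is '${mask:-unset}' and HOME_MODE is unset; new home directories are open to others" ;;
        esac
    fi
    return 0
}

# finding_count FILE: number of WEAK lines, for scripting around the audit.
finding_count() {
    audit_login_defs "$1" | grep -c '^WEAK' || true
}

# Constructed sample configurations (not real distribution files).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK=$TMP/login.defs.weak; LEGACY=$TMP/login.defs.legacy; HARD=$TMP/login.defs.hardened
cat >"$WEAK" <<'EOF'
# SHA512 selected, but SHA_CRYPT_MIN_ROUNDS left to libc's default of 5000
ENCRYPT_METHOD   SHA512
LOG_UNKFAIL_ENAB yes
PASS_MAX_DAYS    99999
UMASK            022
# duplicate key: the later definition wins
UMASK            002
EOF
cat >"$LEGACY" <<'EOF'
# No ENCRYPT_METHOD, so MD5_CRYPT_ENAB decides and group passwords get MD5 hashes
MD5_CRYPT_ENAB   yes
LOG_UNKFAIL_ENAB no
PASS_MAX_DAYS    90
HOME_MODE        0700
EOF
cat >"$HARD" <<'EOF'
ENCRYPT_METHOD       SHA512
SHA_CRYPT_MIN_ROUNDS 100000
SHA_CRYPT_MAX_ROUNDS 200000
LOG_UNKFAIL_ENAB     no
PASS_MAX_DAYS        180
HOME_MODE            0750
UMASK                027
EOF

for cfg in "$WEAK" "$LEGACY" "$HARD" /nonexistent/login.defs; do
    echo "== $cfg: $(finding_count "$cfg") finding(s)"
    audit_login_defs "$cfg"
done
```

Run it as-is to see the three constructed files scored (4, 1 and 0 findings, plus 1 for the absent file), or call `audit_login_defs /etc/login.defs` on a real host. The `ENCRYPT_METHOD` and rounds checks only describe what the shadow tools will do for group passwords; on a PAM system the `pam_unix` line in `/etc/pam.d/common-password` (or its distribution equivalent) decides how user passwords are hashed and must be checked separately.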
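The two `HUSHLOGIN_FILE` rules above (absolute path: the user's name or shell must be listed in the file; relative path: the file must exist in the user's home directory) as an added example, not code from the manpage or from `login`. The `hushed` function and the accounts, home directories and `hushlogins` file it is run against are constructed for the demonstration; they stand in for `/etc/hushlogins` and real `/etc/passwd` entries.

```shell
#!/bin/sh
# Added example: the HUSHLOGIN_FILE lookup rule from login.defs(5), with both
# the absolute-path and the relative-path case.
set -u

# hushed SETTING USER HOME SHELL: succeed iff login should run in hushed mode.
hushed() {
    setting=$1 user=$2 home=$3 shell=$4
    case "$setting" in
        '')  # HUSHLOGIN_FILE unset: never hushed
             return 1 ;;
        /*)  # absolute path: hushed if the user's name or shell is listed,
             # one entry per line, matched exactly
             [ -r "$setting" ] && grep -qxF -e "$user" -e "$shell" "$setting" ;;
        *)   # relative path: hushed if that file exists in the user's home directory
             [ -e "$home/$setting" ] ;;
    esac
}

# report SETTING USER HOME SHELL: print the decision without aborting on "no".
report() {
    if hushed "$@"; then echo "hushed:  $2 (HUSHLOGIN_FILE=$1)"
    else                 echo "verbose: $2 (HUSHLOGIN_FILE=$1)"; fi
}

# Constructed fixtures: a system-wide list and two home directories.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
SYSFILE=$TMP/hushlogins                       # stands in for /etc/hushlogins
printf '%s\n' alice /usr/sbin/nologin >"$SYSFILE"
mkdir -p "$TMP/home/bob" "$TMP/home/carol"
: >"$TMP/home/carol/.hushlogin"

# Absolute setting: alice matches by name, dave by shell, bob by neither.
report "$SYSFILE"   alice "$TMP/home/alice" /bin/sh
report "$SYSFILE"   dave  "$TMP/home/dave"  /usr/sbin/nologin
report "$SYSFILE"   bob   "$TMP/home/bob"   /bin/sh
# Relative setting: only carol has ~/.hushlogin; the name list is ignored.
report .hushlogin   carol "$TMP/home/carol" /bin/sh
report .hushlogin   alice "$TMP/home/alice" /bin/sh
# Unset: nobody is hushed.
report ""           carol "$TMP/home/carol" /bin/sh
```

Note the exact-match flags on `grep`: without `-x` a list entry `al` would hush `alice`, and without `-F` a shell path like `/bin/sh` would be read as a regular expression.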