login.conf(5)

NAME
     login.conf - login class capability database

SYNOPSIS
     /etc/login.conf, ~/.login_conf

DESCRIPTION
     login.conf contains various attributes and capabilities of login
     classes.

     A login class (an optional annotation against each record in the user
     account database, /etc/master.passwd) determines session accounting,
     resource limits and user environment settings.  It is used by various
     programs in the system to set up a user's login environment and to
     enforce policy, accounting and administrative restrictions.  It also
     provides the means by which users are able to be authenticated to the
     system and the types of authentication available.  Attributes in
     addition to the ones described here are available with third-party
     packages.

     A special record "default" in the system user class capability database
     /etc/login.conf is used automatically for any non-root user without a
     valid login class in /etc/master.passwd.  A user with a uid of 0 without
     a valid login class will use the record "root" if it exists, or
     "default" if not.

     In FreeBSD, users may individually create a file called .login_conf in
     their home directory using the same format, consisting of a single entry
     with a record id of "me".  If present, this file is used by login(1) to
     set user-defined environment settings which override those specified in
     the system login capabilities database.  Only a subset of login
     capabilities may be overridden, typically those which do not involve
     authentication, resource limits and accounting.

     Records in a class capabilities database consist of a number of colon-
     separated fields.  The first entry for each record gives one or more
     names that a record is to be known by, each separated by a `|' (vertical
     bar) character.  The first name is the most common abbreviation.  The
     last name given should be a long name that is more descriptive of the
     capability entry, and all others are synonyms.  All names but the last
     should be in lower case and contain no blanks; the last name may contain
     upper case characters and blanks for readability.

     The default /etc/login.conf shipped with FreeBSD is an out of the box
     configuration.  Whenever changes to this, or the user's ~/.login_conf,
     file are made, the modifications will not be picked up until cap_mkdb(1)
     is used to compile the file into a database.  This database file will
     have a .db extension and is accessed through cgetent(3).  See getcap(3)
     for a more in-depth description of the format of a capability database.
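     To make the record format and the "default"/"root" fallback concrete, the
     following is an added Python example (not part of this manual page and not
     FreeBSD's own login_cap(3) code): it parses a constructed login.conf-style
     text, resolves tc= interpolation with a record's own fields taking
     precedence, and picks the record a uid would be given.  The sample text,
     the helper names and the absence of getcap(3) escape handling are
     assumptions of the example.

```python
import re

SAMPLE = r"""# constructed sample, not FreeBSD's shipped file; comment lines are skipped
default:\
        :datasize=8m:\
        :path=/bin /usr/bin:\
        :requirehome:
root:\
        :ignorenologin:\
        :tc=default:
staff|Staff Accounts:\
        :datasize=64m:\
        :tc=default:
"""

def parse_db(text):
    """One record per line ('\\' joins continuation lines); fields are ':'-separated
    and the first field lists the record's names separated by '|'."""
    db = {}
    for line in text.replace("\\\n", "").splitlines():
        fields = [f.strip() for f in line.split(":") if f.strip()]
        if not fields or fields[0].startswith("#"):
            continue
        caps = {}
        for field in fields[1:]:
            m = re.match(r"([^=#]+)([=#]?)(.*)", field)
            caps[m.group(1)] = m.group(3) if m.group(2) else True  # bare name = bool true
        for name in fields[0].split("|"):   # every name is a synonym for the same record
            db[name.strip()] = caps
    return db

def lookup(db, cls, cap, _seen=()):
    """A record's own field wins; otherwise follow its tc= interpolation chain."""
    caps = db[cls]
    if cap in caps:
        return caps[cap]
    parent = caps.get("tc")
    if parent in db and parent not in _seen:   # _seen guards against tc= cycles
        return lookup(db, parent, cap, _seen + (cls,))
    return None

def class_for(db, uid, login_class):
    """Record used when the account's class is missing or unknown (see DESCRIPTION)."""
    if login_class in db:
        return login_class
    return "root" if uid == 0 and "root" in db else "default"
```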
CAPABILITIES
     Fields within each record in the database follow the getcap(3)
     conventions for boolean, type string `=' and type numeric `#', although
     type numeric is deprecated in favour of the string format and either
     form is accepted for a numeric datum.  Values fall into the following
     categories:

     bool     If the name is present, then the boolean value is true;
              otherwise, it is false.

     file     Path name to a data file.

     program  Path name to an executable file.

     list     A list of values (or pairs of values) separated by commas or
              spaces.

     path     A space or comma separated list of path names, following the
              usual csh conventions (leading tilde with and without username
              being expanded to home directories etc.).

     number   A numeric value, either decimal (default), hexadecimal (with a
              leading 0x), or octal (with a leading 0).  With a numeric type,
              only one numeric value is allowed.  Numeric types may also be
              specified in string format (i.e., the capability tag being
              delimited from the value by `=' instead of `#').  Whichever
              method is used, then all records in the database must use the
              same method to allow values to be correctly overridden in
              interpolated records.

     size     A number which expresses a size.  The default interpretation of
              a value is the number of bytes, but a suffix may specify
              alternate units:

              b    explicitly selects 512-byte blocks
              k    selects kilobytes (1024 bytes)
              m    specifies a multiplier of 1 megabyte (1048576 bytes),
              g    specifies units of gigabytes, and
              t    represents terabytes.

              A size value is a numeric quantity and case of the suffix is
              not significant.  Concatenated values are added together.

     time     A period of time, by default in seconds.  A prefix may specify
              a different unit:

              y    indicates the number of 365 day years,
              w    indicates the number of weeks,
              d    the number of days,
              h    the number of hours,
              m    the number of minutes, and
              s    the number of seconds.

              Concatenated values are added together.  For example, 2 hours
              and 40 minutes may be written either as 9600s, 160m or 2h40m.

     The usual convention to interpolate capability entries using the special
     tc=value notation may be used.

RESOURCE LIMITS
     Name           Type    Notes   Description
     coredumpsize   size            Maximum coredump size limit.
     cputime        time            CPU usage limit.
     datasize       size            Maximum data size limit.
     filesize       size            Maximum file size limit.
     maxproc        number          Maximum number of processes.
     memorylocked   size            Maximum locked in core memory size limit.
     memoryuse      size            Maximum of core memory use size limit.
     openfiles      number          Maximum number of open files per process.
     sbsize         size            Maximum permitted socketbuffer size.
     vmemoryuse     size            Maximum permitted total VM usage per
                                    process.
     stacksize      size            Maximum stack size limit.

     These resource limit entries actually specify both the maximum and
     current limits (see getrlimit(2)).  The current (soft) limit is the one
     normally used, although the user is permitted to increase the current
     limit to the maximum (hard) limit.  The maximum and current limits may
     be specified individually by appending a -max or -cur to the capability
     name.
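     The value conventions above (size and time suffixes with concatenated
     terms, the three numeric bases, and the -cur/-max pair of a resource
     limit) are easy to get wrong when tooling reads this file, so here is an
     added Python example (not from this manual page or from FreeBSD's
     login_cap(3)).  How a bare limit name combines with its -cur and -max
     variants is an assumption of the example, marked in the code.

```python
import re

# Unit multipliers from the CAPABILITIES section; suffix case is not significant.
SIZE_UNITS = {"b": 512, "k": 1024, "m": 1048576, "g": 1024 ** 3, "t": 1024 ** 4}
TIME_UNITS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

def _sum_units(value, units):
    """Add up concatenated terms (2h40m = 7200 + 2400); a bare number is bytes/seconds."""
    value = value.strip().lower()
    if not re.fullmatch(r"(\d+[a-z]?)+", value):
        raise ValueError(f"malformed value {value!r}")
    total = 0
    for digits, suffix in re.findall(r"(\d+)([a-z]?)", value):
        if suffix and suffix not in units:
            raise ValueError(f"unknown suffix {suffix!r} in {value!r}")
        total += int(digits) * (units[suffix] if suffix else 1)
    return total

def parse_size(value):
    """size capability -> bytes (b, k, m, g, t suffixes)."""
    return _sum_units(value, SIZE_UNITS)

def parse_time(value):
    """time capability -> seconds (y, w, d, h, m, s suffixes)."""
    return _sum_units(value, TIME_UNITS)

def parse_number(value):
    """number capability: decimal by default, leading 0x = hex, leading 0 = octal."""
    value = value.strip().lower()
    if value.startswith("0x"):
        return int(value[2:], 16)
    if len(value) > 1 and value.startswith("0"):
        return int(value, 8)       # a umask written without the leading 0 would be wrong
    return int(value, 10)

def resource_limits(caps, name, parse=parse_size):
    """(current, maximum) for one limit, e.g. datasize, from a record's fields.
    Assumption (not stated by the page): the bare name sets both limits and
    name-cur / name-max override the soft and hard value respectively."""
    both = caps.get(name)
    cur = caps.get(name + "-cur", both)
    hard = caps.get(name + "-max", both)
    return (None if cur is None else parse(cur),
            None if hard is None else parse(hard))
```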
ENVIRONMENT
     Name           Type    Notes          Description
     charset        string                 Set $MM_CHARSET environment
                                           variable to the specified value.
     hushlogin      bool    false          Same as having a ~/.hushlogin
                                           file.
     ignorenologin  bool    false          Login not prevented by nologin.
     ftp-chroot     bool    false          Limit FTP access with chroot(2)
                                           to the HOME directory of the
                                           user.  See ftpd(8) for details.
     label          string                 Default MAC policy; see
                                           maclabel(7).
     lang           string                 Set $LANG environment variable
                                           to the specified value.
     manpath        path                   Default search path for manpages.
     nocheckmail    bool    false          Display mail status at login.
     nologin        file                   If the file exists it will be
                                           displayed and the login session
                                           will be terminated.
     path           path    /bin /usr/bin  Default search path.
     priority       number                 Initial priority (nice) level.
     requirehome    bool    false          Require a valid home directory to
                                           login.
     setenv         list                   A comma-separated list of
                                           environment variables and values
                                           to which they are to be set.
     shell          prog                   Session shell to execute rather
                                           than the shell specified in the
                                           passwd file.  The SHELL
                                           environment variable will contain
                                           the shell specified in the
                                           password file.
     term           string                 Default terminal type if not able
                                           to determine from other means.
     timezone       string                 Default value of $TZ environment
                                           variable.
     umask          number  022            Initial umask.  Should always
                                           have a leading 0 to ensure octal
                                           interpretation.
     welcome        file    /etc/motd      File containing welcome message.
AUTHENTICATION
     Name           Type    Notes   Description
     copyright      file            File containing additional copyright
                                    information.
     host.allow     list            List of remote host wildcards from which
                                    users in the class may access.
     host.deny      list            List of remote host wildcards from which
                                    users in the class may not access.
     login_prompt   string          The login prompt given by login(1).
     login-backoff  number  3       The number of login attempts allowed
                                    before the backoff delay is inserted
                                    after each subsequent attempt.  The
                                    backoff delay is the number of tries
                                    above login-backoff multiplied by 5
                                    seconds.
     login-retries  number  10      The number of login attempts allowed
                                    before the login fails.
     passwd_format  string  md5     The encryption format that new or
                                    changed passwords will use.  Valid
                                    values include "des", "md5" and "blf".
                                    NIS clients using a non-FreeBSD NIS
                                    server should probably use "des".
     passwd_prompt  string          The password prompt presented by
                                    login(1).
     times.allow    list            List of time periods during which logins
                                    are allowed.
     times.deny     list            List of time periods during which logins
                                    are disallowed.
     ttys.allow     list            List of ttys and tty groups which users
                                    in the class may use for access.
     ttys.deny      list            List of ttys and tty groups which users
                                    in the class may not use for access.
     warnexpire     time            Advance notice for pending account
                                    expiry.
     warnpassword   time            Advance notice for pending password
                                    expiry.

     These fields are intended to be used by passwd(1) and other programs in
     the login authentication system.

     Capabilities that set environment variables are scanned for both `~' and
     `$' characters, which are substituted for a user's home directory and
     name respectively.  To pass these characters literally into the
     environment variable, escape the character by preceding it with a
     backslash (`\').
     The host.allow and host.deny entries are comma separated lists used for
     checking remote access to the system, and consist of a list of hostnames
     and/or IP addresses against which remote network logins are checked.
     Items in these lists may contain wildcards in the form used by shell
     programs for wildcard matching (See fnmatch(3) for details on the
     implementation).  The check on hosts is made against both the remote
     system's Internet address and hostname (if available).  If both lists
     are empty or not specified, then logins from any remote host are
     allowed.  If host.allow contains one or more hosts, then only remote
     systems matching any of the items in that list are allowed to log in.
     If host.deny contains one or more hosts, then a login from any matching
     hosts will be disallowed.

     The times.allow and times.deny entries consist of a comma separated list
     of time periods during which the users in a class are allowed to be
     logged in.  These are expressed as one or more day codes followed by a
     start and end times expressed in 24 hour format, separated by a hyphen
     or dash.  For example, MoThSa0200-1300 translates to Monday, Thursday
     and Saturday between the hours of 2 am and 1 p.m.  If both of these time
     lists are empty, users in the class are allowed access at any time.  If
     times.allow is specified, then logins are only allowed during the
     periods given.  If times.deny is specified, then logins are denied
     during the periods given, regardless of whether one of the periods
     specified in times.allow applies.

     Note that login(1) enforces only that the actual login falls within
     periods allowed by these entries.  Further enforcement over the life of
     a session requires a separate daemon to monitor transitions from an
     allowed period to a non-allowed one.

     The ttys.allow and ttys.deny entries contain a comma-separated list of
     tty devices (without the /dev/ prefix) that a user in a class may use to
     access the system, and/or a list of ttygroups (See getttyent(3) and
     ttys(5) for information on ttygroups).  If neither entry exists, then
     the choice of login device used by the user is unrestricted.  If only
     ttys.allow is specified, then the user is restricted only to ttys in the
     given group or device list.  If only ttys.deny is specified, then the
     user is prevented from using the specified devices or devices in the
     group.  If both lists are given and are non-empty, the user is
     restricted to those devices allowed by ttys.allow that are not available
     by ttys.deny.

     The minpasswordlen and minpasswordcase facilities for enforcing
     restrictions on password quality, which used to be supported by
     login.conf, have been superseded by the pam_passwdqc(8) PAM module.
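     The host.allow/host.deny and times.allow/times.deny rules above have a
     precedence that is worth checking before relying on them (an allow list
     narrows access, a deny match refuses it even when an allow period or
     pattern applies).  The following is an added Python example of those
     two checks, not code from this manual page or from login(1).  It assumes
     two-letter codes for the remaining weekdays by analogy with MoThSa, an
     end time that is exclusive, and case-insensitive host matching; the
     addresses in the test are constructed documentation values.

```python
import fnmatch
import re

DAY_CODES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]      # index = datetime.weekday()
PERIOD_RE = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa)+)(\d{2})(\d{2})-(\d{2})(\d{2})$")

def split_list(value):
    """A 'list' capability: items separated by commas or spaces; unset -> empty."""
    return [item for item in re.split(r"[,\s]+", value or "") if item]

def host_matches(patterns, addr, hostname):
    """fnmatch(3)-style wildcards, checked against the address and the hostname."""
    names = [n.lower() for n in (addr, hostname) if n]   # case-insensitive (assumption)
    return any(fnmatch.fnmatchcase(n, p.lower()) for p in patterns for n in names)

def host_permitted(host_allow, host_deny, addr, hostname=None):
    allow, deny = split_list(host_allow), split_list(host_deny)
    if allow and not host_matches(allow, addr, hostname):
        return False    # host.allow present: only matching hosts may log in
    if deny and host_matches(deny, addr, hostname):
        return False    # any host.deny match refuses the login
    return True         # both empty: logins from any remote host are allowed

def in_period(period, when):
    """True if datetime 'when' falls in a period such as MoThSa0200-1300."""
    m = PERIOD_RE.match(period)
    if not m:
        raise ValueError(f"bad time period {period!r}")
    days = re.findall(r"[A-Z][a-z]", m.group(1))
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    minute = when.hour * 60 + when.minute
    return DAY_CODES[when.weekday()] in days and start <= minute < end  # end exclusive (assumption)

def time_permitted(times_allow, times_deny, when):
    allow, deny = split_list(times_allow), split_list(times_deny)
    if allow and not any(in_period(p, when) for p in allow):
        return False    # times.allow present: only its periods are allowed
    if deny and any(in_period(p, when) for p in deny):
        return False    # times.deny wins even when a times.allow period applies
    return True         # both empty: access at any time
```

     As the manual notes, login(1) applies these checks only at login time;
     a session that is already open is not ended when a period expires.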
RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.

     Name             Type    Notes   Description
     accounted        bool    false   Enable session time accounting for all
                                      users in this class.
     autodelete       time            Time after expiry when account is
                                      auto-deleted.
     bootfull         bool    false   Enable 'boot only if ttygroup is full'
                                      strategy when terminating sessions.
     daytime          time            Maximum login time per day.
     expireperiod     time            Time for expiry allocation.
     graceexpire      time            Grace days for expired account.
     gracetime        time            Additional grace login time allowed.
     host.accounted   list            List of remote host wildcards from
                                      which login sessions will be accounted.
     host.exempt      list            List of remote host wildcards from
                                      which login session accounting is
                                      exempted.
     idletime         time            Maximum idle time before logout.
     minpasswordlen   number  6       The minimum length a local password may
                                      be.
     mixpasswordcase  bool    true    Whether passwd(1) will warn the user if
                                      an all lower case password is entered.
     monthtime        time            Maximum login time per month.
     passwordtime     time            Used by passwd(1) to set next password
                                      expiry date.
     refreshtime      time            New time allowed on account refresh.
     refreshperiod    str             How often account time is refreshed.
     sessiontime      time            Maximum login time per session.
     sessionlimit     number          Maximum number of concurrent login
                                      sessions on ttys in any group.
     ttys.accounted   list            List of ttys and tty groups for which
                                      login accounting is active.
     ttys.exempt      list            List of ttys and tty groups for which
                                      login accounting is exempt.
     warntime         time            Advance notice for pending out-of-time.
     weektime         time            Maximum login time per week.

     The ttys.accounted and ttys.exempt fields operate in a similar manner to
     ttys.allow and ttys.deny as explained above.  Similarly with the
     host.accounted and host.exempt lists.
SEE ALSO
     cap_mkdb(1), login(1), chroot(2), getcap(3), getttyent(3),
     login_cap(3), login_class(3), pam(3), passwd(5), ttys(5), ftpd(8),
     pam_passwdqc(8)

BSD                             April 19, 2006