1.\" 2.\" Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc. 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. All advertising materials mentioning features or use of this software 14.\" must display the following acknowledgement: 15.\" This product includes software developed by Berkeley Software Design, 16.\" Inc. 17.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse 18.\" or promote products derived from this software without specific prior 19.\" written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" $OpenBSD: login.conf.5,v 1.73 2025/01/26 05:47:17 semarie Exp $ 34.\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $ 35.\" 36.Dd $Mdocdate: January 26 2025 $ 37.Dt LOGIN.CONF 5 38.Os 39.Sh NAME 40.Nm login.conf 41.Nd login class capability database 42.Sh DESCRIPTION 43The 44.Nm 45file describes the various attributes of login classes. 46A login class determines what styles of authentication are available 47as well as session resource limits and environment setup. 48While designed primarily for the 49.Xr login 1 50program, 51it is also used by other programs, such as 52.Xr ftpd 8 , 53to determine what means of authentication are available. 54It is also used by programs which need to set up a user environment. 55.Pp 56A special record, 57.Dq default , 58in 59.Pa /etc/login.conf 60is used for any user without a valid login class in 61.Pa /etc/master.passwd . 62.Pp 63In case the 64.Pa /etc/login.conf.d/${ Ns Va class Ns } 65file exists, it will take precedence over the same login class 66defined in 67.Pa /etc/login.conf . 68.Pp 69Sites with very large 70.Pa /etc/login.conf 71files may wish to create a database version of the file, 72.Pa /etc/login.conf.db , 73for improved performance. 74Using a database version for small files does not result in a 75performance improvement. 76To build 77.Pa /etc/login.conf.db 78from 79.Pa /etc/login.conf 80the following command may be used: 81.Pp 82.Dl # cap_mkdb /etc/login.conf 83.Pp 84Note that 85.Xr cap_mkdb 1 86must be run after each edit of 87.Pa /etc/login.conf 88or the 89.Pa /etc/login.conf.d/${class} 90file to keep the database version in sync with the plain file. 91.Sh CAPABILITIES 92Refer to 93.Xr cgetent 3 94for a description of the file layout. 95All entries in the 96.Nm 97file are either boolean or use a 98.Ql = 99to separate the capability from the value. 100The types are described after the capability table. 101.Bl -column "approve-service" "program" "bcrypt,8" "Description" 102.It Sy Name Ta Sy Type Ta Sy Default Ta Sy Description 103.\" 104.It approve Ta program Ta "" Ta 105Default program to approve login. 106.\" 107.Pp 108.It approve- Ns Ar service Ta program Ta "" Ta 109Program to approve login for 110.Ar service . 111.\" 112.Pp 113.It auth Ta list Ta Dv passwd Ta 114Allowed authentication styles. 115The first value is the default style. 116.\" 117.Pp 118.It auth- Ns Ar type Ta list Ta "" Ta 119Allowed authentication styles for the authentication type 120.Ar type . 121.\" 122.Pp 123.It classify Ta program Ta "" Ta 124Classify type of login. 125.\" 126.Pp 127.It copyright Ta file Ta "" Ta 128File containing additional copyright information. 129.\" 130.Pp 131.It coredumpsize Ta size Ta "" Ta 132Maximum coredump size limit. 133.\" 134.Pp 135.It cputime Ta time Ta "" Ta 136CPU usage limit. 137.\" 138.Pp 139.It datasize Ta size Ta "" Ta 140Maximum data size limit. 141.\" 142.Pp 143.It expire-warn Ta time Ta Dv 2w Ta 144If the user's account will expire within this length of time then 145warn the user of this. 146.\" 147.Pp 148.It filesize Ta size Ta "" Ta 149Maximum file size limit. 150.\" 151.Pp 152.It hushlogin Ta bool Ta Dv false Ta 153Same as having a 154.Pa $HOME/.hushlogin 155file. 156See 157.Xr login 1 . 158.\" 159.Pp 160.It ignorenologin Ta bool Ta Dv false Ta 161Not affected by 162.Pa nologin 163files. 164See 165.Xr login 1 . 166.\" 167.Pp 168.It localcipher Ta string Ta bcrypt,a Ta 169The cipher to use for encrypting passwords. 170Refer to 171.Xr crypt_newhash 3 172for possible values. 173.\" 174.Pp 175.It login-backoff Ta number Ta 3 Ta 176After 177.Ar login-backoff 178unsuccessful login attempts during a single session, 179.Xr login 1 180will start sleeping a bit in between attempts. 181.\" 182.Pp 183.It login-timeout Ta time Ta 300 Ta 184Number of seconds before 185.Xr login 1 186times out at the password prompt. 187Note that this setting is only valid for the 188.Li default 189record. 190.\" 191.Pp 192.It login-tries Ta number Ta 10 Ta 193Number of tries a user gets to successfully login before 194.Xr login 1 195closes the connection. 196.\" 197.Pp 198.It stacksize Ta size Ta "" Ta 199Maximum stack size limit. 200.\" 201.Pp 202.It maxproc Ta number Ta "" Ta 203Maximum number of processes. 204.\" 205.Pp 206.It memorylocked Ta size Ta "" Ta 207Maximum locked in core memory size limit. 208.\" 209.Pp 210.It memoryuse Ta size Ta "" Ta 211Maximum in core memoryuse size limit. 212.\" 213.Pp 214.It minpasswordlen Ta number Ta 6 Ta 215The minimum length a local password may be. 216If a negative value or zero, no length restrictions are enforced. 217Used by the 218.Xr passwd 1 219utility. 220.\" 221.Pp 222.It nologin Ta file Ta "" Ta 223If the file exists, it will be displayed 224and the login session will be terminated. 225.\" 226.Pp 227.It openfiles Ta number Ta "" Ta 228Maximum number of open file descriptors per process. 229.\" 230.Pp 231.It password-dead Ta time Ta Dv 0 Ta 232Length of time a password may be expired but not quite dead yet. 233When set (for both the client and remote server machine when doing 234remote authentication), a user is allowed to log in just one more 235time after their password (but not account) has expired. 236This allows a grace period for updating their password. 237.\" 238.Pp 239.It password-warn Ta time Ta Dv 2w Ta 240If the user's password will expire within this length of time then 241warn the user of this. 242.\" 243.Pp 244.It passwordcheck Ta program Ta "" Ta 245An external program that checks the quality of the password. 246The password is passed to the program on 247.Pa stdin . 248An exit code of 0 indicates that the quality of the password is 249sufficient, an exit code of 1 signals that the password failed the check. 250.\" 251.Pp 252.It passwordtime Ta time Ta "" Ta 253The lifetime of a password in seconds, reset every time a user 254changes their password. 255When this value is exceeded, the user will no longer be able to 256login unless the 257.Li password-dead 258option has been specified. 259Used by the 260.Xr passwd 1 261utility. 262.\" 263.Pp 264.It passwordtries Ta number Ta 3 Ta 265The number of times the 266.Xr passwd 1 267utility enforces a check on the password. 268If 0, the new password will only be accepted if it passes the password 269quality check. 270.\" 271.Pp 272.It path Ta path Ta value of Dv _PATH_DEFPATH Ta 273.br 274Default search path. 275See 276.Pa /usr/include/paths.h . 277.\" 278.Pp 279.It priority Ta number Ta "" Ta 280Initial priority (nice) level. 281.\" 282.Pp 283.It requirehome Ta bool Ta Dv false Ta 284Require home directory to login. 285.\" 286.Pp 287.It rtable Ta number Ta "" Ta 288Rtable to be set for the class. 289.\" 290.Pp 291.It setenv Ta envlist Ta "" Ta 292A list of environment variables and associated values to be set for the class. 293.\" 294.Pp 295.It shell Ta program Ta "" Ta 296Session shell to execute rather than the shell specified in the password file. 297The 298.Ev SHELL 299environment variable will contain the shell specified in the password file. 300.\" 301.Pp 302.It tc Ta string Ta "" Ta 303Interpolate/expands records from corresponding 304.Pa login.conf . 305See 306.Xr cgetent 3 . 307.\" 308.Pp 309.It term Ta string Ta Dv su Ta 310Default terminal type if not able to determine from other means. 311.\" 312.Pp 313.It umask Ta number Ta Dv 022 Ta 314Initial umask. 315Should always have a leading 316.Li 0 317to ensure octal interpretation. 318See 319.Xr umask 2 . 320.\" 321.Pp 322.It vmemoryuse Ta size Ta "" Ta 323Maximum virtual memoryuse size limit. 324.\" 325.Pp 326.It welcome Ta file Ta Pa /etc/motd Ta 327File containing welcome message. 328.El 329.Pp 330The resource limit entries 331.Va ( cputime , filesize , datasize , stacksize , coredumpsize , 332.Va memoryuse , memorylocked , maxproc , 333and 334.Va openfiles ) 335actually specify both the maximum and current limits (see 336.Xr getrlimit 2 ) . 337The current limit is the one normally used, although the user is permitted 338to increase the current limit to the maximum limit. 339The maximum and current limits may be specified individually by appending a 340.Va \-max 341or 342.Va \-cur 343to the capability name (e.g., 344.Va openfiles-max 345and 346.Va openfiles-cur ) . 347.Pp 348.Ox 349will never define capabilities which start with 350.Li x- 351or 352.Li X- , 353these are reserved for external use (unless included through contributed 354software). 355.Pp 356The argument types are defined as: 357.Bl -tag -width programxx 358.\" 359.It envlist 360A comma-separated list of environment variables of the form 361.Ev variable Ns No = Ns value . 362If no value is specified, the 363.Sq = 364is optional. 365A 366.Li ~ 367in the path name is expanded to the user's home directory 368if it is at the end of a string or is followed by a slash 369.Pq Sq / 370or the user's login name. 371A 372.Li $ 373in the path name is expanded to the user's login name. 374.\" 375.It file 376Path name to a text file. 377.\" 378.It list 379A comma-separated list of values. 380.\" 381.It number 382A number, or 383.Cm infinity 384for no limit. 385A leading 386.Li 0x 387implies the number is expressed in hexadecimal. 388A leading 389.Li 0 390implies the number is expressed in octal. 391Any other number is treated as decimal. 392.\" 393.It path 394A space-separated list of path names. 395Login name and directory are substituted as for 396.Em envlist . 397Additionally, a 398.Li ~ 399is only expanded at the beginning of a path name. 400.\" 401.It program 402A path name to program. 403.\" 404.It size 405A number which expresses a size, or 406.Cm infinity 407for no limit. 408By default, the size is specified in bytes. 409It may have a trailing 410.Li b , 411.Li k , 412.Li m , 413.Li g 414or 415.Li t 416to indicate that the value is in 512-byte blocks, 417kilobytes, megabytes, gigabytes, or terabytes, respectively. 418.\" 419.It time 420A time in seconds, or 421.Cm infinity 422for no limit. 423A time may be expressed as a series of numbers which are added together. 424Each number may have a trailing character to represent time units: 425.Bl -tag -width xxx 426.\" 427.It y 428Indicates a number of 365 day years. 429.\" 430.It w 431Indicates a number of 7 day weeks. 432.\" 433.It d 434Indicates a number of 24 hour days. 435.\" 436.It h 437Indicates a number of 60 minute hours. 438.\" 439.It m 440Indicates a number of 60 second minutes. 441.\" 442.It s 443Indicates a number of seconds. 444.El 445.Pp 446For example, to indicate 1 and 1/2 hours, the following string could be used: 447.Li 1h30m . 448.El 449.\" 450.Sh AUTHENTICATION 451.Ox 452uses 453.Bx 454Authentication, which is made up of a variety of 455authentication styles. 456The authentication styles currently provided are: 457.Bl -tag -width lchpassxx 458.\" 459.It Li activ 460Authenticate using an ActivCard token. 461See 462.Xr login_activ 8 . 463.\" 464.It Li chpass 465Change user's password. 466See 467.Xr login_chpass 8 . 468.\" 469.It Li crypto 470Authenticate using a CRYPTOCard token. 471See 472.Xr login_crypto 8 . 473.\" 474.It Li lchpass 475Change user's local password. 476See 477.Xr login_lchpass 8 . 478.\" 479.It Li ldap 480Authenticate using an LDAP server. 481See 482.Xr login_ldap 8 . 483.\" 484.It Li passwd 485Request a password and check it against the password in the master.passwd file. 486See 487.Xr login_passwd 8 . 488.\" 489.It Li radius 490Normally linked to another authentication type, contact a RADIUS server 491to do authentication. 492See 493.Xr login_radius 8 . 494.\" 495.It Li reject 496Request a password and reject any request. 497See 498.Xr login_reject 8 . 499.\" 500.It Li skey 501Send a challenge and request a response, checking it 502with S/Key (tm) authentication. 503See 504.Xr login_skey 8 . 505.\" 506.It Li snk 507Authenticate using a SecureNet Key token. 508See 509.Xr login_snk 8 . 510.\" 511.It Li token 512Authenticate using a generic X9.9 token. 513See 514.Xr login_token 8 . 515.\" 516.It Li yubikey 517Authenticate using a Yubico YubiKey token. 518See 519.Xr login_yubikey 8 . 520.El 521.Pp 522Local authentication styles may be added by creating a login script 523for the style (see below). 524To prevent collisions with future official 525.Bx 526Authentication style names, all local style names should start with a dash (-). 527Current plans are for all official 528.Bx 529Authentication style names to begin 530with a lower case alphabetic character. 531For example, if you have a new style you refer to as 532.Li slick 533then you should create an authentication script named 534.Pa /usr/libexec/auth/login_-slick 535using the style name 536.Li -slick . 537When logging in via the 538.Xr login 1 539program, the syntax 540.Ar user Ns Li :-slick 541would be used. 542.Pp 543Authentication requires several pieces of information: 544.Bl -tag -width usernamexx 545.\" 546.It Ar class 547The login class being used. 548.It Ar service 549The type of service requesting authentication. 550The service type is used to determine what information the authentication 551program can provide to the user and what information the user can provide 552to the authentication program. 553.Pp 554The service type 555.Li login 556is appropriate for most situations. 557Two other service types, 558.Li challenge 559and 560.Li response , 561are provided for use by programs like 562.Xr ftpd 8 563and 564.Xr radiusd 8 . 565If no service type is specified, 566.Li login 567is used. 568.It Ar style 569The authentication style being used. 570.It Ar type 571The authentication type, 572used to determine the available authentication styles. 573.It Ar username 574The name of the user to authenticate. 575The name may contain an instance. 576If the authentication style being used does not support such instances, 577the request will fail. 578.El 579.Pp 580The program requesting authentication must specify a username and an 581authentication style. 582(For example, 583.Xr login 1 584requests a username from the user. 585Users may enter usernames of the form 586.Dq user:style 587to optionally specify the authentication style.) 588The requesting program may also specify the type of authentication 589that will be done. 590Most programs will only have a single type, if any at all, i.e., 591.Xr ftpd 8 592will always request the 593.Li ftp 594type authentication, and 595.Xr su 1 596will always request the 597.Li su 598type authentication. 599The 600.Xr login 1 601utility is special in that it may select an authentication type based 602on information found in the 603.Pa /etc/ttys 604file for the appropriate tty (see 605.Xr ttys 5 ) . 606.Pp 607The class to be used is normally determined by the 608.Li class 609field in the password file (see 610.Xr passwd 5 ) . 611.Pp 612The class is used to look up a corresponding entry in the 613.Pa login.conf 614file. 615If an authentication type is defined and a value for 616.Li auth- Ns Ar type 617exists in that entry, 618it will be used as a list of potential authentication styles. 619If an authentication type is not defined, or 620.Li auth- Ns Ar type 621is not specified for the class, 622the value of 623.Li auth 624is used as the list of available authentication styles. 625.Pp 626If the user did not specify an authentication style, the first style 627in the list of available styles is used. 628If the user did specify an authentication style and the style is in the 629list of available styles it will be used, otherwise the request is 630rejected. 631.Pp 632For any given style, the program 633.Pa /usr/libexec/auth/login_ Ns Va style 634is used to perform the authentication. 635The synopsis of this program is: 636.Pp 637.Li /usr/libexec/auth/login_ Ns Va style 638.Op Fl v Va name=value 639.Op Fl s Va service 640.Va username class 641.Pp 642The 643.Fl v 644option is used to specify arbitrary information to the authentication 645programs. 646Any number of 647.Fl v 648options may be used. 649The 650.Xr login 1 651program provides the following through the 652.Fl v 653option: 654.Bl -tag -width remote_addrxxx 655.It Li auth_type 656The type of authentication to use. 657.It Li fqdn 658The hostname provided to login by the 659.Fl h 660option. 661.It Li hostname 662The name 663.Xr login 1 664will place in the utmp file 665for the remote hostname. 666.It Li local_addr 667The local IP address given to 668.Xr login 1 669by the 670.Fl L 671option. 672.It Li lastchance 673Set to 674.Dq yes 675when a user's password has expired but the user is being given one last 676chance to login and update the password. 677.It Li login 678This is a new login session (as opposed to a simple identity check). 679.It Li remote_addr 680The remote IP address given to 681.Xr login 1 682by the 683.Fl R 684option. 685.It Li style 686The style of authentication used for this user 687(see approval scripts below). 688.El 689.Pp 690The 691.Xr su 1 692program provides the following through the 693.Fl v 694option: 695.Bl -tag -width remote_addrxxx 696.It Li wheel 697Set to either 698.Dq yes 699or 700.Dq no 701to indicate if the user is in group wheel when they are trying to become root. 702Some authentication types require the user to be in group wheel when using 703the 704.Xr su 1 705program to become super user. 706.El 707.Pp 708When the authentication program is executed, 709the environment will only contain the values 710.Ev PATH=/bin:/usr/bin 711and 712.Ev SHELL=/bin/sh . 713File descriptor 3 will be open for reading and writing. 714The authentication program should write one or more of the following 715strings to this file descriptor: 716.Bl -tag -width authorize 717.\" 718.It Li authorize 719The user has been authorized. 720.\" 721.It Li authorize secure 722The user has been authorized and root should be allowed to 723login even if this is not a secure terminal. 724This should only be sent by authentication styles that are secure 725over insecure lines. 726.\" 727.It Li reject 728Authorization is rejected. 729This overrides any indication that the user was authorized (though 730one would question the wisdom in sending both a 731.Va reject 732and an 733.Va authorize 734command). 735.\" 736.It Li reject challenge 737Authorization was rejected and a challenge has been made available 738via the value 739.Li challenge . 740.\" 741.It Li reject silent 742Authorization is rejected, but no error messages should be generated. 743.\" 744.It Li remove Va file 745If the login session fails for any reason, remove 746.Va file 747before termination. 748.\" 749.It Li setenv Va name Va value 750If the login session succeeds, the environment variable 751.Va name 752should be set to the specified 753.Va value . 754.\" 755.It Li unsetenv Va name 756If the login session succeeds, the environment variable 757.Va name 758should be removed. 759.\" 760.It Li value Va name Va value 761Set the internal variable 762.Va name 763to the specified 764.Va value . 765The 766.Va value 767should only contain printable characters. 768Several \e sequences may be used to introduce non printing characters. 769These are: 770.Bl -tag -width indent 771.It Li \en 772A newline. 773.It Li \er 774A carriage return. 775.It Li \et 776A tab. 777.It Li \e Ns Va xxx 778The character represented by the octal value 779.Va xxx . 780The value may be one, two, or three octal digits. 781.It Li \e Ns Va c 782The string is replaced by the value of 783.Va c . 784This allows quoting an initial space or the \e character itself. 785.El 786.Pp 787The following values are currently defined: 788.Bl -tag -width indent 789.It Li challenge 790See section on challenges below. 791.It Li errormsg 792If set, the value is the reason authentication failed. 793The calling program may choose to display this when rejecting the user, but 794display is not required. 795.El 796.El 797.Pp 798In order for authentication to be successful, 799the authentication program must exit with a value of 0 as well 800as provide an 801.Li authorize 802or 803.Li "authorize root" 804statement on file descriptor 3. 805.Pp 806An authentication program must not assume it will be called as root, 807nor must it assume it will not be called as root. 808If it needs special permissions to access files, it should be setuid or 809setgid to the appropriate user/group. 810See 811.Xr chmod 1 . 812.Sh CHALLENGES 813When an authentication program is called with a service of 814.Li challenge 815it should do one of three things: 816.Pp 817If this style of authentication supports challenge response, 818it should set the internal variable 819.Li challenge 820to be the appropriate challenge for the user. 821This is done by the 822.Li value 823command listed above. 824The program should also issue a 825.Li reject challenge 826and then exit with a 0 status. 827See the section on responses below. 828.Pp 829If this style of authentication does not support challenge response, 830but does support the 831.Li response 832service (described below) it should issue 833.Li reject silent 834and then exit with a 0 status. 835.Pp 836If this style of authentication does not support the 837.Li response 838service it should simply fail, complaining about an unknown service type. 839It should exit with a non-zero status. 840.Sh RESPONSES 841When an authentication program is called with a service of 842.Li response , 843and this style supports this mode of authentication, 844it should read two null terminated strings from file descriptor 3. 845The first string is a challenge that was issued to the user 846(obtained from the 847.Li challenge 848service above). 849The second string is the response the user gave (i.e., the password). 850If the response is correct for the specified challenge, the authentication 851should be accepted, else it should be rejected. 852It is possible for the challenge to be an empty string, which implies 853the calling program did first obtain a challenge prior to getting a 854response from the user. 855Not all authentication styles support empty challenges. 856.Sh APPROVAL 857An approval program has the synopsis of: 858.Bd -filled -offset indent 859.Va approve 860.Op Fl v Ar name=value 861.Va username class service 862.Ed 863.Pp 864Just as with an authentication program, file descriptor 3 will be 865open for writing when the approval program is executed. 866The 867.Fl v 868option is the same as in the authentication program. 869Unlike an authentication program, 870the approval program need not explicitly send an 871.Li authorize 872or 873.Li "authorize root" 874statement, 875it only need exit with a value of 0 or non-zero. 876An exit value of 0 is equivalent to an 877.Li authorize 878statement, and non-zero to a 879.Li reject 880statement. 881This allows for simple programs which have no information to provide 882other than approval or denial. 883.Sh CLASSIFICATION 884A classify program has the synopsis of: 885.Bd -filled -offset indent 886.Va classify 887.Op Fl v Ar name=value 888.Op Fl f 889.Op user 890.Ed 891.Pp 892See 893.Xr login 1 894for a description of the 895.Fl f , 896option. 897The 898.Fl v 899option is the same as for the authentication programs. 900The 901.Va user 902is the username passed to 903.Xr login 1 904login, if any. 905.Pp 906The typical job of the classify program is to determine what authentication 907type should actually be used, presumably based on the remote IP address. 908It might also re-specify the hostname to be included in the 909.Xr utmp 5 910file, reject the login attempt outright, 911or even print an additional login banner (e.g., 912.Pa /etc/issue ) . 913.Pp 914The classify entry is only valid for the 915.Li default 916class as it is used prior to knowing who the user is. 917The classify script may pass environment variables or other commands 918back to 919.Xr login 1 920on file descriptor 3, just as an authentication program does. 921The two variables 922.Nm AUTH_TYPE 923and 924.Nm REMOTE_NAME 925are used to specify a new authentication type (the type must have the 926form 927.Li auth- Ns Ar type ) 928and override the 929.Fl h 930option to login, respectively. 931.Sh FILES 932.Bl -tag -width "/etc/login.conf" 933.It Pa /etc/login.conf 934Login class capability database. 935.It Pa /etc/login.conf.d/${ Ns Va class Ns } 936Login class capability database for the specified 937login class. 938.El 939.Sh SEE ALSO 940.Xr cap_mkdb 1 , 941.Xr login 1 , 942.Xr auth_subr 3 , 943.Xr authenticate 3 , 944.Xr cgetent 3 , 945.Xr login_cap 3 , 946.Xr passwd 5 , 947.Xr ttys 5 , 948.Xr ftpd 8 949