.\" $NetBSD: login.conf.5,v 1.31 2015/07/11 14:18:08 kamil Exp $
.\"
.\" Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	BSDI login.conf.5,v 2.19 1998/02/19 23:39:39 prb Exp
.\"
.Dd July 11, 2015
.Dt LOGIN.CONF 5
.Os
.Sh NAME
.Nm login.conf
.Nd login class capability data base
.Sh SYNOPSIS
.Nm login.conf
.Sh DESCRIPTION
The
.Nm login.conf
file describes the various attributes of login classes.
A login class determines what styles of authentication are available
as well as session resource limits and environment setup.
While designed primarily for the
.Xr login 1
program,
it is also used by other programs, e.g.,
.Xr rexecd 8 ,
which need to set up a user environment.
.Pp
The class to be used is normally determined by the
.Li class
field in the password file (see
.Xr passwd 5 ) .
The class is used to look up a corresponding entry in the
.Pa login.conf
file.
A special class called
.Dq default
will be used (if it exists) if the field in the password file is empty.
.Sh CAPABILITIES
Refer to
.Xr capfile 5
for a description of the file layout.
An example entry is:
.Bd -literal -offset indent
classname|Description entry:\\
	:capability=value:\\
	:booleancapability:\\
	\&.\&.\&.
	:lastcapability=value:
.Ed
.Pp
All entries in the
.Nm login.conf
file are either boolean or use a `=' to separate the capability
from the value.
The types are described after the capability table.
.Bl -column minpasswordlen program default
.It Sy Name Type Default Description
.\"
.sp
.It Sy copyright Ta file Ta "" Ta
File containing additional copyright information.
(If the file exists,
.Xr login 1
displays it before the welcome message.)
.\"
.sp
.It Sy coredumpsize Ta size Ta "" Ta
Maximum coredump size.
.\"
.sp
.It Sy cputime Ta time Ta "" Ta
CPU usage limit.
.\"
.sp
.It Sy datasize Ta size Ta "" Ta
Maximum data size.
.\"
.sp
.It Sy filesize Ta size Ta "" Ta
Maximum file size.
.\"
.sp
.It Sy host.allow Ta string Ta "" Ta
A comma-separated list of host name or IP address patterns
from which a class is allowed access.
Access is instead denied from any hosts preceded
by
.Sq Li \&! .
Patterns can contain the
.Xr sh 1 Ns -style
.Sq Li *
and
.Sq Li \&?
wildcards.
The
.Sy host.deny
entry is checked before
.Sy host.allow .
(Currently used only by
.Xr sshd 8 . )
.\"
.sp
.It Sy host.deny Ta string Ta "" Ta
A comma-separated list of host name or IP address patterns
from which a class is denied access.
Patterns as per
.Sy host.allow ,
although a matched pattern that has been negated with
.Sq Li \&!
is ignored.
(Currently used only by
.Xr sshd 8 . )
.\"
.sp
.It Sy hushlogin Ta bool Ta Li false Ta
Same as having a
.Pa $HOME/.hushlogin
file.
See
.Xr login 1 .
.\"
.sp
.It Sy ignorenologin Ta bool Ta Li false Ta
Not affected by
.Pa nologin
files.
.\"
.sp
.It Sy login-retries Ta number Ta 10 Ta
Maximum number of login attempts allowed.
.\"
.sp
.It Sy login-backoff Ta number Ta 3 Ta
Number of login attempts after which to start random back-off.
.\"
.sp
.It Sy maxproc Ta number Ta "" Ta
Maximum number of processes.
.\"
.sp
.It Sy maxthread Ta number Ta "" Ta
Maximum number of threads.
The first thread of each process is not counted against this.
.\"
.sp
.It Sy memorylocked Ta size Ta "" Ta
Maximum locked in-core memory size.
.\"
.sp
.It Sy memoryuse Ta size Ta "" Ta
Maximum in-core memory use size.
.\"
.sp
.It Sy minpasswordlen Ta number Ta "" Ta
The minimum length a local password may be.
Used by the
.Xr passwd 1
utility.
.\"
.sp
.It Sy nologin Ta file Ta "" Ta
If the file exists it will be displayed
and the login session will be terminated.
.\"
.sp
.It Sy openfiles Ta number Ta "" Ta
Maximum number of open file descriptors per process.
.\"
.\"XX .sp
.\"XX .It Sy password-dead Ta time Ta Li 0 Ta
.\"XX Length of time a password may be expired but not quite dead yet.
.\"XX When set (for both the client and remote server machine when doing
.\"XX remote authentication), a user is allowed to log in just one more
.\"XX time after their password (but not account) has expired.
.\"XX This allows a grace period for updating their password.
.\"
.sp
.It Sy passwordtime Ta time Ta "" Ta
Used by
.Xr passwd 1
to set next password expiry date.
.\"
.sp
.It Sy password-warn Ta time Ta Li 2w Ta
If the user's password will expire within this length of time then
warn the user of this.
.\"
.sp
.It Sy path Ta path Ta Li "/bin /usr/bin" Ta
.br
Default search path.
.\"
.sp
.It Sy priority Ta number Ta "" Ta
Initial priority (nice) level.
.\"
.sp
.It Sy requirehome Ta bool Ta Li false Ta
Require home directory to login.
.\"
.sp
.It Sy sbsize Ta size Ta "" Ta
Maximum socket buffer size.
.\"
.sp
.It Sy setenv Ta list Ta "" Ta
Comma or whitespace separated list
of environment variables and values to be set.
Commas and whitespace can be escaped using \e\e.
.\"
.sp
.It Sy shell Ta program Ta "" Ta
Session shell to execute rather than the shell specified in the password file.
The
.Ev SHELL
environment variable will contain the shell specified in the password file.
.\"
.sp
.It Sy stacksize Ta size Ta "" Ta
Maximum stack size.
.\"
.sp
.It Sy tc Ta string Ta "" Ta
A "continuation" entry, which must be the last capability provided.
More capabilities are read from the named entry.
The capabilities given before
.Sy tc
override those in the entry invoked by
.Sy tc .
.\"
.sp
.It Sy term Ta string Ta Li su Ta
Default terminal type if not able to determine from other means.
.\"
.sp
.It Sy umask Ta number Ta Li 022 Ta
Initial umask.
Should always have a leading
.Li 0
to assure octal interpretation.
See
.Xr umask 2 .
.\"
.sp
.It Sy vmemoryuse Ta size Ta "" Ta
Maximum virtual address space size.
.\"
.sp
.It Sy welcome Ta file Ta Li /etc/motd Ta
File containing welcome message.
.Xr login 1
displays this and
.Xr sshd 8
sends this.
.El
.Pp
The resource limit entries
.Sy ( coredumpsize ,
.Sy cputime ,
.Sy datasize ,
.Sy filesize ,
.Sy maxproc ,
.Sy memorylocked ,
.Sy memoryuse ,
.Sy openfiles ,
.Sy sbsize ,
.Sy stacksize
and
.Sy vmemoryuse )
actually specify both the maximum and current limits (see
.Xr getrlimit 2 ) .
The current limit is the one normally used,
although the user is permitted to increase the current limit to the
maximum limit.
The maximum and current limits may be specified individually by appending
a
.Sq Sy \-max
or
.Sq Sy \-cur
to the capability name (e.g.,
.Sy openfiles-max
and
.Sy openfiles-cur Ns No ) .
.Pp
.Nx
will never define capabilities which start with
.Li x-
or
.Li X- ;
these are reserved for external use (unless included through contributed
software).
.Pp
The argument types are defined as:
.Bl -tag -width programxx
.\"
.It Sy bool
If the name is present, then the boolean value is true;
otherwise, it is false.
.\"
.It Sy file
Path name to a text file.
.\"
.It Sy list
A comma or whitespace separated list of values.
.\"
.It Sy number
A number.
A leading
.Li 0x
implies the number is expressed in hexadecimal.
A leading
.Li 0
implies the number is expressed in octal.
Any other number is treated as decimal.
.\"
.It Sy path
A space separated list of path names.
If a
.Sq Li ~
is the first character in the path name, the
.Sq Li ~
is expanded to the user's home directory.
.\"
.It Sy program
A path name to a program.
.\"
.It Sy size
A number which expresses a size in bytes.
It may have a trailing
.Li b
to multiply the value by 512, a
.Li k
to multiply the value by 1 K (1024), and a
.Li m
to multiply the value by 1 M (1048576).
.\"
.It Sy time
A time in seconds.
A time may be expressed as a series of numbers
which are added together.
Each number may have a trailing character to
represent time units:
.Bl -tag -width xxx
.\"
.It Sy y
Indicates a number of 365 day years.
.\"
.It Sy w
Indicates a number of 7 day weeks.
.\"
.It Sy d
Indicates a number of 24 hour days.
.\"
.It Sy h
Indicates a number of 60 minute hours.
.\"
.It Sy m
Indicates a number of 60 second minutes.
.\"
.It Sy s
Indicates a number of seconds.
.El
.Pp
For example, to indicate 1 and 1/2 hours, the following string
could be used:
.Li 1h30m .
.El
.\"
.Sh FILES
.Bl -tag -width /etc/login.conf.db -compact
.It Pa /etc/login.conf
login class capability database
.It Pa /etc/login.conf.db
hashed database built with
.Xr cap_mkdb 1
.El
.Sh SEE ALSO
.Xr cap_mkdb 1 ,
.Xr login 1 ,
.Xr login_cap 3 ,
.Xr capfile 5 ,
.Xr ttys 5 ,
.Xr ftpd 8 ,
.Xr sshd 8
.Sh HISTORY
The
.Nm
configuration file appeared in
.Nx 1.5 .
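As an added illustration (not part of the manual page and not NetBSD's login_cap(3) code), the following Python parses the number, time and size argument types defined above and applies the -cur/-max convention from the resource-limit paragraph to one capfile-style record. The "staff" class, its values and the host.deny patterns are constructed for the example, and treating the numeric part of a size with the number prefix rules is an assumption.

```python
import re

# Unit multipliers for the "time" and "size" argument types defined in login.conf(5).
TIME_UNITS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
SIZE_UNITS = {"b": 512, "k": 1024, "m": 1048576}

def parse_number(text):
    """'number' type: leading 0x means hex, a leading 0 means octal, otherwise decimal."""
    text = text.strip()
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text, 10)

def parse_time(text):
    """'time' type: numbers with y/w/d/h/m/s suffixes, added together (1h30m -> 5400 s)."""
    if not re.fullmatch(r"(\d+[ywdhms]?)+", text.strip()):
        raise ValueError("bad time value: %r" % text)
    return sum(int(n) * TIME_UNITS.get(u, 1) for n, u in re.findall(r"(\d+)([ywdhms]?)", text))

def parse_size(text):
    """'size' type: bytes with optional trailing b/k/m; numeric part uses 'number' rules (assumed)."""
    m = re.fullmatch(r"(0[xX][0-9a-fA-F]+|\d+)([bkm]?)", text.strip())
    if m is None:
        raise ValueError("bad size value: %r" % text)
    return parse_number(m.group(1)) * SIZE_UNITS.get(m.group(2), 1)

def parse_entry(entry):
    """One capfile(5)-style record -> (names, {capability: value or True}); tc= is not followed."""
    fields = [f.strip() for f in entry.replace("\\\n", "").split(":")]
    caps = {}
    for field in fields[1:]:
        if field:
            key, _, value = field.partition("=")
            caps[key] = value if "=" in field else True
    return fields[0].split("|"), caps

def resolve_rlimit(caps, name, parse=parse_size):
    """-cur/-max rule: the bare name sets both limits; name-cur / name-max override one each."""
    cur = caps.get(name + "-cur", caps.get(name))
    top = caps.get(name + "-max", caps.get(name))
    if cur is None and top is None:
        return None  # limit not set in this record
    return tuple(None if v is None else parse(v) for v in (cur, top))

# Constructed sample record (not from the manual page): a tightened "staff" class.
SAMPLE = """staff|Staff accounts:\\
\t:minpasswordlen=12:passwordtime=90d:login-retries=5:umask=027:requirehome:\\
\t:openfiles=64:openfiles-max=256:datasize=512m:host.deny=*.example.net,!build.example.net:\\
\t:tc=default:"""
```

Running `parse_entry(SAMPLE)` and then `resolve_rlimit` on each limit name gives the values in machine units, which is the form worth comparing against an intended baseline when reviewing a class.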