NAME

login.conf — login class capability data base

SYNOPSIS

login.conf

DESCRIPTION

The login.conf file describes the various attributes of login classes. A login class determines what styles of authentication are available as well as session resource limits and environment setup. While designed primarily for the login(1) program, it is also used by other programs, e.g., rexecd(8), which need to set up a user environment.

The class to be used is normally determined by the class field in the password file (see passwd(5)). The class is used to look up a corresponding entry in the login.conf file. A special class called “default” will be used (if it exists) if the field in the password file is empty.

CAPABILITIES

Refer to getcap(3) for a description of the file layout. An example entry is:

classname|Description entry:\ 
	:capability=value:\ 
	:booleancapability:\ 
		... 
	:lastcapability=value:

All entries in the login.conf file are either boolean or use a `=' to separate the capability from the value. The types are described after the capability table.

Name	Type	Default	Description
copyright	file		File containing additional copyright information. (If the file exists, login(1) displays it before the welcome message.)
coredumpsize	size		Maximum coredump size limit.
cputime	time		CPU usage limit.
datasize	size		Maximum data size limit.
filesize	size		Maximum file size limit.
host.allow	string		A comma-separated list of host name or IP address patterns from which a class is allowed access. Access is instead denied from any hosts preceded by ‘!'. Patterns can contain the sh(1)-style ‘*' and ‘?' wildcards. The host.deny entry is checked before host.allow. (Currently used only by sshd(8).)
host.deny	string		A comma-separated list of host name or IP address patterns from which a class is denied access. Patterns as per host.allow, although a matched pattern that has been negated with ‘!' is ignored. (Currently used only by sshd(8).)
hushlogin	bool	false	Same as having a $HOME/.hushlogin file. See login(1).
ignorenologin	bool	false	Not affected by nologin files.
login-retries	number	10	Maximum number of login attempts allowed.
login-backoff	number	3	Number of login attempts after which to start random back-off.
maxproc	number		Maximum number of processes.
memorylocked	size		Maximum locked in core memory size limit.
memoryuse	size		Maximum in core memoryuse size limit.
minpasswordlen	number		The minimum length a local password may be. Used by the passwd(1) utility.
nologin	file		If the file exists it will be displayed and the login session will be terminated.
openfiles	number		Maximum number of open file descriptors per process.
passwordtime	time		Used by passwd(1) to set next password expiry date.
password-warn	time	2w	If the user's password will expire within this length of time then warn the user of this.
path	path	/bin /usr/bin	Default search path.
priority	number		Initial priority (nice) level.
requirehome	bool	false	Require home directory to login.
sbsize	size		Maximum socket buffer size limit.
setenv	list		Comma or whitespace separated list of environment variables and values to be set. Commas and whitespace can be escaped using \\.
shell	program		Session shell to execute rather than the shell specified in the password file. The SHELL environment variable will contain the shell specified in the password file.
stacksize	size		Maximum stack size limit.
tc	string		A "continuation" entry, which must be the last capability provided. More capabilities are read from the named entry. The capabilities given before tc override those in the entry invoked by tc.
term	string	su	Default terminal type if not able to determine from other means.
umask	number	022	Initial umask. Should always have a leading 0 to assure octal interpretation. See umask(2).
welcome	file	/etc/motd	File containing welcome message. login(1) displays this and sshd(8) sends this.

The resource limit entries (coredumpsize, cputime, datasize, filesize, maxproc, memorylocked, memoryuse, openfiles, sbsize, and stacksize) actually specify both the maximum and current limits (see getrlimit(2)). The current limit is the one normally used, although the user is permitted to increase the current limit to the maximum limit. The maximum and current limits may be specified individually by appending a ‘-max' or ‘-cur' to the capability name (e.g., openfiles-max and openfiles-cur).

NetBSD will never define capabilities which start with x- or X-; these are reserved for external use (unless included through contributed software).

The argument types are defined as:

bool

If the name is present, then the boolean value is true; otherwise, it is false.

file

Path name to a text file.

list

A comma or whitespace separated list of values.

number

A number. A leading 0x implies the number is expressed in hexadecimal. A leading 0 implies the number is expressed in octal. Any other number is treated as decimal.

path

A space separated list of path names. If a ‘~' is the first character in the path name, the ‘~' is expanded to the user's home directory.

program

A path name to program.

size

A number which expresses a size in bytes. It may have a trailing b to multiply the value by 512, a k to multiply the value by 1 K (1024), and a m to multiply the value by 1 M (1048576).

time

A time in seconds. A time may be expressed as a series of numbers which are added together. Each number may have a trailing character to represent time units:

y

Indicates a number of 365 day years.

w

Indicates a number of 7 day weeks.

d

Indicates a number of 24 hour days.

h

Indicates a number of 60 minute hours.

m

Indicates a number of 60 second minutes.

s

Indicates a number of seconds.

For example, to indicate 1 and 1/2 hours, the following string could be used: 1h30m.

FILES

/etc/login.conf

login class capability database

/etc/login.conf.db

hashed database built with cap_mkdb(1)

SEE ALSO

cap_mkdb(1), login(1), getcap(3), login_cap(3), ttys(5), ftpd(8), sshd(8)

HISTORY

The login.conf configuration file appeared in NetBSD 1.5.