login(4)


login -- login default file

Description

Options for the login program can be set or changed with keywords in /etc/default/login. The following keywords are recognized by login.

USERS
Define users of the system in addition to root whose login access to terminals will be restricted by the CONSOLE keyword. For reasons of security, it may be desirable to restrict access by privileged users such as the system owner. Users may be specified by name, by ID, and by ranges of IDs. The following example defines the user gemini and users with IDs 1000 through 1999 as being restricted by CONSOLE:
   USERS=gemini,1000-1999
Note that restricted access is always applied to root.

CONSOLE
If set, users defined by the USERS keyword may only log in on one of the terminals defined by the CONSOLE keyword. The following example would only allow restricted users to log in on the console (/dev/console):
   CONSOLE=/dev/console
Multiple devices and ranges of devices can be specified, for example:
   CONSOLE=/dev/console,/dev/inet/tcp000-/dev/inet/tcp999,/dev/pts000-/dev/pts255
This would allow restricted users to log in on the console, or to log in using rlogin or telnet.

If CONSOLE is not in /etc/default/login, or its entry is commented out, users may log in on any terminal.


ALTSHELL
If the user's shell is defined in /etc/passwd and this keyword is set to YES, the SHELL environment variable is set to the user's shell. If set to NO, the names of nonstandard shells are not put in the SHELL environment variable. For increased security, the default value of this keyword is YES.

PASSREQ
If set to YES, all users must have a password. Any user without a password is asked for one at the first opportunity permitted by the password aging set for that user.

MANDPASS
If set to YES, all users must have a password. Users without passwords will not be able to log in at all (overriding PASSREQ).

TIMEZONE
This keyword sets the TZ variable in the environment of the user. It must match the format of the timezone set in /etc/TIMEZONE.

HZ
This keyword sets the environment variable HZ, the rate of the system clock, for the user logging in. The default is 100.

PATH
This keyword sets a default path for an unprivileged user. The default is /usr/bin.

SUPATH
This keyword sets the default path for the privileged user logging in. Another default path for the privileged user is in /etc/default/su, which is set for privileged users who did not log in as such. The default is /sbin:/usr/sbin:/usr/bin:/etc.

ULIMIT
This keyword sets the maximum file size for a user. It is in units of 512-byte blocks.

UMASK
This keyword is the default umask for users. The default is 077.

IDLEWEEKS
This keyword is the number of weeks an account may remain idle before its login is disabled.


NOTE: A user's account will be disabled if their password is forcibly changed and the value of IDLEWEEKS is null or 0. To correct this, set IDLEWEEKS to a value greater than 0 or remove it from the file altogether.


TIMEOUT
This keyword is the length of time, in seconds, that login waits for a password after receiving a user name. The default is 60.

MAXTRYS
This keyword sets the maximum number of login attempts permitted. The default is 5.

LOGFAILURES
This keyword sets the number of consecutive failed login attempts that are permitted before a record is written to the log file (see loginlog(4)). The default is 5. See also the descriptions of LOCKONLOGFAIL and MAILONLOGFAIL.

LOCKONLOGFAIL
When set to YES, lock an account when the number of consecutive failed login attempts reaches the limit set by LOGFAILURES. The default value is NO, which prevents the account from being locked for this reason.

MAILONLOGFAIL
If LOCKONLOGFAIL is set to YES, this keyword defines the mail address(es) of the user(s) who should be notified when an account is locked because of too many failed login attempts. Multiple mail addresses should be specified as a comma-separated list. If undefined or set to null, mail is sent to root by default. If LOCKONLOGFAIL is set to NO, no mail is sent.

DISABLETIME
This keyword sets the number of seconds to sleep after MAXTRYS or LOGFAILURES failed logins. The default is 20.

SLEEPTIME
This keyword sets the number of seconds to sleep before printing an error message. The default is 1.

OPT_FPM
This keyword is the pathname of a regular, non-executable file containing a site-specific message to a user without a password, asking that user to pick a password. The default message is Choose one. This option is obsolete and no longer used, due to the PAM-enabling of login.

DELAYEDEXIT
This keyword delays the exit from the login process for the specified number of seconds, so that the user logging in has time to read messages before the screen is cleared. Its value can be set to any number between 0 and 10; the default value is 0. (If you try to assign a value greater than the maximum of 10, the value will be set to 10.)
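
The following is an added example, not part of the original manual page or of SCO's software: a POSIX sh function that reads a defaults file and reports settings that weaken login according to the keyword descriptions above. The function names, finding text and sample file are constructed for illustration, and it assumes KEYWORD=value lines with a leading # marking a commented-out entry.

```sh
#!/bin/sh
# Added example: audit a login defaults file against the keyword
# semantics described on this page. All names are illustrative.

# kw FILE KEYWORD: value of the last uncommented KEYWORD= line, empty if none
kw() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1; }
# has_kw FILE KEYWORD: succeeds if an uncommented KEYWORD= line exists
has_kw() { grep "^[[:space:]]*$2=" "$1" >/dev/null 2>&1; }

audit_login_defaults() {
    f=$1
    has_kw "$f" CONSOLE ||
        echo "CONSOLE: not set, root and USERS accounts may log in on any terminal"
    [ "$(kw "$f" PASSREQ)" = YES ] || [ "$(kw "$f" MANDPASS)" = YES ] ||
        echo "PASSREQ/MANDPASS: neither is set to YES in this file"
    u=$(kw "$f" UMASK)
    case $u in
        '') ;;  # unset: the documented default 077 applies
        *[!0-7]*) echo "UMASK: '$u' is not an octal mask" ;;
        # 63 is octal 077: all group and other bits must be masked
        *) [ $(( 0$u & 077 )) -eq 63 ] ||
               echo "UMASK: $u is looser than the documented default 077" ;;
    esac
    if [ "$(kw "$f" LOCKONLOGFAIL)" != YES ]; then
        echo "LOCKONLOGFAIL: not YES, failed logins never lock an account"
        has_kw "$f" MAILONLOGFAIL &&
            echo "MAILONLOGFAIL: ignored, no mail is sent unless LOCKONLOGFAIL=YES"
    fi
    if has_kw "$f" IDLEWEEKS; then
        case $(kw "$f" IDLEWEEKS) in
            ''|0) echo "IDLEWEEKS: null or 0, a forced password change disables the account" ;;
        esac
    fi
    return 0
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#CONSOLE=/dev/console
USERS=gemini,1000-1999
PASSREQ=YES
UMASK=022
MAILONLOGFAIL=root
IDLEWEEKS=0
EOF
audit_login_defaults "$sample"
rm -f "$sample"
```

On a live system, call audit_login_defaults /etc/default/login; an empty result means none of these checks fired.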

Files

/etc/default/login

References

defadm(1M), loginlog(4)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 05 July 2004