.\"
.\" Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $OpenBSD: login.conf.5,v 1.72 2024/01/22 19:26:55 deraadt Exp $
.\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $
.\"
.Dd $Mdocdate: January 22 2024 $
.Dt LOGIN.CONF 5
.Os
.Sh NAME
.Nm login.conf
.Nd login class capability database
.Sh DESCRIPTION
The
.Nm
file describes the various attributes of login classes.
A login class determines what styles of authentication are available
as well as session resource limits and environment setup.
While designed primarily for the
.Xr login 1
program,
it is also used by other programs, such as
.Xr ftpd 8 ,
to determine what means of authentication are available.
It is also used by programs which need to set up a user environment.
.Pp
A special record,
.Dq default ,
in
.Pa /etc/login.conf
is used for any user without a valid login class in
.Pa /etc/master.passwd .
.Pp
In case the
.Pa /etc/login.conf.d/${ Ns Va class Ns }
file exists, it will take precedence over the same login class
defined in
.Pa /etc/login.conf .
.Pp
Sites with very large
.Pa /etc/login.conf
files may wish to create a database version of the file,
.Pa /etc/login.conf.db ,
for improved performance.
Using a database version for small files does not result in a
performance improvement.
To build
.Pa /etc/login.conf.db
from
.Pa /etc/login.conf
the following command may be used:
.Pp
.Dl # cap_mkdb /etc/login.conf
.Pp
Note that
.Xr cap_mkdb 1
must be run after each edit of
.Pa /etc/login.conf
or the
.Pa /etc/login.conf.d/${class}
file to keep the database version in sync with the plain file.
.Sh CAPABILITIES
Refer to
.Xr cgetent 3
for a description of the file layout.
All entries in the
.Nm
file are either boolean or use a
.Ql =
to separate the capability from the value.
The types are described after the capability table.
.Bl -column "approve-service" "program" "bcrypt,8" "Description"
.It Sy Name Ta Sy Type Ta Sy Default Ta Sy Description
.\"
.It approve Ta program Ta "" Ta
Default program to approve login.
.\"
.Pp
.It approve- Ns Ar service Ta program Ta "" Ta
Program to approve login for
.Ar service .
.\"
.Pp
.It auth Ta list Ta Dv passwd Ta
Allowed authentication styles.
The first value is the default style.
.\"
.Pp
.It auth- Ns Ar type Ta list Ta "" Ta
Allowed authentication styles for the authentication type
.Ar type .
.\"
.Pp
.It classify Ta program Ta "" Ta
Classify type of login.
.\"
.Pp
.It copyright Ta file Ta "" Ta
File containing additional copyright information.
.\"
.Pp
.It coredumpsize Ta size Ta "" Ta
Maximum coredump size limit.
.\"
.Pp
.It cputime Ta time Ta "" Ta
CPU usage limit.
.\"
.Pp
.It datasize Ta size Ta "" Ta
Maximum data size limit.
.\"
.Pp
.It expire-warn Ta time Ta Dv 2w Ta
If the user's account will expire within this length of time then
warn the user of this.
.\"
.Pp
.It filesize Ta size Ta "" Ta
Maximum file size limit.
.\"
.Pp
.It hushlogin Ta bool Ta Dv false Ta
Same as having a
.Pa $HOME/.hushlogin
file.
See
.Xr login 1 .
.\"
.Pp
.It ignorenologin Ta bool Ta Dv false Ta
Not affected by
.Pa nologin
files.
See
.Xr login 1 .
.\"
.Pp
.It localcipher Ta string Ta bcrypt,a Ta
The cipher to use for encrypting passwords.
Refer to
.Xr crypt_newhash 3
for possible values.
.\"
.Pp
.It login-backoff Ta number Ta 3 Ta
After
.Ar login-backoff
unsuccessful login attempts during a single session,
.Xr login 1
will start sleeping a bit in between attempts.
.\"
.Pp
.It login-timeout Ta time Ta 300 Ta
Number of seconds before
.Xr login 1
times out at the password prompt.
Note that this setting is only valid for the
.Li default
record.
.\"
.Pp
.It login-tries Ta number Ta 10 Ta
Number of tries a user gets to successfully login before
.Xr login 1
closes the connection.
.\"
.Pp
.It stacksize Ta size Ta "" Ta
Maximum stack size limit.
.\"
.Pp
.It maxproc Ta number Ta "" Ta
Maximum number of processes.
.\"
.Pp
.It memorylocked Ta size Ta "" Ta
Maximum locked in core memory size limit.
.\"
.Pp
.It memoryuse Ta size Ta "" Ta
Maximum in core memoryuse size limit.
.\"
.Pp
.It minpasswordlen Ta number Ta 6 Ta
The minimum length a local password may be.
If a negative value or zero, no length restrictions are enforced.
Used by the
.Xr passwd 1
utility.
.\"
.Pp
.It nologin Ta file Ta "" Ta
If the file exists, it will be displayed
and the login session will be terminated.
.\"
.Pp
.It openfiles Ta number Ta "" Ta
Maximum number of open file descriptors per process.
.\"
.Pp
.It password-dead Ta time Ta Dv 0 Ta
Length of time a password may be expired but not quite dead yet.
When set (for both the client and remote server machine when doing
remote authentication), a user is allowed to log in just one more
time after their password (but not account) has expired.
This allows a grace period for updating their password.
.\"
.Pp
.It password-warn Ta time Ta Dv 2w Ta
If the user's password will expire within this length of time then
warn the user of this.
.\"
.Pp
.It passwordcheck Ta program Ta "" Ta
An external program that checks the quality of the password.
The password is passed to the program on
.Pa stdin .
An exit code of 0 indicates that the quality of the password is
sufficient, an exit code of 1 signals that the password failed the check.
.\"
.Pp
.It passwordtime Ta time Ta "" Ta
The lifetime of a password in seconds, reset every time a user
changes their password.
When this value is exceeded, the user will no longer be able to
login unless the
.Li password-dead
option has been specified.
Used by the
.Xr passwd 1
utility.
.\"
.Pp
.It passwordtries Ta number Ta 3 Ta
The number of times the
.Xr passwd 1
utility enforces a check on the password.
If 0, the new password will only be accepted if it passes the password
quality check.
.\"
.Pp
.It path Ta path Ta value of Dv _PATH_DEFPATH Ta
.br
Default search path.
See
.Pa /usr/include/paths.h .
.\"
.Pp
.It priority Ta number Ta "" Ta
Initial priority (nice) level.
.\"
.Pp
.It requirehome Ta bool Ta Dv false Ta
Require home directory to login.
.\"
.Pp
.It rtable Ta number Ta "" Ta
Rtable to be set for the class.
.\"
.Pp
.It setenv Ta envlist Ta "" Ta
A list of environment variables and associated values to be set for the class.
.\"
.Pp
.It shell Ta program Ta "" Ta
Session shell to execute rather than the shell specified in the password file.
The
.Ev SHELL
environment variable will contain the shell specified in the password file.
.\"
.Pp
.It tc Ta string Ta "" Ta
Interpolate/expands records from corresponding
.Pa login.conf .
See
.Xr cgetent 3 .
.\"
.Pp
.It term Ta string Ta Dv su Ta
Default terminal type if not able to determine from other means.
.\"
.Pp
.It umask Ta number Ta Dv 022 Ta
Initial umask.
Should always have a leading
.Li 0
to ensure octal interpretation.
See
.Xr umask 2 .
.\"
.Pp
.It vmemoryuse Ta size Ta "" Ta
Maximum virtual memoryuse size limit.
.\"
.Pp
.It welcome Ta file Ta Pa /etc/motd Ta
File containing welcome message.
.El
.Pp
The resource limit entries
.Va ( cputime , filesize , datasize , stacksize , coredumpsize ,
.Va memoryuse , memorylocked , maxproc ,
and
.Va openfiles )
actually specify both the maximum and current limits (see
.Xr getrlimit 2 ) .
The current limit is the one normally used, although the user is permitted
to increase the current limit to the maximum limit.
The maximum and current limits may be specified individually by appending a
.Va \-max
or
.Va \-cur
to the capability name (e.g.,
.Va openfiles-max
and
.Va openfiles-cur ) .
.Pp
.Ox
will never define capabilities which start with
.Li x-
or
.Li X- ,
these are reserved for external use (unless included through contributed
software).
.Pp
The argument types are defined as:
.Bl -tag -width programxx
.\"
.It envlist
A comma-separated list of environment variables of the form
.Ev variable Ns No = Ns value .
If no value is specified, the
.Sq =
is optional.
A
.Li ~
in the path name is expanded to the user's home directory
if it is at the end of a string or is followed by a slash
.Pq Sq /
or the user's login name.
A
.Li $
in the path name is expanded to the user's login name.
.\"
.It file
Path name to a text file.
.\"
.It list
A comma-separated list of values.
.\"
.It number
A number.
A leading
.Li 0x
implies the number is expressed in hexadecimal.
A leading
.Li 0
implies the number is expressed in octal.
Any other number is treated as decimal.
.\"
.It path
A space-separated list of path names.
Login name and directory are substituted as for
.Em envlist .
Additionally, a
.Li ~
is only expanded at the beginning of a path name.
.\"
.It program
A path name to a program.
.\"
.It size
A
.Va number
which expresses a size.
By default, the size is specified in bytes.
It may have a trailing
.Li b ,
.Li k ,
.Li m ,
.Li g
or
.Li t
to indicate that the value is in 512-byte blocks,
kilobytes, megabytes, gigabytes, or terabytes, respectively.
.\"
.It time
A time in seconds.
A time may be expressed as a series of numbers which are added together.
Each number may have a trailing character to represent time units:
.Bl -tag -width xxx
.\"
.It y
Indicates a number of 365 day years.
.\"
.It w
Indicates a number of 7 day weeks.
.\"
.It d
Indicates a number of 24 hour days.
.\"
.It h
Indicates a number of 60 minute hours.
.\"
.It m
Indicates a number of 60 second minutes.
.\"
.It s
Indicates a number of seconds.
.El
.Pp
For example, to indicate 1 and 1/2 hours, the following string could be used:
.Li 1h30m .
.El
.\"
.Sh AUTHENTICATION
.Ox
uses
.Bx
Authentication, which is made up of a variety of
authentication styles.
The authentication styles currently provided are:
.Bl -tag -width lchpassxx
.\"
.It Li activ
Authenticate using an ActivCard token.
See
.Xr login_activ 8 .
.\"
.It Li chpass
Change user's password.
See
.Xr login_chpass 8 .
.\"
.It Li crypto
Authenticate using a CRYPTOCard token.
See
.Xr login_crypto 8 .
.\"
.It Li lchpass
Change user's local password.
See
.Xr login_lchpass 8 .
.\"
.It Li ldap
Authenticate using an LDAP server.
See
.Xr login_ldap 8 .
.\"
.It Li passwd
Request a password and check it against the password in the master.passwd file.
See
.Xr login_passwd 8 .
.\"
.It Li radius
Normally linked to another authentication type, contact a RADIUS server
to do authentication.
See
.Xr login_radius 8 .
.\"
.It Li reject
Request a password and reject any request.
See
.Xr login_reject 8 .
.\"
.It Li skey
Send a challenge and request a response, checking it
with S/Key (tm) authentication.
See
.Xr login_skey 8 .
.\"
.It Li snk
Authenticate using a SecureNet Key token.
See
.Xr login_snk 8 .
.\"
.It Li token
Authenticate using a generic X9.9 token.
See
.Xr login_token 8 .
.\"
.It Li yubikey
Authenticate using a Yubico YubiKey token.
See
.Xr login_yubikey 8 .
.El
.Pp
Local authentication styles may be added by creating a login script
for the style (see below).
To prevent collisions with future official
.Bx
Authentication style names, all local style names should start with a dash (-).
Current plans are for all official
.Bx
Authentication style names to begin
with a lower case alphabetic character.
For example, if you have a new style you refer to as
.Li slick
then you should create an authentication script named
.Pa /usr/libexec/auth/login_-slick
using the style name
.Li -slick .
When logging in via the
.Xr login 1
program, the syntax
.Ar user Ns Li :-slick
would be used.
.Pp
Authentication requires several pieces of information:
.Bl -tag -width usernamexx
.\"
.It Ar class
The login class being used.
.It Ar service
The type of service requesting authentication.
The service type is used to determine what information the authentication
program can provide to the user and what information the user can provide
to the authentication program.
.Pp
The service type
.Li login
is appropriate for most situations.
Two other service types,
.Li challenge
and
.Li response ,
are provided for use by programs like
.Xr ftpd 8
and
.Xr radiusd 8 .
If no service type is specified,
.Li login
is used.
.It Ar style
The authentication style being used.
.It Ar type
The authentication type,
used to determine the available authentication styles.
.It Ar username
The name of the user to authenticate.
The name may contain an instance.
If the authentication style being used does not support such instances,
the request will fail.
.El
.Pp
The program requesting authentication must specify a username and an
authentication style.
(For example,
.Xr login 1
requests a username from the user.
Users may enter usernames of the form
.Dq user:style
to optionally specify the authentication style.)
The requesting program may also specify the type of authentication
that will be done.
Most programs will only have a single type, if any at all, i.e.,
.Xr ftpd 8
will always request the
.Li ftp
type authentication, and
.Xr su 1
will always request the
.Li su
type authentication.
The
.Xr login 1
utility is special in that it may select an authentication type based
on information found in the
.Pa /etc/ttys
file for the appropriate tty (see
.Xr ttys 5 ) .
.Pp
The class to be used is normally determined by the
.Li class
field in the password file (see
.Xr passwd 5 ) .
.Pp
The class is used to look up a corresponding entry in the
.Pa login.conf
file.
If an authentication type is defined and a value for
.Li auth- Ns Ar type
exists in that entry,
it will be used as a list of potential authentication styles.
If an authentication type is not defined, or
.Li auth- Ns Ar type
is not specified for the class,
the value of
.Li auth
is used as the list of available authentication styles.
.Pp
If the user did not specify an authentication style, the first style
in the list of available styles is used.
If the user did specify an authentication style and the style is in the
list of available styles it will be used, otherwise the request is
rejected.
.Pp
For any given style, the program
.Pa /usr/libexec/auth/login_ Ns Va style
is used to perform the authentication.
The synopsis of this program is:
.Pp
.Li /usr/libexec/auth/login_ Ns Va style
.Op Fl v Va name=value
.Op Fl s Va service
.Va username class
.Pp
The
.Fl v
option is used to specify arbitrary information to the authentication
programs.
Any number of
.Fl v
options may be used.
The
.Xr login 1
program provides the following through the
.Fl v
option:
.Bl -tag -width remote_addrxxx
.It Li auth_type
The type of authentication to use.
.It Li fqdn
The hostname provided to login by the
.Fl h
option.
.It Li hostname
The name
.Xr login 1
will place in the utmp file
for the remote hostname.
.It Li local_addr
The local IP address given to
.Xr login 1
by the
.Fl L
option.
.It Li lastchance
Set to
.Dq yes
when a user's password has expired but the user is being given one last
chance to login and update the password.
.It Li login
This is a new login session (as opposed to a simple identity check).
.It Li remote_addr
The remote IP address given to
.Xr login 1
by the
.Fl R
option.
.It Li style
The style of authentication used for this user
(see approval scripts below).
.El
.Pp
The
.Xr su 1
program provides the following through the
.Fl v
option:
.Bl -tag -width remote_addrxxx
.It Li wheel
Set to either
.Dq yes
or
.Dq no
to indicate if the user is in group wheel when they are trying to become root.
Some authentication types require the user to be in group wheel when using
the
.Xr su 1
program to become super user.
.El
.Pp
When the authentication program is executed,
the environment will only contain the values
.Ev PATH=/bin:/usr/bin
and
.Ev SHELL=/bin/sh .
File descriptor 3 will be open for reading and writing.
The authentication program should write one or more of the following
strings to this file descriptor:
.Bl -tag -width authorize
.\"
.It Li authorize
The user has been authorized.
.\"
.It Li authorize secure
The user has been authorized and root should be allowed to
login even if this is not a secure terminal.
This should only be sent by authentication styles that are secure
over insecure lines.
.\"
.It Li reject
Authorization is rejected.
This overrides any indication that the user was authorized (though
one would question the wisdom in sending both a
.Va reject
and an
.Va authorize
command).
.\"
.It Li reject challenge
Authorization was rejected and a challenge has been made available
via the value
.Li challenge .
.\"
.It Li reject silent
Authorization is rejected, but no error messages should be generated.
.\"
.It Li remove Va file
If the login session fails for any reason, remove
.Va file
before termination.
.\"
.It Li setenv Va name Va value
If the login session succeeds, the environment variable
.Va name
should be set to the specified
.Va value .
.\"
.It Li unsetenv Va name
If the login session succeeds, the environment variable
.Va name
should be removed.
.\"
.It Li value Va name Va value
Set the internal variable
.Va name
to the specified
.Va value .
The
.Va value
should only contain printable characters.
Several \e sequences may be used to introduce non printing characters.
These are:
.Bl -tag -width indent
.It Li \en
A newline.
.It Li \er
A carriage return.
.It Li \et
A tab.
.It Li \e Ns Va xxx
The character represented by the octal value
.Va xxx .
The value may be one, two, or three octal digits.
.It Li \e Ns Va c
The string is replaced by the value of
.Va c .
This allows quoting an initial space or the \e character itself.
.El
.Pp
The following values are currently defined:
.Bl -tag -width indent
.It Li challenge
See section on challenges below.
.It Li errormsg
If set, the value is the reason authentication failed.
The calling program may choose to display this when rejecting the user, but
display is not required.
.El
.El
.Pp
In order for authentication to be successful,
the authentication program must exit with a value of 0 as well
as provide an
.Li authorize
or
.Li "authorize root"
statement on file descriptor 3.
.Pp
An authentication program must not assume it will be called as root,
nor must it assume it will not be called as root.
If it needs special permissions to access files, it should be setuid or
setgid to the appropriate user/group.
See
.Xr chmod 1 .
.Sh CHALLENGES
When an authentication program is called with a service of
.Li challenge
it should do one of three things:
.Pp
If this style of authentication supports challenge response,
it should set the internal variable
.Li challenge
to be the appropriate challenge for the user.
This is done by the
.Li value
command listed above.
The program should also issue a
.Li reject challenge
and then exit with a 0 status.
See the section on responses below.
.Pp
If this style of authentication does not support challenge response,
but does support the
.Li response
service (described below) it should issue
.Li reject silent
and then exit with a 0 status.
.Pp
If this style of authentication does not support the
.Li response
service it should simply fail, complaining about an unknown service type.
It should exit with a non-zero status.
.Sh RESPONSES
When an authentication program is called with a service of
.Li response ,
and this style supports this mode of authentication,
it should read two null terminated strings from file descriptor 3.
The first string is a challenge that was issued to the user
(obtained from the
.Li challenge
service above).
The second string is the response the user gave (i.e., the password).
If the response is correct for the specified challenge, the authentication
should be accepted, else it should be rejected.
It is possible for the challenge to be an empty string, which implies
the calling program did first obtain a challenge prior to getting a
response from the user.
Not all authentication styles support empty challenges.
.Sh APPROVAL
An approval program has the synopsis of:
.Bd -filled -offset indent
.Va approve
.Op Fl v Ar name=value
.Va username class service
.Ed
.Pp
Just as with an authentication program, file descriptor 3 will be
open for writing when the approval program is executed.
The
.Fl v
option is the same as in the authentication program.
Unlike an authentication program,
the approval program need not explicitly send an
.Li authorize
or
.Li "authorize root"
statement,
it only need exit with a value of 0 or non-zero.
An exit value of 0 is equivalent to an
.Li authorize
statement, and non-zero to a
.Li reject
statement.
This allows for simple programs which have no information to provide
other than approval or denial.
.Sh CLASSIFICATION
A classify program has the synopsis of:
.Bd -filled -offset indent
.Va classify
.Op Fl v Ar name=value
.Op Fl f
.Op user
.Ed
.Pp
See
.Xr login 1
for a description of the
.Fl f
option.
The
.Fl v
option is the same as for the authentication programs.
The
.Va user
is the username passed to
.Xr login 1 ,
if any.
.Pp
The typical job of the classify program is to determine what authentication
type should actually be used, presumably based on the remote IP address.
It might also re-specify the hostname to be included in the
.Xr utmp 5
file, reject the login attempt outright,
or even print an additional login banner (e.g.,
.Pa /etc/issue ) .
.Pp
The classify entry is only valid for the
.Li default
class as it is used prior to knowing who the user is.
The classify script may pass environment variables or other commands
back to
.Xr login 1
on file descriptor 3, just as an authentication program does.
The two variables
.Nm AUTH_TYPE
and
.Nm REMOTE_NAME
are used to specify a new authentication type (the type must have the
form
.Li auth- Ns Ar type )
and override the
.Fl h
option to login, respectively.
.Sh FILES
.Bl -tag -width "/etc/login.conf"
.It Pa /etc/login.conf
Login class capability database.
.It Pa /etc/login.conf.d/${ Ns Va class Ns }
Login class capability database for the specified
login class.
.El
.Sh SEE ALSO
.Xr cap_mkdb 1 ,
.Xr login 1 ,
.Xr auth_subr 3 ,
.Xr authenticate 3 ,
.Xr cgetent 3 ,
.Xr login_cap 3 ,
.Xr passwd 5 ,
.Xr ttys 5 ,
.Xr ftpd 8
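.Sh EXAMPLES
The approval program below is an added example, not part of the original manual or of OpenBSD's own code; it follows the synopsis given in the APPROVAL section and reads the remote_addr value that login passes with -v.
The class name, the address prefix and the policy itself (including treating a missing remote_addr as a local login) are constructed assumptions.

```shell
#!/bin/sh
# Example approval program for the "approve" capability (added example).
# Called as: approve [-v name=value] username class service
# Exit 0 is equivalent to "authorize", non-zero to "reject".

# Constructed policy values (assumptions, not from the manual):
RESTRICTED_CLASS="staff"     # hypothetical login class
ALLOWED_PREFIX="192.0.2."    # TEST-NET-1; trailing dot stops 192.0.20.x matching

# Reject, giving the reason in the internal variable "errormsg" on fd 3.
# Only fixed strings are written: each line on fd 3 is a command, so
# caller-supplied text (user names, host names) must never be echoed there.
deny() {
	if { true >&3; } 2>/dev/null; then
		printf 'value errormsg %s\n' "$1" >&3
	fi
	return 1
}

approve() {
	remote_addr=""
	OPTIND=1
	while getopts "v:" opt; do
		case $opt in
		v)
			# Keep only the variable this policy needs.
			case $OPTARG in
			remote_addr=*) remote_addr=${OPTARG#remote_addr=} ;;
			esac
			;;
		*)
			deny "approve: bad option"
			return 1
			;;
		esac
	done
	shift $((OPTIND - 1))

	# The synopsis requires exactly: username class service.
	if [ "$#" -ne 3 ]; then
		deny "approve: expected username class service"
		return 1
	fi
	class=$2

	# Classes outside the policy are approved unchanged.
	[ "$class" = "$RESTRICTED_CLASS" ] || return 0

	case $remote_addr in
	"")
		# No remote_addr was passed: treated here as a local login.
		return 0 ;;
	"$ALLOWED_PREFIX"*)
		return 0 ;;
	*)
		deny "approve: class not permitted from this address"
		return 1 ;;
	esac
}

# Run as the approval program when invoked with arguments.
if [ "$#" -gt 0 ]; then
	approve "$@"
	exit $?
fi
```

A class would reference the installed script through its approve capability; the install path is site-specific.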