.\"
.\" Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $OpenBSD: login.conf.5,v 1.14 2001/10/05 14:45:54 mpech Exp $
.\" BSDI $From: login.conf.5,v 2.20 2000/06/26 14:50:38 prb Exp $
.\"
.Dd June 18, 2001
.Dt LOGIN.CONF 5
.Os
.Sh NAME
.Nm login.conf
.Nd login class capability database
.Sh SYNOPSIS
.Nm /etc/login.conf
.Sh DESCRIPTION
The
.Nm
file describes the various attributes of login classes.
A login class determines what styles of authentication are available
as well as session resource limits and environment setup.
While designed primarily for the
.Xr login 8
program,
it is also used by other programs, e.g.,
.Xr ftpd 8 ,
to determine what means of authentication are available.
It is also used by programs, e.g.,
.Xr rexecd 8 ,
which need to set up a user environment.
.Pp
A special record,
.Dq default ,
in
.Pa /etc/login.conf
is used for any user without a valid login class in
.Pa /etc/master.passwd .
.Sh CAPABILITIES
Refer to
.Xr getcap 3
for a description of the file layout.
All entries in the
.Nm
file are either boolean or use a
.Ql =
to separate the capability from the value.
The types are described after the capability table.
.Bl -column alwaysuseklogin program xetcxmotd
.Sy Name Ta Type Ta Default Ta Description
.\"
.It alwaysuseklogin Ta bool Ta Dv false Ta
Always check the
.Pa .klogin
file for kerberos style authentication.
Normally this file is only checked if a non-null kerberos instance
is provided (e.g.,
.Li user.root ) .
.\"
.sp
.It approve Ta program Ta "" Ta
Default program to approve login.
.\"
.sp
.It approve- Ns Ar service Ta program Ta "" Ta
Program to approve login for
.Ar service .
.\"
.sp
.It auth Ta list Ta Dv passwd Ta
Allowed authentication styles.
The first value is the default style.
.\"
.sp
.It auth- Ns Ar type Ta list Ta "" Ta
Allowed authentication styles for the authentication type
.Ar type .
.\"
.sp
.It classify Ta program Ta "" Ta
Classify type of login.
.\"
.sp
.It copyright Ta file Ta "" Ta
File containing additional copyright information.
.\"
.sp
.It coredumpsize Ta size Ta "" Ta
Maximum coredump size limit.
.\"
.sp
.It cputime Ta time Ta "" Ta
CPU usage limit.
.\"
.sp
.It datasize Ta size Ta "" Ta
Maximum data size limit.
.\"
.sp
.It expire-warn Ta time Ta Dv 2w Ta
If the user's account will expire within this length of time then
warn the user of this.
.\"
.sp
.It filesize Ta size Ta "" Ta
Maximum file size limit.
.\"
.sp
.It hushlogin Ta bool Ta Dv false Ta
Same as having a
.Pa $HOME/.hushlogin
file.
See
.Xr login 1 .
.\"
.sp
.It ignorenologin Ta bool Ta Dv false Ta
Not affected by
.Pa nologin
files.
See
.Xr login 1 .
.\"
.sp
.It localcipher Ta string Ta old Ta
The cipher to use for local passwords.
Possible values are:
.Dq old ,
.Dq newsalt,<rounds> ,
.Dq md5 ,
and
.Dq blowfish,<rounds> .
For
.Dq newsalt
the value of rounds is a 24-bit integer with a minimum of 7250 rounds.
For
.Dq blowfish
the value can be between 4 and 31.
It specifies the base 2 logarithm of the number of rounds.
.\"
.sp
.It ypcipher Ta string Ta old Ta
The cipher to use for YP passwords.
The possible values are the same as for localcipher.
.\"
.sp
.It login-backoff Ta number Ta 3 Ta
After
.Ar login-backoff
unsuccessful login attempts during a single session,
.Xr login 1
will start sleeping a bit in between attempts.
.\"
.sp
.It login-timeout Ta time Ta 300 Ta
Number of seconds before
.Xr login 1
times out at the password prompt.
Note that this setting is only valid for the
.Li default
record.
.\"
.sp
.It login-tries Ta number Ta 10 Ta
Number of tries a user gets to successfully login before
.Xr login 1
closes the connection.
.\"
.sp
.It stacksize Ta size Ta "" Ta
Maximum stack size limit.
.\"
.sp
.It maxproc Ta number Ta "" Ta
Maximum number of processes.
.\"
.sp
.It memorylocked Ta size Ta "" Ta
Maximum locked in-core memory size limit.
.\"
.sp
.It memoryuse Ta size Ta "" Ta
Maximum in-core memory use size limit.
.\"
.sp
.It minpasswordlen Ta number Ta 6 Ta
The minimum length a local password may be.
If a negative value or zero, no length restrictions are enforced.
Used by the
.Xr passwd 1
utility.
.\"
.sp
.It nologin Ta file Ta "" Ta
If the file exists it will be displayed
and the login session will be terminated.
.\"
.sp
.It openfiles Ta number Ta "" Ta
Maximum number of open files per process.
.\"
.sp
.It password-dead Ta time Ta Dv 0 Ta
Length of time a password may be expired but not quite dead yet.
When set (for both the client and remote server machine when doing
remote authentication), a user is allowed to log in just one more
time after their password (but not account) has expired.
This allows a grace period for updating their password.
.\"
.sp
.It password-warn Ta time Ta Dv 2w Ta
If the user's password will expire within this length of time then
warn the user of this.
.\"
.sp
.It passwordcheck Ta path Ta "" Ta
An external program that checks the quality of the password.
The password is passed to the program on
.Pa stdin .
An exit code of 0 indicates that the quality of the password is
sufficient, an exit code of 1 signals that the password failed the check.
.\"
.sp
.It passwordtime Ta time Ta "" Ta
The lifetime of a password in seconds, reset every time a user
changes their password.
When this value is exceeded the user will no longer be able to
login unless the
.Li password-dead
option has been specified.
Used by the
.Xr passwd 1
utility.
.\"
.sp
.It passwordtries Ta number Ta 3 Ta
The number of times the
.Xr passwd 1
utility enforces a check on the password.
If 0, the new password will only be accepted if it passes the password
quality check.
.\"
.sp
.It path Ta path Ta Dv "value of _PATH_DEFPATH" Ta
.br
Default search path.
See
.Pa /usr/include/paths.h .
.\"
.sp
.It priority Ta number Ta "" Ta
Initial priority (nice) level.
.\"
.sp
.It requirehome Ta bool Ta Dv false Ta
Require home directory to login.
.\"
.sp
.It shell Ta program Ta "" Ta
Session shell to execute rather than the shell specified in the password file.
The
.Ev SHELL
environment variable will contain the shell specified in the password file.
.\"
.sp
.It term Ta string Ta Dv su Ta
Default terminal type if not able to determine from other means.
.\"
.sp
.It umask Ta number Ta Dv 022 Ta
Initial umask.
Should always have a leading
.Li 0
to ensure octal interpretation.
See
.Xr umask 2 .
.\"
.sp
.It welcome Ta file Ta Pa /etc/motd Ta
File containing welcome message.
.El
.Pp
The resource limit entries
.No ( Ns Va cputime , filesize , datasize , stacksize , coredumpsize ,
.Va memoryuse , memorylocked , maxproc ,
and
.Va openfiles )
actually specify both the maximum and current limits (see
.Xr getrlimit 2 ) .
The current limit is the one normally used, although the user is permitted
to increase the current limit to the maximum limit.
The maximum and current limits may be specified individually by appending a
.Va \-max
or
.Va \-cur
to the capability name (e.g.,
.Va openfiles-max
and
.Va openfiles-cur Ns No ).
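Parsing the number, size and time argument types (defined below) and resolving the -cur/-max pair of a resource limit capability, as an added Python example that is not OpenBSD's login_cap(3) code; SAMPLE_CLASS is a constructed class entry and LIMIT_TYPES restates the types from the capability table above:

```python
"""Parse the number, size and time argument types of login.conf(5) and
resolve the -cur/-max pair of a resource limit capability.
Added example, not OpenBSD's login_cap(3); SAMPLE_CLASS is a constructed
class entry and LIMIT_TYPES restates the capability table's types."""
import re

SIZE_SUFFIX = {"b": 512, "k": 1024, "m": 1048576}
TIME_SUFFIX = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400,
               "h": 3600, "m": 60, "s": 1}
LIMIT_TYPES = {"cputime": "time", "maxproc": "number", "openfiles": "number",
               "filesize": "size", "datasize": "size", "stacksize": "size",
               "coredumpsize": "size", "memoryuse": "size", "memorylocked": "size"}

def parse_number(text):
    """number: leading 0x means hexadecimal, leading 0 means octal, else decimal."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text[1:], 8)
    return int(text, 10)

def parse_size(text):
    """size: a number with an optional trailing b (512), k (1024) or m (1048576).
    A hexadecimal number ending in the digit b is ambiguous; the multiplier wins."""
    text = text.strip()
    mult = SIZE_SUFFIX.get(text[-1:], 1)
    return parse_number(text[:-1] if mult != 1 else text) * mult

def parse_time(text):
    """time: numbers with optional y/w/d/h/m/s suffixes, added together
    ("1h30m" -> 5400); a bare number is seconds. Rejects anything unparsed."""
    text = text.strip()
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([ywdhms]?)", text):
        if m.start() != pos:
            break
        total += parse_number(m.group(1)) * TIME_SUFFIX.get(m.group(2), 1)
        pos = m.end()
    if not text or pos != len(text):
        raise ValueError("bad time value: %r" % text)
    return total

PARSERS = {"number": parse_number, "size": parse_size, "time": parse_time}

def resource_limit(caps, name):
    """Return (cur, max) for one resource limit capability, in the units its
    type implies. The bare name sets both limits and name-cur / name-max
    override each individually; unset values are None. A cur above max is
    flagged, since the user may only raise cur up to max."""
    parse = PARSERS[LIMIT_TYPES[name]]
    both = caps.get(name)
    cur = caps.get(name + "-cur", both)
    mx = caps.get(name + "-max", both)
    cur = parse(cur) if cur is not None else None
    mx = parse(mx) if mx is not None else None
    if cur is not None and mx is not None and cur > mx:
        raise ValueError("%s-cur %d exceeds %s-max %d" % (name, cur, name, mx))
    return cur, mx

# Constructed class entry for the demonstration, not a real login.conf.
SAMPLE_CLASS = {
    "cputime": "1h30m",        # both limits: 5400 seconds
    "datasize": "64m",         # both limits: 64 MiB
    "openfiles": "0x40",       # hexadecimal 64 for both, then ...
    "openfiles-max": "0200",   # ... octal 0200 = 128 overrides the maximum
    "maxproc-cur": "64",       # current only; maximum left unset
}
```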
.Pp
\*(oSwill never define capabilities which start with
.Li x-
or
.Li X- ,
these are reserved for external use (unless included through contributed
software).
.Pp
The argument types are defined as:
.Bl -tag -width programxx
.\"
.It file
Path name to a text file.
.\"
.It list
A comma separated list of values.
.\"
.It number
A number.
A leading
.Li 0x
implies the number is expressed in hexadecimal.
A leading
.Li 0
implies the number is expressed in octal.
Any other number is treated as decimal.
.\"
.It path
A space separated list of path names.
If a
.Li ~
is the first character in the path name, the
.Li ~
is expanded to the user's home directory.
.\"
.It program
A path name to a program.
.\"
.It size
A
.Va number
which expresses a size in bytes.
It may have a trailing
.Li b
to multiply the value by 512, a
.Li k
to multiply the value by 1 K (1024), and a
.Li m
to multiply the value by 1 M (1048576).
.\"
.It time
A time in seconds.
A time may be expressed as a series of numbers which are added together.
Each number may have a trailing character to represent time units:
.Bl -tag -width xxx
.\"
.It y
Indicates a number of 365 day years.
.\"
.It w
Indicates a number of 7 day weeks.
.\"
.It d
Indicates a number of 24 hour days.
.\"
.It h
Indicates a number of 60 minute hours.
.\"
.It m
Indicates a number of 60 second minutes.
.\"
.It s
Indicates a number of seconds.
.El
.Pp
For example, to indicate 1 and 1/2 hours, the following string could be used:
.Li 1h30m .
.El
.\"
.Sh AUTHENTICATION
\*(oSuses BSD Authentication, which is made up of a variety of
authentication styles.
The authentication styles currently provided are:
.Bl -tag -width kerberosxx
.\"
.It Li activ
Authenticate using an ActivCard token.
See
.Xr login_activ 8 .
.\"
.It Li auth
Authenticate using the remote authentication protocol.
Normally linked to another authentication type.
See
.Xr login_auth 8 .
.\"
.It Li chpass
Change user's password.
See
.Xr login_chpass 8 .
.\"
.It Li crypto
Authenticate using a CRYPTOCard token.
See
.Xr login_crypto 8 .
.\"
.It Li kerberos
Request a password and use it to request a ticket from the kerberos server.
See
.Xr kerberos 1 .
.\"
.It Li krb-or-pwd
Request a password and first try the
.Li kerberos
authentication style and if that fails use the same password with the
.Li passwd
authentication style.
See
.Xr kerberos 1 .
.\"
.It Li lchpass
Change user's local password.
See
.Xr login_chpass 8 .
.\"
.It Li passwd
Request a password and check it against the password in the master.passwd file.
.\"
.It Li radius
Normally linked to another authentication type, contact the radius server
to do authentication.
See
.Xr login_radius 8 .
.\"
.It Li rchpass
Change user's rpasswd password.
See
.Xr login_rchpass 8 .
.\"
.It Li reject
Request a password and reject any request.
See
.Xr login_reject 8 .
.\"
.It Li rpasswd
Request a password and check it against the password in the rpasswd.db file.
.\"
.It Li skey
Send a challenge and request a response, checking it
with S/Key\(tm authentication.
See
.Xr skey 1 .
.\"
.It Li snk
Authenticate using a SecureNet Key token.
See
.Xr login_snk 8 .
.\"
.It Li token
Authenticate using a generic X9.9 token.
See
.Xr login_token 8 .
.El
.Pp
Local authentication styles may be added by creating the login script
for the style (see below).
To prevent collisions with future official BSD
Authentication style names all local style names should start with a dash (-).
Current plans are for all official BSD Authentication style names to begin
with a lower case alphabetic character.
For example, if you have a new style you refer to as
.Li slick
then you should create an authentication script named
.Pa /usr/libexec/auth/login_-slick
using the style name
.Li -slick .
When logging in via the
.Xr login 8
program, the syntax
.Ar user Ns Li :-slick
would be used.
.Pp
Authentication requires several pieces of information:
.Bl -tag -width kerberosxx
.\"
.It Ar class
The login class being used.
.It Ar service
The type of service requesting authentication.
The service type is used to determine what information the authentication
program can provide to the user and what information the user can provide
to the authentication program.
.Pp
The service type
.Li login
is appropriate for most situations.
Two other service types,
.Li challenge
and
.Li response ,
are provided for use by programs like
.Xr ftpd 8
and
.Xr radiusd 8 .
If no service type is specified,
.Li login
is used.
.It Ar style
The authentication style being used.
.It Ar type
The authentication type,
used to determine the available authentication styles.
.It Ar username
The name of the user to authenticate.
The name may contain an instance, e.g.,
.Dq user.root ,
as used by Kerberos authentication.
If the authentication style being used does not support such instances,
the request will fail.
.El
.Pp
The program requesting authentication must specify a username and an
authentication style.
(For example,
.Xr login 8
requests a username from the user.
Users may enter usernames of the form
.Dq user:style
to optionally specify the authentication style.)
The requesting program may also specify the type of authentication
that will be done.
Most programs will only have a single type, if any at all, e.g.,
.Xr ftpd 8
will always request the
.Li ftp
type authentication, and
.Xr su 1
will always request the
.Li su
type authentication.
The
.Xr login 8
utility is special in that it may select an authentication type based
on information found in the
.Pa /etc/ttys
file for the appropriate tty (see
.Xr ttys 5 ) .
.Pp
The class to be used is normally determined by the
.Li class
field in the password file (see
.Xr passwd 5 ) .
.Pp
The class is used to look up a corresponding entry in the
.Pa login.conf
file.
If an authentication type is defined and a value for
.Li auth- Ns Ar type
exists in that entry,
it will be used as a list of potential authentication styles.
If an authentication type is not defined, or
.Li auth- Ns Ar type
is not specified for the class,
the value of
.Li auth
is used as the list of available authentication styles.
.Pp
If the user did not specify an authentication style the first style
in the list of available styles is used.
If the user did specify an authentication style and the style is in the
list of available styles it will be used, otherwise the request is
rejected.
.Pp
For any given style, the program
.Pa /usr/libexec/auth/login_ Ns Va style
is used to perform the authentication.
The synopsis of this program is:
.sp
.ti +.5i
.Li /usr/libexec/auth/login_ Ns Va style
.Op Fl v Va name=value
.Op Fl s Va service
.Va username class
.sp
The
.Fl v
option is used to specify arbitrary information to the authentication
programs.
Any number of
.Fl v
options may be used.
The
.Xr login 8
program provides the following through the
.Fl v
option:
.Bl -tag -width remote_addrxxx
.It Li auth_type
The type of authentication to use.
.It Li fqdn
The hostname provided to login by the
.Fl h
option.
.It Li hostname
The name
.Xr login 8
will place in the utmp file
for the remote hostname.
.It Li local_addr
The local IP address given to
.Xr login 8
by the
.Fl L
option.
.It Li remote_addr
The remote IP address given to
.Xr login 8
by the
.Fl R
option.
.It Li style
The style of authentication used for this user
(see approval scripts below).
.El
.Pp
The
.Xr su 1
program provides the following through the
.Fl v
option:
.Bl -tag -width remote_addrxxx
.It Li wheel
Set to either
.Dq yes
or
.Dq no
to indicate if the user is in group wheel when they are trying to become root.
Some authentication types require the user to be in group wheel when using
the
.Xr su 1
program to become super user.
.El
.Pp
When the authentication program is executed,
the environment will only contain the values
.Ev PATH=/bin:/usr/bin
and
.Ev SHELL=/bin/sh .
File descriptor 3 will be open for reading and writing.
The authentication program should write one or more of the following
strings to this file descriptor:
.Bl -tag -width authorize
.\"
.It Li authorize
The user has been authorized.
.\"
.It Li authorize secure
The user has been authorized and root should be allowed to
login even if this is not a secure terminal.
This should only be sent by authentication styles that are secure
over insecure lines.
.\"
.It Li reject
Authorization is rejected.
This overrides any indication that the user was authorized (though
one would question the wisdom in sending both a
.Va reject
and an
.Va authorize
command).
.\"
.It Li reject challenge
Authorization was rejected and a challenge has been made available
via the value
.Li challenge .
.\"
.It Li reject silent
Authorization is rejected, but no error messages should be generated.
.\"
.It Li remove Va file
If the login session fails for any reason, remove
.Va file
before termination (a kerberos ticket file, for example).
.\"
.It Li setenv Va name Va value
If the login session succeeds, the environment variable
.Va name
should be set to the specified
.Va value .
.\"
.It Li unsetenv Va name
If the login session succeeds, the environment variable
.Va name
should be removed.
.\"
.It Li value Va name Va value
Set the internal variable
.Va name
to the specified
.Va value .
The
.Va value
should only contain printable characters.
Several \e sequences may be used to introduce non-printing characters.
These are:
.Bl -tag -width indent
.It Li \en
A newline
.It Li \er
A carriage return
.It Li \et
A tab
.It Li \e Ns Va xxx
The character represented by the octal value
.Va xxx .
The value may be one, two, or three octal digits.
.It Li \e Ns Va c
The string is replaced by the value of
.Va c .
This allows quoting an initial space or the \\ character itself.
.El
.Pp
The following values are currently defined:
.Bl -tag -width indent
.It Li challenge
See section on challenges below.
.It Li errormsg
If set, the value is the reason authentication failed.
The calling program may choose to display this when rejecting the user, but
display is not required.
.El
.El
.Pp
In order for authentication to be successful,
the authentication program must exit with a value of 0 as well
as provide an
.Li authorize
or
.Li "authorize root"
statement on file descriptor 3.
.Pp
An authentication program must not assume it will be called as root,
nor must it assume it will not be called as root.
If it needs special permissions to access files it should be setuid or
setgid to the appropriate user/group.
See
.Xr chmod 1 .
.Sh CHALLENGES
When an authentication program is called with a service of
.Li challenge
it should do one of three things:
.Pp
If this style of authentication supports challenge response
it should set the internal variable
.Li challenge
to be the appropriate challenge for the user.
This is done by the
.Li value
command listed above.
The program should also issue a
.Li reject challenge
and then exit with a 0 status.
See the section on responses below.
.Pp
If this style of authentication does not support challenge response,
but does support the
.Li response
service (described below) it should issue
.Li reject silent
and then exit with a 0 status.
.Pp
If this style of authentication does not support the
.Li response
service it should simply fail, complaining about an unknown service type.
It should exit with a non-zero status.
.Sh RESPONSES
When an authentication program is called with a service of
.Li response ,
and this style supports this mode of authentication,
it should read two null terminated strings from file descriptor 3.
The first string is a challenge that was issued to the user
(obtained from the
.Li challenge
service above).
The second string is the response the user gave (i.e., the password).
If the response is correct for the specified challenge, the authentication
should be accepted, else it should be rejected.
It is possible for the challenge to be an empty string, which implies
the calling program did not first obtain a challenge prior to getting a
response from the user.
Not all authentication styles support empty challenges.
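The file descriptor 3 exchange of the AUTHENTICATION, CHALLENGES and RESPONSES sections above, as an added Python example that is not one of OpenBSD's login_* programs; the HMAC challenge/response scheme, the SECRETS table and the nonce/password parameters of authenticate() are constructed for the demonstration:

```python
"""BSD Authentication style program skeleton speaking the file descriptor 3
protocol of login.conf(5) for the login, challenge and response services.
Added example, not one of OpenBSD's login_* programs; the HMAC challenge/
response scheme and the per-user secret table are constructed for it."""
import hashlib, hmac, os, sys

SECRETS = {"alice": b"alice-token-secret"}   # constructed; a real style has a backend

def expected_response(user, challenge):
    """Constructed scheme: response = hex HMAC-SHA256(user secret, challenge)."""
    return hmac.new(SECRETS[user], challenge.encode(), hashlib.sha256).hexdigest()

def encode_value(text):
    """Escape a 'value' argument with the \\n \\r \\t \\ooo \\c sequences so
    only printable characters reach fd 3 (a leading space and \\ are quoted)."""
    out = []
    for i, ch in enumerate(text):
        if ch == "\\" or (ch == " " and i == 0):
            out.append("\\" + ch)
        elif ch in "\n\r\t":
            out.append("\\" + "nrt"["\n\r\t".index(ch)])
        elif ch < " " or ch > "~":
            out.append("\\%03o" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def parse_args(argv):
    """[-v name=value]... [-s service] username class; service defaults to login."""
    info, service, i = {}, "login", 0
    while i + 1 < len(argv) and argv[i] in ("-v", "-s"):
        if argv[i] == "-v":
            name, _, value = argv[i + 1].partition("=")
            info[name] = value
        else:
            service = argv[i + 1]
        i += 2
    if len(argv) - i != 2:
        raise ValueError("usage: login_style [-v name=value] [-s service] user class")
    return info, service, argv[i], argv[i + 1]

def authenticate(argv, fd3_in=b"", nonce=None, password=None):
    """Return (lines to write on fd 3, exit status) for one invocation.
    For the login service a real style would print the challenge and prompt
    for the response; here the caller passes nonce and password instead."""
    _info, service, user, _cls = parse_args(argv)
    nonce = nonce or os.urandom(8).hex()   # issued for unknown users too (no enumeration)
    if service == "challenge":
        # CHALLENGES: publish the challenge via 'value', then 'reject challenge'.
        return ["value challenge " + encode_value(nonce), "reject challenge"], 0
    if service == "response":
        # RESPONSES: two NUL-terminated strings, challenge then response.
        parts = fd3_in.split(b"\0")
        if len(parts) < 3:
            return ["value errormsg malformed response", "reject"], 0
        challenge, password = parts[0].decode(), parts[1].decode()
        if challenge == "":
            return ["value errormsg empty challenge not supported", "reject"], 0
    elif service == "login":
        challenge = nonce
    else:
        sys.stderr.write("unknown service %s\n" % service)   # non-zero exit
        return [], 1
    ok = (user in SECRETS and password is not None and hmac.compare_digest(
        password.encode(), expected_response(user, challenge).encode()))
    return (["authorize"] if ok else ["value errormsg bad response", "reject"]), 0

if __name__ == "__main__":
    _, svc, _, _ = parse_args(sys.argv[1:])
    data = os.read(3, 4096) if svc == "response" else b""
    lines, status = authenticate(sys.argv[1:], fd3_in=data)
    os.write(3, "".join(l + "\n" for l in lines).encode())
    sys.exit(status)
```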
.Sh APPROVAL
An approval program has the synopsis of:
.sp
.ti +.5i
.Va approve
.Op Fl v Ar name=value
.Va username class service
.Pp
Just as with an authentication program, file descriptor 3 will be
open for writing when the approval program is executed.
The
.Fl v
option is the same as in the authentication program.
Unlike an authentication program,
the approval program need not explicitly send an
.Li authorize
or
.Li "authorize root"
statement,
it need only exit with a value of 0 or non-zero.
An exit value of 0 is equivalent to an
.Li authorize
statement, and non-zero to a
.Li reject
statement.
This allows for simple programs which have no information to provide
other than approval or denial.
.Sh CLASSIFICATION
A classify program has the synopsis of:
.sp
.ti +.5i
.Va classify
.Op Fl v Ar name=value
.Op Fl f
.Op user
.Pp
See
.Xr login 8
for a description of the
.Fl f
option.
The
.Fl v
option is the same as for the authentication programs.
The
.Va user
is the username passed to
.Xr login 8 ,
if any.
.Pp
The typical job of the classify program is to determine what authentication
type should actually be used, presumably based on the remote IP address.
It might also re-specify the hostname to be included in the
.Xr utmp 5
file, reject the login attempt outright,
or even print an additional login banner (e.g.,
.Pa /etc/issue ) .
.Pp
The classify entry is only valid for the
.Li default
class as it is used prior to knowing who the user is.
The classify script may pass environment variables or other commands
back to
.Xr login 8
on file descriptor 3, just as an authentication program does.
The two variables
.Ev AUTH_TYPE
and
.Ev REMOTE_NAME
are used to specify a new authentication type (the type must have the
form
.Li auth- Ns Ar type )
and override the
.Fl h
option to login, respectively.
.Sh SEE ALSO
.Xr login 1 ,
.Xr authenticate 3 ,
.Xr bsd_auth 3 ,
.Xr getcap 3 ,
.Xr login_cap 3 ,
.Xr passwd 3 ,
.Xr ttys 5 ,
.Xr ftpd 8