Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
LOGIN.CONF(5)		  FreeBSD File Formats Manual		 LOGIN.CONF(5)

     login.conf	-- login class capability database

     The login.conf file describes the various attributes of login classes.  A
     login class determines what styles	of authentication are available	as
     well as session resource limits and environment setup.  While designed
     primarily for the login(1)	program, it is also used by other programs,
     such as ftpd(8), to determine what	means of authentication	are available.
     It	is also	used by	programs which need to set up a	user environment.

     A special record, "default", in /etc/login.conf is	used for any user
     without a valid login class in /etc/master.passwd.

     Sites with	very large /etc/login.conf files may wish to create a database
     version of	the file, /etc/login.conf.db, for improved performance.	 Using
     a database	version	for small files	does not result	in a performance im-
     provement.	 To build /etc/login.conf.db from /etc/login.conf the follow-
     ing command may be	used:

	   # cap_mkdb /etc/login.conf

     Note that cap_mkdb(1) must	be run after each edit of /etc/login.conf to
     keep the database version in sync with the	plain file.

     Refer to cgetent(3) for a description of the file layout.	All entries in
     the login.conf file are either boolean or use a `=' to separate the capa-
     bility from the value.  The types are described after the capability ta-

     Name		Type	   Default	 Description
     approve		program			 Default program to approve

     approve-service	program			 Program to approve login for

     auth		list	   passwd	 Allowed authentication
								styles.	 The
								first value is
								the default

     auth-type		list			 Allowed authentication	styles
								for the	au-
								type type.

     classify		program			 Classify type of login.

     copyright		file			 File containing additional
								copyright in-

     coredumpsize	size			 Maximum coredump size limit.

     cputime		time			 CPU usage limit.

     datasize		size			 Maximum data size limit.

     expire-warn	time	   2w		 If the	user's account will
								expire within
								this length of
								time then warn
								the user of

     filesize		size			 Maximum file size limit.

     hushlogin		bool	   false	 Same as having	a
								file.  See

     ignorenologin	bool	   false	 Not affected by nologin
								files.	See

     localcipher	string	   blowfish,a	 The cipher to use for en-
								crypting pass-
								words.	Refer
								for possible

     login-backoff	number	   3		 After login-backoff unsuc-
								cessful	login
								attempts dur-
								ing a single
								login(1) will
								start sleeping
								a bit in be-
								tween at-

     login-timeout	time	   300		 Number	of seconds before
								login(1) times
								out at the
								prompt.	 Note
								that this set-
								ting is	only
								valid for the

     login-tries	number	   10		 Number	of tries a user	gets
								to success-
								fully login
								closes the

     stacksize		size			 Maximum stack size limit.

     maxproc		number			 Maximum number	of processes.

     memorylocked	size			 Maximum locked	in core	memory
								size limit.

     memoryuse		size			 Maximum in core memoryuse
								size limit.

     minpasswordlen	number	   6		 The minimum length a local
								password may
								be.  If	a neg-
								ative value or
								zero, no
								length re-
								strictions are
								Used by	the

     nologin		file			 If the	file exists it will be
								displayed and
								the login ses-
								sion will be

     openfiles		number			 Maximum number	of open	file
								per process.

     password-dead	time	   0		 Length	of time	a password may
								be expired but
								not quite dead
								yet.  When set
								(for both the
								client and re-
								mote server
								machine	when
								doing remote
								tion), a user
								is allowed to
								log in just
								one more time
								after their
								password (but
								not account)
								has expired.
								This allows a
								grace period
								for updating
								their pass-

     password-warn	time	   2w		 If the	user's password	will
								expire within
								this length of
								time then warn
								the user of

     passwordcheck	program			 An external program that
								checks the
								quality	of the
								password.  The
								password is
								passed to the
								program	on
								stdin.	An
								exit code of 0
								indicates that
								the quality of
								the password
								is sufficient,
								an exit	code
								of 1 signals
								that the pass-
								word failed
								the check.

     passwordtime	time			 The lifetime of a password in
								seconds, reset
								every time a
								user changes
								their pass-
								word.  When
								this value is
								exceeded the
								user will no
								longer be able
								to login un-
								less the
								option has
								been speci-
								fied.  Used by
								the passwd(1)

     passwordtries	number	   3		 The number of times the
								utility	en-
								forces a check
								on the pass-
								word.  If 0,
								the new	pass-
								word will only
								be accepted if
								it passes the
								password qual-
								ity check.

     path		path	   value of _PATH_DEFPATH
								Default	search
								path.  See

     priority		number			 Initial priority (nice)

     requirehome	bool	   false	 Require home directory	to lo-

     setenv		envlist			 A list	of environment vari-
								ables and as-
								sociated val-
								ues to be set
								for the	class.

     shell		program			 Session shell to execute
								rather than
								the shell
								specified in
								the password
								file.  The
								SHELL environ-
								ment variable
								will contain
								the shell
								specified in
								the password

     tc			string			 Interpolate/expands records
								from corre-

     term		string	   su		 Default terminal type if not
								able to	deter-
								mine from
								other means.

     umask		number	   022		 Initial umask.	 Should	always
								have a leading
								0 to ensure
								octal inter-
								See umask(2).

     vmemoryuse		size			 Maximum virtual memoryuse
								size limit.

     welcome		file	   /etc/motd	 File containing welcome mes-

     The resource limit	entries	(cputime, filesize, datasize, stacksize,
     coredumpsize, memoryuse, memorylocked, maxproc, and openfiles) actually
     specify both the maximum and current limits (see getrlimit(2)).  The cur-
     rent limit	is the one normally used, although the user is permitted to
     increase the current limit	to the maximum limit.  The maximum and current
     limits may	be specified individually by appending a -max or -cur to the
     capability	name (e.g., openfiles-max and openfiles-cur).

     OpenBSD will never	define capabilities which start	with x-	or X-, these
     are reserved for external use (unless included through contributed	soft-

     The argument types	are defined as:

     envlist	A comma-separated list of environment variables	of the form
		variable=value.	 If no value is	specified, the `=' is op-
		tional.	 A ~ in	the path name is expanded to the user's	home
		directory if it	is at the end of a string or is	followed by a
		slash (`/') or the user's login	name.  A $ in the path name is
		expanded to the	user's login name.

     file	Path name to a text file.

     list	A comma-separated list of values.

     number	A number.  A leading 0x	implies	the number is expressed	in
		hexadecimal.  A	leading	0 implies the number is	expressed in
		octal.	Any other number is treated as decimal.

     path	A space-separated list of path names.  Login name and direc-
		tory are substituted as	for envlist.  Additionally, a ~	is
		only expanded at the beginning of a path name.

     program	A path name to program.

     size	A number which expresses a size.  By default, the size is
		specified in bytes.  It	may have a trailing b, k, m, g or t to
		indicate that the value	is in 512-byte blocks, kilobytes,
		megabytes, gigabytes, or terabytes, respectively.

     time	A time in seconds.  A time may be expressed as a series	of
		numbers	which are added	together.  Each	number may have	a
		trailing character to represent	time units:

		y    Indicates a number	of 365 day years.

		w    Indicates a number	of 7 day weeks.

		d    Indicates a number	of 24 hour days.

		h    Indicates a number	of 60 minute hours.

		m    Indicates a number	of 60 second minutes.

		s    Indicates a number	of seconds.

		For example, to	indicate 1 and 1/2 hours, the following	string
		could be used: 1h30m.

     OpenBSD uses BSD Authentication, which is made up of a variety of authen-
     tication styles.  The authentication styles currently provided are:

     activ	Authenticate using an ActivCard	token.	See login_activ(8).

     chpass	Change user's password.	 See login_chpass(8).

     crypto	Authenticate using a CRYPTOCard	token.	See login_crypto(8).

     lchpass	Change user's local password.  See login_lchpass(8).

     passwd	Request	a password and check it	against	the password in	the
		master.passwd file.  See login_passwd(8).

     radius	Normally linked	to another authentication type,	contact	the
		radius server to do authentication.  See login_radius(8).

     reject	Request	a password and reject any request.  See

     skey	Send a challenge and request a response, checking it with
		S/Key (tm) authentication.  See	login_skey(8).

     snk	Authenticate using a SecureNet Key token.  See login_snk(8).

     token	Authenticate using a generic X9.9 token.  See login_token(8).

     yubikey	Authenticate using a Yubico YubiKey token.  See

     Local authentication styles may be	added by creating a login script for
     the style (see below).  To	prevent	collisions with	future official	BSD
     Authentication style names, all local style names should start with a
     dash (-).	Current	plans are for all official BSD Authentication style
     names to begin with a lower case alphabetic character.  For example, if
     you have a	new style you refer to as slick	then you should	create an au-
     thentication script named /usr/libexec/auth/login_-slick using the	style
     name -slick.  When	logging	in via the login(1) program, the syntax
     user:-slick would be used.

     Authentication requires several pieces of information:

     class	 The login class being used.

     service	 The type of service requesting	authentication.	 The service
		 type is used to determine what	information the	authentication
		 program can provide to	the user and what information the user
		 can provide to	the authentication program.

		 The service type login	is appropriate for most	situations.
		 Two other service types, challenge and	response, are provided
		 for use by programs like ftpd(8) and radiusd(8).  If no ser-
		 vice type is specified, login is used.

     style	 The authentication style being	used.

     type	 The authentication type, used to determine the	available au-
		 thentication styles.

     username	 The name of the user to authenticate.	The name may contain
		 an instance.  If the authentication style being used does not
		 support such instances, the request will fail.

     The program requesting authentication must	specify	a username and an au-
     thentication style.  (For example,	login(1) requests a username from the
     user.  Users may enter usernames of the form "user:style" to optionally
     specify the authentication	style.)	 The requesting	program	may also spec-
     ify the type of authentication that will be done.	Most programs will
     only have a single	type, if any at	all, i.e., ftpd(8) will	always request
     the ftp type authentication, and su(1) will always	request	the su type
     authentication.  The login(1) utility is special in that it may select an
     authentication type based on information found in the /etc/ttys file for
     the appropriate tty (see ttys(5)).

     The class to be used is normally determined by the	class field in the
     password file (see	passwd(5)).

     The class is used to look up a corresponding entry	in the login.conf
     file.  If an authentication type is defined and a value for auth-type ex-
     ists in that entry, it will be used as a list of potential	authentication
     styles.  If an authentication type	is not defined,	or auth-type is	not
     specified for the class, the value	of auth	is used	as the list of avail-
     able authentication styles.

     If	the user did not specify an authentication style the first style in
     the list of available styles is used.  If the user	did specify an authen-
     tication style and	the style is in	the list of available styles it	will
     be	used, otherwise	the request is rejected.

     For any given style, the program /usr/libexec/auth/login_style is used to
     perform the authentication.  The synopsis of this program is:

     /usr/libexec/auth/login_style [-v name=value] [-s service]	username class

     The -v option is used to specify arbitrary	information to the authentica-
     tion programs.  Any number	of -v options may be used.  The	login(1) pro-
     gram provides the following through the -v	option:

     auth_type	     The type of authentication	to use.

     fqdn	     The hostname provided to login by the -h option.

     hostname	     The name login(1) will place in the utmp file for the re-
		     mote hostname.

     local_addr	     The local IP address given	to login(1) by the -L option.

     lastchance	     Set to "yes" when a user's	password has expired but the
		     user is being given one last chance to login and update
		     the password.

     login	     This is a new login session (as opposed to	a simple iden-
		     tity check).

     remote_addr     The remote	IP address given to login(1) by	the -R option.

     style	     The style of authentication used for this user (see ap-
		     proval scripts below).

     The su(1) program provides	the following through the -v option:

     wheel	     Set to either "yes" or "no" to indicate if	the user is in
		     group wheel when they are trying to become	root.  Some
		     authentication types require the user to be in group
		     wheel when	using the su(1)	program	to become super	user.

     When the authentication program is	executed, the environment will only
     contain the values	PATH=/bin:/usr/bin and SHELL=/bin/sh.  File descriptor
     3 will be open for	reading	and writing.  The authentication program
     should write one or more of the following strings to this file descrip-

     authorize	The user has been authorized.

     authorize secure
		The user has been authorized and root should be	allowed	to lo-
		gin even if this is not	a secure terminal.  This should	only
		be sent	by authentication styles that are secure over insecure

     reject	Authorization is rejected.  This overrides any indication that
		the user was authorized	(though	one would question the wisdom
		in sending both	a reject and an	authorize command).

     reject challenge
		Authorization was rejected and a challenge has been made
		available via the value	challenge.

     reject silent
		Authorization is rejected, but no error	messages should	be

     remove file
		If the login session fails for any reason, remove file before

     setenv name value
		If the login session succeeds, the environment variable	name
		should be set to the specified value.

     unsetenv name
		If the login session succeeds, the environment variable	name
		should be removed.

     value name	value
		Set the	internal variable name to the specified	value.	The
		value should only contain printable characters.	 Several \ se-
		quences	may be used to introduce non printing characters.
		These are:

		\n	A newline.

		\r	A carriage return.

		\t	A tab.

		\xxx	The character represented by the octal value xxx.  The
			value may be one, two, or three	octal digits.

		\c	The string is replaced by the value of c.  This	allows
			quoting	an initial space or the	\ character itself.

		The following values are currently defined:

			See section on challenges below.

			If set,	the value is the reason	authentication failed.
			The calling program may	choose to display this when
			rejecting the user, but	display	is not required.

     In	order for authentication to be successful, the authentication program
     must exit with a value of 0 as well as provide an authorize or authorize
     root statement on file descriptor 3.

     An	authentication program must not	assume it will be called as root, nor
     must it assume it will not	be called as root.  If it needs	special	per-
     missions to access	files it should	be setuid or setgid to the appropriate
     user/group.  See chmod(1).

     When an authentication program is called with a service of	challenge it
     should do one of three things:

     If	this style of authentication supports challenge	response it should set
     the internal variable challenge to	be the appropriate challenge for the
     user.  This is done by the	value command listed above.  The program
     should also issue a reject	challenge and then exit	with a 0 status.  See
     the section on responses below.

     If	this style of authentication does not support challenge	response, but
     does support the response service (described below) it should issue
     reject silent and then exit with a	0 status.

     If	this style of authentication does not support the response service it
     should simply fail, complaining about an unknown service type.  It	should
     exit with a non-zero status.

     When an authentication program is called with a service of	response, and
     this style	supports this mode of authentication, it should	read two null
     terminated	strings	from file descriptor 3.	 The first string is a chal-
     lenge that	was issued to the user (obtained from the challenge service
     above).  The second string	is the response	the user gave (i.e., the pass-
     word).  If	the response is	correct	for the	specified challenge, the au-
     thentication should be accepted, else it should be	rejected.  It is pos-
     sible for the challenge to	be an empty string, which implies the calling
     program did first obtain a	challenge prior	to getting a response from the
     user.  Not	all authentication styles support empty	challenges.

     An	approval program has the synopsis of:

	   approve [-v name=value] username class service

     Just as with an authentication program, file descriptor 3 will be open
     for writing when the approval program is executed.	 The -v	option is the
     same as in	the authentication program.  Unlike an authentication program,
     the approval program need not explicitly send an authorize	or authorize
     root statement, it	only need exit with a value of 0 or non-zero.  An exit
     value of 0	is equivalent to an authorize statement, and non-zero to a
     reject statement.	This allows for	simple programs	which have no informa-
     tion to provide other than	approval or denial.

     A classify	program	has the	synopsis of:

	   classify [-v	name=value] [-f] [user]

     See login(1) for a	description of the -f, option.	The -v option is the
     same as for the authentication programs.  The user	is the username	passed
     to	login(1) login,	if any.

     The typical job of	the classify program is	to determine what authentica-
     tion type should actually be used,	presumably based on the	remote IP ad-
     dress.  It	might also re-specify the hostname to be included in the
     utmp(5) file, reject the login attempt outright, or even print an addi-
     tional login banner (e.g.,	/etc/issue).

     The classify entry	is only	valid for the default class as it is used
     prior to knowing who the user is.	The classify script may	pass environ-
     ment variables or other commands back to login(1) on file descriptor 3,
     just as an	authentication program does.  The two variables	AUTH_TYPE and
     REMOTE_NAME are used to specify a new authentication type (the type must
     have the form auth-type) and override the -h option to login, respec-

     /etc/login.conf  Login class capability database.

     cap_mkdb(1), login(1), auth_subr(3), authenticate(3), cgetent(3),
     login_cap(3), passwd(5), ttys(5), ftpd(8)

FreeBSD	13.0		       September 2, 2019		  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help