- Document the fact that we now use pam_passwdqc(8) to check
password quality, not login.conf(5). - Move warnexpire and warnpasswd from the ``Accounting Limits'' section to ``Authentication'', and nix everything else in the former section. The accounting knobs are not available in the base system, and the subset of them available in ports should be documented in the ports' manpages. PR: 47960 Reviewed by: mike (mentor), doc
This commit is contained in:
David Schultz
parent
797f247b51
commit
9f7b7e45d1
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=111791
@ -39,6 +39,8 @@ It is used by various programs in the system to set up a user's login
|
||||
environment and to enforce policy, accounting and administrative restrictions.
|
||||
It also provides the means by which users are able to be
|
||||
authenticated to the system and the types of authentication available.
|
||||
Attributes in addition to the ones described here are available with
|
||||
third-party packages.
|
||||
.Pp
|
||||
A special record "default" in the system user class capability database
|
||||
.Pa /etc/login.conf
|
||||
@ -205,7 +207,7 @@ ensure octal interpretation.
|
||||
.It "welcome file /etc/motd File containing welcome message.
|
||||
.El
|
||||
.Sh AUTHENTICATION
|
||||
.Bl -column minpasswordlen indent indent
|
||||
.Bl -column passwd_prompt indent indent
|
||||
.It Sy "Name Type Notes Description
|
||||
.\" .It "approve program Program to approve login.
|
||||
.It "copyright file File containing additional copyright information
|
||||
@ -215,11 +217,6 @@ the class may access.
|
||||
in the class may not access.
|
||||
.It "login_prompt string The login prompt given by
|
||||
.Xr login 1
|
||||
.It "minpasswordlen number 6 The minimum length a local password
|
||||
may be.
|
||||
.It "mixpasswordcase bool true Whether
|
||||
.Xr passwd 1
|
||||
will warn the user if an all lower case password is entered.
|
||||
.It "passwd_format string md5 The encryption format that new or
|
||||
changed passwords will use.
|
||||
Valid values include "des", "md5" and "blf".
|
||||
@ -236,6 +233,8 @@ disallowed.
|
||||
in the class may use for access.
|
||||
.It "ttys.deny list List of ttys and ttygroups which users
|
||||
in the class may not use for access.
|
||||
.It "warnexpire time Advance notice for pending account expiry.
|
||||
.It "warnpassword time Advance notice for pending password expiry.
|
||||
.\".It "widepasswords bool false Use the wide password format. The wide password
|
||||
.\" format allows up to 128 significant characters in the password.
|
||||
.El
|
||||
@ -324,60 +323,17 @@ is specified, then the user is prevented from using the specified devices or
|
||||
devices in the group.
|
||||
If both lists are given and are non-empty, the user is restricted to those
|
||||
devices allowed by ttys.allow that are not available by ttys.deny.
|
||||
.Sh ACCOUNTING LIMITS
|
||||
.Bl -column host.accounted indent indent
|
||||
.It Sy "Name Type Notes Description
|
||||
.It "accounted bool false Enable session time accounting for all users
|
||||
in this class.
|
||||
.It "autodelete time Time after expiry when account is auto-deleted.
|
||||
.It "bootfull bool false Enable 'boot only if ttygroup is full' strategy
|
||||
when terminating sessions.
|
||||
.It "daytime time Maximum login time per day.
|
||||
.It "expireperiod time Time for expiry allocation.
|
||||
.It "graceexpire time Grace days for expired account.
|
||||
.It "gracetime time Additional grace login time allowed.
|
||||
.It "host.accounted list List of remote host wildcards from which
|
||||
login sessions will be accounted.
|
||||
.It "host.exempt list List of remote host wildcards from which
|
||||
login session accounting is exempted.
|
||||
.It "idletime time Maximum idle time before logout.
|
||||
.It "monthtime time Maximum login time per month.
|
||||
.It "passwordtime time Used by
|
||||
.Xr passwd 1
|
||||
to set next password expiry date.
|
||||
.It "refreshtime time New time allowed on account refresh.
|
||||
.It "refreshperiod str How often account time is refreshed.
|
||||
.It "sessiontime time Maximum login time per session.
|
||||
.It "sessionlimit number Maximum number of concurrent
|
||||
login sessions on ttys in any group.
|
||||
.It "ttys.accounted list List of ttys and ttygroups for which
|
||||
login accounting is active.
|
||||
.It "ttys.exempt list List of ttys and ttygroups for which login accounting
|
||||
is exempt.
|
||||
.It "warnexpire time Advance notice for pending account expiry.
|
||||
.It "warnpassword time Advance notice for pending password expiry.
|
||||
.It "warntime time Advance notice for pending out-of-time.
|
||||
.It "weektime time Maximum login time per week.
|
||||
.El
|
||||
.Pp
|
||||
These fields are used by the time accounting system, which regulates,
|
||||
controls and records user login access.
|
||||
.Pp
|
||||
The
|
||||
.Em ttys.accounted
|
||||
.Em minpasswordlen
|
||||
and
|
||||
.Em ttys.exempt
|
||||
fields operate in a similar manner to
|
||||
.Em ttys.allow
|
||||
and
|
||||
.Em ttys.deny
|
||||
as explained
|
||||
above.
|
||||
Similarly with the
|
||||
.Em host.accounted
|
||||
and
|
||||
.Em host.exempt
|
||||
lists.
|
||||
.Em minpasswordcase
|
||||
facilities for enforcing restrictions on password quality, which used
|
||||
to be supported by
|
||||
.Nm ,
|
||||
have been superseded by the
|
||||
.Xr pam_passwdqc 8
|
||||
PAM module.
|
||||
.Sh SEE ALSO
|
||||
.Xr cap_mkdb 1 ,
|
||||
.Xr login 1 ,
|
||||
@ -385,5 +341,7 @@ lists.
|
||||
.Xr getttyent 3 ,
|
||||
.Xr login_cap 3 ,
|
||||
.Xr login_class 3 ,
|
||||
.Xr pam 3 ,
|
||||
.Xr passwd 5 ,
|
||||
.Xr ttys 5
|
||||
.Xr ttys 5 ,
|
||||
.Xr pam_passwdqc 8
|
||||
|
||||
Loading…
Reference in New Issue
Block a user