477b858b57
- encryption_method_nis.patch: drop, DES should really not be used anymore anywhere, even with NIS - shadow-login_defs-suse.patch: remove encryption NIS entry OBS-URL: https://build.opensuse.org/request/show/724580 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=76
155 lines
4.7 KiB
Diff
155 lines
4.7 KiB
Diff
Set login.defs defaults for SUSE Linux.
|
|
|
|
Index: etc/login.defs
|
|
===================================================================
|
|
--- etc/login.defs.orig
|
|
+++ etc/login.defs
|
|
@@ -3,6 +3,9 @@
|
|
# Some variables are used by login(1), su(1) and runuser(1) from util-linux
|
|
# package as well pam pam_unix(8) from pam package.
|
|
#
|
|
+# For more, see login.defs(5). Please note that SUSE supports only variables
|
|
+# listed here! Not listed variables from login.defs(5) have no effect.
|
|
+#
|
|
|
|
#
|
|
# Delay in seconds before being allowed another attempt after a login failure
|
|
@@ -47,8 +50,7 @@ CONSOLE /etc/securetty
|
|
# If defined, ":" delimited list of "message of the day" files to
|
|
# be displayed upon login.
|
|
#
|
|
-MOTD_FILE /etc/motd
|
|
-#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
|
|
+#MOTD_FILE /etc/motd:/usr/share/misc/motd
|
|
|
|
#
|
|
# If defined, file which maps tty line to TERM environment parameter.
|
|
@@ -62,8 +64,8 @@ MOTD_FILE /etc/motd
|
|
# user's name or shell are found in the file. If not a full pathname, then
|
|
# hushed mode will be enabled if the file exists in the user's home directory.
|
|
#
|
|
-HUSHLOGIN_FILE .hushlogin
|
|
-#HUSHLOGIN_FILE /etc/hushlogins
|
|
+#HUSHLOGIN_FILE .hushlogin
|
|
+HUSHLOGIN_FILE /etc/hushlogins
|
|
|
|
# If this variable is set to "yes", hostname will be suppressed in the
|
|
# login: prompt.
|
|
@@ -82,9 +84,9 @@ HUSHLOGIN_FILE .hushlogin
|
|
# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
|
|
# (and falback for login).
|
|
#
|
|
-ENV_PATH /bin:/usr/bin
|
|
-ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
|
|
-#ENV_SUPATH /sbin:/bin:/usr/sbin:/usr/bin
|
|
+ENV_PATH /usr/local/bin:/bin:/usr/bin
|
|
+ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
+#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
# If this variable is set to "yes" (default is "no"), su will always set
|
|
# path. every su call will overwrite the PATH variable.
|
|
@@ -94,7 +96,7 @@ ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/b
|
|
# The recommended value is "yes". The default "no" behavior could have
|
|
# a security implication in applications that use commands without path.
|
|
#
|
|
-ALWAYS_SET_PATH no
|
|
+ALWAYS_SET_PATH yes
|
|
|
|
#
|
|
# Terminal permissions
|
|
@@ -108,7 +110,7 @@ ALWAYS_SET_PATH no
|
|
# set TTYPERM to either 622 or 600.
|
|
#
|
|
TTYGROUP tty
|
|
-TTYPERM 0600
|
|
+TTYPERM 0620
|
|
|
|
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
|
# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
|
@@ -141,8 +143,8 @@ PASS_WARN_AGE 7
|
|
UID_MIN 1000
|
|
UID_MAX 60000
|
|
# System accounts
|
|
-SYS_UID_MIN 101
|
|
-SYS_UID_MAX 999
|
|
+SYS_UID_MIN 100
|
|
+SYS_UID_MAX 499
|
|
# Extra per user uids
|
|
SUB_UID_MIN 100000
|
|
SUB_UID_MAX 600100000
|
|
@@ -159,8 +161,8 @@ SUB_UID_COUNT 65536
|
|
GID_MIN 1000
|
|
GID_MAX 60000
|
|
# System accounts
|
|
-SYS_GID_MIN 101
|
|
-SYS_GID_MAX 999
|
|
+SYS_GID_MIN 100
|
|
+SYS_GID_MAX 499
|
|
# Extra per user group ids
|
|
SUB_GID_MIN 100000
|
|
SUB_GID_MAX 600100000
|
|
@@ -169,7 +171,7 @@ SUB_GID_COUNT 65536
|
|
#
|
|
# Max number of login(1) retries if password is bad
|
|
#
|
|
-LOGIN_RETRIES 5
|
|
+LOGIN_RETRIES 3
|
|
|
|
#
|
|
# Max time in seconds for login(1)
|
|
@@ -185,18 +187,9 @@ LOGIN_TIMEOUT 60
|
|
CHFN_RESTRICT rwh
|
|
|
|
#
|
|
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
|
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
|
-# It supports passwords of unlimited length and longer salt strings.
|
|
-# Set to "no" if you need to copy encrypted passwords to other systems
|
|
-# which don't understand the new algorithm. Default is "no".
|
|
-#
|
|
-# Note: If you use PAM, it is recommended to use a value consistent with
|
|
-# the PAM modules configuration.
|
|
-#
|
|
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
|
+# This variable is deprecated. Use ENCRYPT_METHOD instead!
|
|
#
|
|
-#MD5_CRYPT_ENAB no
|
|
+#MD5_CRYPT_ENAB DO_NOT_USE
|
|
|
|
#
|
|
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
|
@@ -210,7 +203,7 @@ CHFN_RESTRICT rwh
|
|
# Note: If you use PAM, it is recommended to use a value consistent with
|
|
# the PAM modules configuration.
|
|
#
|
|
-#ENCRYPT_METHOD DES
|
|
+ENCRYPT_METHOD SHA512
|
|
|
|
#
|
|
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
|
@@ -268,7 +261,7 @@ USERDEL_POSTCMD /usr/sbin/userde
|
|
#
|
|
# This also enables userdel(8) to remove user groups if no members exist.
|
|
#
|
|
-USERGROUPS_ENAB yes
|
|
+USERGROUPS_ENAB no
|
|
|
|
#
|
|
# If set to a non-zero number, the shadow utilities will make sure that
|
|
@@ -291,13 +284,13 @@ USERGROUPS_ENAB yes
|
|
# This option is overridden with the -M or -m flags on the useradd(8)
|
|
# command-line.
|
|
#
|
|
-#CREATE_HOME yes
|
|
+CREATE_HOME no
|
|
|
|
#
|
|
# Force use shadow, even if shadow passwd & shadow group files are
|
|
# missing.
|
|
#
|
|
-#FORCE_SHADOW yes
|
|
+FORCE_SHADOW no
|
|
|
|
#
|
|
# User/group names must match the following regex expression.
|