Remove variables that are present in login.defs, but shadow with the current configuration (e. g. with PAM) does not use them. shadow-login_defs-unused-check.sh makes possible to verify that it is still up to date. Index: etc/login.defs =================================================================== --- etc/login.defs.orig +++ etc/login.defs @@ -12,11 +12,6 @@ FAIL_DELAY 3 # -# Enable logging and display of /var/log/faillog login(1) failure info. -# -FAILLOG_ENAB yes - -# # Enable display of unknown usernames when login(1) failures are recorded. # LOG_UNKFAIL_ENAB no @@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB no LOG_OK_LOGINS no # -# Enable logging and display of /var/log/lastlog login(1) time info. -# -LASTLOG_ENAB yes - -# # Limit the highest user ID number for which the lastlog entries should # be updated. # @@ -41,29 +31,6 @@ LASTLOG_ENAB yes #LASTLOG_UID_MAX # -# Enable checking and display of mailbox status upon login. -# -# Disable if the shell startup files already check for mail -# ("mailx -e" or equivalent). -# -MAIL_CHECK_ENAB yes - -# -# Enable additional checks upon password changes. -# -OBSCURE_CHECKS_ENAB yes - -# -# Enable checking of time restrictions specified in /etc/porttime. -# -PORTTIME_CHECKS_ENAB yes - -# -# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. -# -QUOTAS_ENAB yes - -# # Enable "syslog" logging of su(1) activity - in addition to sulog file logging. # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). # @@ -91,46 +58,12 @@ MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # -# If defined, this file will be output before each login(1) prompt. -# -#ISSUE_FILE /etc/issue - -# # If defined, file which maps tty line to TERM environment parameter. # Each line of the file is in a format similar to "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # -# If defined, login(1) failures will be logged here in a utmp format. -# last(1), when invoked as lastb(1), will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, name of file whose presence will inhibit non-root -# logins. The content of this file should be a message indicating -# why logins are inhibited. -# -NOLOGINS_FILE /etc/nologin - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then ps(1) will display the -# command as "-su". If not defined, then ps(1) will display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# *REQUIRED* -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define both, MAIL_DIR takes precedence. -# -MAIL_DIR /var/spool/mail -#MAIL_FILE .mail - -# # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then @@ -140,21 +73,6 @@ HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # -# If defined, either a TZ environment parameter spec or the -# fully-rooted pathname of a file containing such a spec. -# -#ENV_TZ TZ=CST6CDT -#ENV_TZ /etc/tzname - -# -# If defined, an HZ environment parameter spec. -# -# for Linux/x86 -ENV_HZ HZ=100 -# For Linux/Alpha... -#ENV_HZ HZ=1024 - -# # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) @@ -180,17 +98,13 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. -# The ULIMIT is used only if the system supports it. -# (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR 025 -#ULIMIT 2097152 # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. @@ -206,28 +120,13 @@ UMASK 022 # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 -PASS_MIN_LEN 5 PASS_WARN_AGE 7 # -# If "yes", the user must be listed as a member of the first gid 0 group -# in /etc/group (called "root" on most Linux systems) to be able to "su" -# to uid 0 accounts. If the group doesn't exist or is empty, no one -# will be able to "su" to uid 0. -# -SU_WHEEL_ONLY no - -# -# If compiled with cracklib support, sets the path to the dictionaries -# -CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict - -# # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 @@ -264,28 +163,6 @@ LOGIN_RETRIES 5 LOGIN_TIMEOUT 60 # -# Maximum number of attempts to change password if rejected (too easy) -# -PASS_CHANGE_TRIES 5 - -# -# Warn about weak passwords (but still allow them) if you are root. -# -PASS_ALWAYS_WARN yes - -# -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". -# -#PASS_MAX_LEN 8 - -# -# Require password before chfn(1)/chsh(1) can make any changes. -# -CHFN_AUTH yes - -# # Which fields may be changed by regular users using chfn(1) - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. @@ -294,13 +171,6 @@ CHFN_AUTH yes CHFN_RESTRICT rwh # -# Password prompt (%s will be replaced by user name). -# -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " - -# # Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. @@ -361,29 +231,12 @@ CHFN_RESTRICT rwh #BCRYPT_MAX_ROUNDS 13 # -# List of groups to add to the user's supplementary group set -# when logging in from the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in from the console. -# How to do it is left as an exercise for the reader... -# -#CONSOLE_GROUPS floppy:audio:cdrom - -# # Should login be allowed if we can't cd to the home directory? # Default is no. # DEFAULT_HOME yes # -# If this file exists and is readable, login environment will be -# read from it. Every line should be in the form name=value. -# -ENVIRON_FILE /etc/environment - -# # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument).