login.defs: remove CONSOLE_GROUPS, ignored with PAM

This commit is contained in:
Chris Hofstaedtler
2024-07-07 14:24:12 +02:00
parent 5f784b3ef3
commit d0c5da8cf1
+86 -98
View File
@@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian
Remove settings only applicable to shadow's su, which we do not use.
Remove settings only applicable without PAM support enabled.
---
etc/login.defs | 420 ++++++++++++++-------------------------------------------
1 file changed, 99 insertions(+), 321 deletions(-)
etc/login.defs | 413 +++++++++++++--------------------------------------------
1 file changed, 89 insertions(+), 324 deletions(-)
diff --git a/etc/login.defs b/etc/login.defs
index 33622c2..9711ad1 100644
index 33622c2..b27f72c 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -1,24 +1,38 @@
@@ -233,7 +233,7 @@ index 33622c2..9711ad1 100644
TTYGROUP tty
TTYPERM 0600
@@ -180,113 +88,68 @@ TTYPERM 0600
@@ -180,143 +88,116 @@ TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
@@ -334,43 +334,65 @@ index 33622c2..9711ad1 100644
#
-# Maximum number of attempts to change password if rejected (too easy)
-#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
-PASS_CHANGE_TRIES 5
-
-#
+CHFN_RESTRICT rwh
#
-# Warn about weak passwords (but still allow them) if you are root.
-#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
#
-PASS_ALWAYS_WARN yes
-
-#
+DEFAULT_HOME yes
#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
#
-#PASS_MAX_LEN 8
-
-#
+#USERDEL_CMD /usr/sbin/userdel_local
#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
#
-CHFN_AUTH yes
-
-#
-# Which fields may be changed by regular users using chfn(1) - use
+# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
@@ -294,104 +157,73 @@ CHFN_AUTH yes
CHFN_RESTRICT rwh
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
#
-CHFN_RESTRICT rwh
+USERGROUPS_ENAB yes
#
-# Password prompt (%s will be replaced by user name).
-#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
-
-#
+# FAKE_SHELL /bin/fakeshell
#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
@@ -380,58 +402,50 @@ index 33622c2..9711ad1 100644
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+# This variable is used by login and su.
#
-#MD5_CRYPT_ENAB no
+DEFAULT_HOME yes
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
-# If set to MD5, MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
-# Overrides the MD5_CRYPT_ENAB option
-#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
@@ -326,72 +207,10 @@ CHFN_RESTRICT rwh
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+#USERDEL_CMD /usr/sbin/userdel_local
#
-
-#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
#
-#
-# If not specified, the libc will choose the default number of rounds (5000),
-# which is orders of magnitude too low for modern hardware.
-# The values must be within the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
#
-#
-#SHA_CRYPT_MIN_ROUNDS 5000
-#SHA_CRYPT_MAX_ROUNDS 5000
+USERGROUPS_ENAB yes
#
-
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
@@ -442,70 +456,44 @@ index 33622c2..9711ad1 100644
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
#
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
+# FAKE_SHELL /bin/fakeshell
#
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
#
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
+# This variable is used by login and su.
#
-#
-#YESCRYPT_COST_FACTOR 5
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
+# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
+# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
+# This variable is used by login and su.
+#
#CONSOLE_GROUPS floppy:audio:cdrom
#
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default is no.
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
#
-#
-DEFAULT_HOME yes
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
#
# The pwck(8) utility emits a warning for any system account with a home
@@ -401,67 +233,12 @@ DEFAULT_HOME yes
@@ -401,67 +220,12 @@ DEFAULT_HOME yes
#
NONEXISTENT /nonexistent
@@ -573,7 +561,7 @@ index 33622c2..9711ad1 100644
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
@@ -471,3 +248,4 @@ PREVENT_NO_AUTH superuser
@@ -471,3 +235,4 @@ PREVENT_NO_AUTH superuser
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512