login.defs: remove CONSOLE_GROUPS, ignored with PAM
+86
-98
@@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian
|
||||
Remove settings only applicable to shadow's su, which we do not use.
|
||||
Remove settings only applicable without PAM support enabled.
|
||||
---
|
||||
etc/login.defs | 420 ++++++++++++++-------------------------------------------
|
||||
1 file changed, 99 insertions(+), 321 deletions(-)
|
||||
etc/login.defs | 413 +++++++++++++--------------------------------------------
|
||||
1 file changed, 89 insertions(+), 324 deletions(-)
|
||||
|
||||
diff --git a/etc/login.defs b/etc/login.defs
|
||||
index 33622c2..9711ad1 100644
|
||||
index 33622c2..b27f72c 100644
|
||||
--- a/etc/login.defs
|
||||
+++ b/etc/login.defs
|
||||
@@ -1,24 +1,38 @@
|
||||
@@ -233,7 +233,7 @@ index 33622c2..9711ad1 100644
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
@@ -180,113 +88,68 @@ TTYPERM 0600
|
||||
@@ -180,143 +88,116 @@ TTYPERM 0600
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
@@ -334,43 +334,65 @@ index 33622c2..9711ad1 100644
|
||||
|
||||
#
|
||||
-# Maximum number of attempts to change password if rejected (too easy)
|
||||
-#
|
||||
+# Which fields may be changed by regular users using chfn - use
|
||||
+# any combination of letters "frwh" (full name, room number, work
|
||||
+# phone, home phone). If not defined, no changes are allowed.
|
||||
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
-PASS_CHANGE_TRIES 5
|
||||
-
|
||||
-#
|
||||
+CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
-# Warn about weak passwords (but still allow them) if you are root.
|
||||
-#
|
||||
+# Should login be allowed if we can't cd to the home directory?
|
||||
+# Default is no.
|
||||
#
|
||||
-PASS_ALWAYS_WARN yes
|
||||
-
|
||||
-#
|
||||
+DEFAULT_HOME yes
|
||||
|
||||
#
|
||||
-# Number of significant characters in the password for crypt().
|
||||
-# Default is 8, don't change unless your crypt() is better.
|
||||
-# Ignored if MD5_CRYPT_ENAB set to "yes".
|
||||
-#
|
||||
+# If defined, this command is run when removing a user.
|
||||
+# It should remove any at/cron/print jobs etc. owned by
|
||||
+# the user to be removed (passed as the first argument).
|
||||
#
|
||||
-#PASS_MAX_LEN 8
|
||||
-
|
||||
-#
|
||||
+#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
-# Require password before chfn(1)/chsh(1) can make any changes.
|
||||
-#
|
||||
+# If set to yes, userdel will remove the user's group if it contains no
|
||||
+# more members, and useradd will create by default a group with the name
|
||||
+# of the user.
|
||||
#
|
||||
-CHFN_AUTH yes
|
||||
-
|
||||
-#
|
||||
-# Which fields may be changed by regular users using chfn(1) - use
|
||||
+# Which fields may be changed by regular users using chfn - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
# phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
@@ -294,104 +157,73 @@ CHFN_AUTH yes
|
||||
CHFN_RESTRICT rwh
|
||||
-# any combination of letters "frwh" (full name, room number, work
|
||||
-# phone, home phone). If not defined, no changes are allowed.
|
||||
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
+# Other former uses of this variable such as setting the umask when
|
||||
+# user==primary group are not used in PAM environments, such as Debian
|
||||
#
|
||||
-CHFN_RESTRICT rwh
|
||||
+USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
-# Password prompt (%s will be replaced by user name).
|
||||
-#
|
||||
+# Instead of the real user shell, the program specified by this parameter
|
||||
+# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
+# The program may do whatever it wants (logging, additional authentification,
|
||||
+# banner, ...) before running the actual shell.
|
||||
#
|
||||
-# XXX - it doesn't work correctly yet, for now leave it commented out
|
||||
-# to use the default which is just "Password: ".
|
||||
-#LOGIN_STRING "%s's Password: "
|
||||
-
|
||||
-#
|
||||
+# FAKE_SHELL /bin/fakeshell
|
||||
|
||||
#
|
||||
-# Only works if compiled with MD5_CRYPT defined:
|
||||
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
@@ -380,58 +402,50 @@ index 33622c2..9711ad1 100644
|
||||
-#
|
||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
-# the PAM modules configuration.
|
||||
-#
|
||||
+# If defined, either full pathname of a file containing device names or
|
||||
+# a ":" delimited list of device names. Root logins will be allowed only
|
||||
+# upon these devices.
|
||||
#
|
||||
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
||||
+# Should login be allowed if we can't cd to the home directory?
|
||||
+# Default is no.
|
||||
+# This variable is used by login and su.
|
||||
#
|
||||
-#MD5_CRYPT_ENAB no
|
||||
+DEFAULT_HOME yes
|
||||
+#CONSOLE /etc/consoles
|
||||
+#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||
-# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
||||
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
-# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
-# Overrides the MD5_CRYPT_ENAB option
|
||||
-#
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
@@ -326,72 +207,10 @@ CHFN_RESTRICT rwh
|
||||
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
-# the PAM modules configuration.
|
||||
+# If defined, this command is run when removing a user.
|
||||
+# It should remove any at/cron/print jobs etc. owned by
|
||||
+# the user to be removed (passed as the first argument).
|
||||
+# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
-#ENCRYPT_METHOD DES
|
||||
+#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
-#
|
||||
-# Define the number of SHA rounds.
|
||||
-# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
-# However, more CPU resources will be needed to authenticate users if
|
||||
-# this value is increased.
|
||||
+# If set to yes, userdel will remove the user's group if it contains no
|
||||
+# more members, and useradd will create by default a group with the name
|
||||
+# of the user.
|
||||
#
|
||||
-#
|
||||
-# If not specified, the libc will choose the default number of rounds (5000),
|
||||
-# which is orders of magnitude too low for modern hardware.
|
||||
-# The values must be within the 1000-999999999 range.
|
||||
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
-# If MIN > MAX, the highest value will be used.
|
||||
+# Other former uses of this variable such as setting the umask when
|
||||
+# user==primary group are not used in PAM environments, such as Debian
|
||||
#
|
||||
-#
|
||||
-#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
-#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
+USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||
-#
|
||||
-# Define the number of BCRYPT rounds.
|
||||
@@ -442,70 +456,44 @@ index 33622c2..9711ad1 100644
|
||||
-# If not specified, 13 rounds will be attempted.
|
||||
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
-# If MIN > MAX, the highest value will be used.
|
||||
+# Instead of the real user shell, the program specified by this parameter
|
||||
+# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
+# The program may do whatever it wants (logging, additional authentification,
|
||||
+# banner, ...) before running the actual shell.
|
||||
#
|
||||
-#
|
||||
-#BCRYPT_MIN_ROUNDS 13
|
||||
-#BCRYPT_MAX_ROUNDS 13
|
||||
+# FAKE_SHELL /bin/fakeshell
|
||||
|
||||
#
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||
-#
|
||||
-# Define the YESCRYPT cost factor.
|
||||
-# With a higher cost factor, it is more difficult to brute-force the password.
|
||||
-# However, more CPU time and more memory will be needed to authenticate users
|
||||
-# if this value is increased.
|
||||
+# If defined, either full pathname of a file containing device names or
|
||||
+# a ":" delimited list of device names. Root logins will be allowed only
|
||||
+# upon these devices.
|
||||
#
|
||||
-#
|
||||
-# If not specified, a cost factor of 5 will be used.
|
||||
-# The value must be within the 1-11 range.
|
||||
+# This variable is used by login and su.
|
||||
#
|
||||
-#
|
||||
-#YESCRYPT_COST_FACTOR 5
|
||||
+#CONSOLE /etc/consoles
|
||||
+#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
# List of groups to add to the user's supplementary group set
|
||||
-
|
||||
-#
|
||||
-# List of groups to add to the user's supplementary group set
|
||||
-# when logging in from the console (as determined by the CONSOLE
|
||||
+# when logging in on the console (as determined by the CONSOLE
|
||||
# setting). Default is none.
|
||||
#
|
||||
# Use with caution - it is possible for users to gain permanent
|
||||
-# setting). Default is none.
|
||||
-#
|
||||
-# Use with caution - it is possible for users to gain permanent
|
||||
-# access to these groups, even when not logged in from the console.
|
||||
+# access to these groups, even when not logged in on the console.
|
||||
# How to do it is left as an exercise for the reader...
|
||||
#
|
||||
+# This variable is used by login and su.
|
||||
+#
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
#
|
||||
-# How to do it is left as an exercise for the reader...
|
||||
-#
|
||||
-#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
-
|
||||
-#
|
||||
-# Should login be allowed if we can't cd to the home directory?
|
||||
-# Default is no.
|
||||
+# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
||||
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
+# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
-#
|
||||
-DEFAULT_HOME yes
|
||||
+# Note: It is recommended to use a value consistent with
|
||||
+# the PAM modules configuration.
|
||||
+#
|
||||
+ENCRYPT_METHOD YESCRYPT
|
||||
|
||||
#
|
||||
# The pwck(8) utility emits a warning for any system account with a home
|
||||
@@ -401,67 +233,12 @@ DEFAULT_HOME yes
|
||||
@@ -401,67 +220,12 @@ DEFAULT_HOME yes
|
||||
#
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
@@ -573,7 +561,7 @@ index 33622c2..9711ad1 100644
|
||||
#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
@@ -471,3 +248,4 @@ PREVENT_NO_AUTH superuser
|
||||
@@ -471,3 +235,4 @@ PREVENT_NO_AUTH superuser
|
||||
# that are available in your system.
|
||||
#
|
||||
#HMAC_CRYPTO_ALGO SHA512
|
||||
|
||||
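Review bot: `+ENCRYPT_METHOD YESCRYPT` is kept on the new side while the same section removes the entire cost-factor documentation together with the commented `#YESCRYPT_COST_FACTOR 5`, `#SHA_CRYPT_MIN_ROUNDS 5000` and `#BCRYPT_MIN_ROUNDS 13` entries, so a reader of the patched file is told which hash to use but no longer where its work factor is set, and the retained note "It is recommended to use a value consistent with the PAM modules configuration" does not say which side governs. If ENCRYPT_METHOD is still consulted by the shadow tools that hash passwords themselves on this build, consider keeping the `#YESCRYPT_COST_FACTOR 5` entry with its comment, or otherwise adding `# Hash work factor is configured in the PAM stack, not in this file.` directly under ENCRYPT_METHOD, whichever is actually true. Separately, the CONSOLE_GROUPS comment block and `#CONSOLE_GROUPS floppy:audio:cdrom` still appear as context on the new side with `+# This variable is used by login and su.` inserted just above them, which is hard to reconcile with the commit title; since this is a diff of a patch file the nested markers are ambiguous, so confirm that the resulting login.defs no longer carries CONSOLE_GROUPS.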