login.defs: remove CONSOLE, ignored with PAM
This commit is contained in:
Chris Hofstaedtler
@@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian
|
||||
Remove settings only applicable to shadow's su, which we do not use.
|
||||
Remove settings only applicable without PAM support enabled.
|
||||
---
|
||||
etc/login.defs | 413 +++++++++++++--------------------------------------------
|
||||
1 file changed, 89 insertions(+), 324 deletions(-)
|
||||
etc/login.defs | 411 ++++++++++++---------------------------------------------
|
||||
1 file changed, 83 insertions(+), 328 deletions(-)
|
||||
|
||||
diff --git a/etc/login.defs b/etc/login.defs
|
||||
index 33622c2..b27f72c 100644
|
||||
index 33622c2..a338dc9 100644
|
||||
--- a/etc/login.defs
|
||||
+++ b/etc/login.defs
|
||||
@@ -1,24 +1,38 @@
|
||||
@@ -233,7 +233,7 @@ index 33622c2..b27f72c 100644
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
@@ -180,143 +88,116 @@ TTYPERM 0600
|
||||
@@ -180,143 +88,106 @@ TTYPERM 0600
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
@@ -334,63 +334,58 @@ index 33622c2..b27f72c 100644
|
||||
|
||||
#
|
||||
-# Maximum number of attempts to change password if rejected (too easy)
|
||||
-#
|
||||
-PASS_CHANGE_TRIES 5
|
||||
-
|
||||
-#
|
||||
-# Warn about weak passwords (but still allow them) if you are root.
|
||||
+# Which fields may be changed by regular users using chfn - use
|
||||
+# any combination of letters "frwh" (full name, room number, work
|
||||
+# phone, home phone). If not defined, no changes are allowed.
|
||||
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
-PASS_CHANGE_TRIES 5
|
||||
+CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
-# Warn about weak passwords (but still allow them) if you are root.
|
||||
+# Should login be allowed if we can't cd to the home directory?
|
||||
+# Default is no.
|
||||
#
|
||||
-PASS_ALWAYS_WARN yes
|
||||
+DEFAULT_HOME yes
|
||||
+CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
-# Number of significant characters in the password for crypt().
|
||||
-# Default is 8, don't change unless your crypt() is better.
|
||||
-# Ignored if MD5_CRYPT_ENAB set to "yes".
|
||||
+# Should login be allowed if we can't cd to the home directory?
|
||||
+# Default is no.
|
||||
#
|
||||
-#PASS_MAX_LEN 8
|
||||
+DEFAULT_HOME yes
|
||||
|
||||
#
|
||||
-# Require password before chfn(1)/chsh(1) can make any changes.
|
||||
+# If defined, this command is run when removing a user.
|
||||
+# It should remove any at/cron/print jobs etc. owned by
|
||||
+# the user to be removed (passed as the first argument).
|
||||
#
|
||||
-#PASS_MAX_LEN 8
|
||||
-CHFN_AUTH yes
|
||||
+#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
-# Require password before chfn(1)/chsh(1) can make any changes.
|
||||
+# If set to yes, userdel will remove the user's group if it contains no
|
||||
+# more members, and useradd will create by default a group with the name
|
||||
+# of the user.
|
||||
#
|
||||
-CHFN_AUTH yes
|
||||
-
|
||||
-#
|
||||
-# Which fields may be changed by regular users using chfn(1) - use
|
||||
-# any combination of letters "frwh" (full name, room number, work
|
||||
-# phone, home phone). If not defined, no changes are allowed.
|
||||
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
+# Other former uses of this variable such as setting the umask when
|
||||
+# user==primary group are not used in PAM environments, such as Debian
|
||||
+# If set to yes, userdel will remove the user's group if it contains no
|
||||
+# more members, and useradd will create by default a group with the name
|
||||
+# of the user.
|
||||
#
|
||||
-CHFN_RESTRICT rwh
|
||||
+USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
-
|
||||
-#
|
||||
-# Password prompt (%s will be replaced by user name).
|
||||
+# Instead of the real user shell, the program specified by this parameter
|
||||
+# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
+# The program may do whatever it wants (logging, additional authentification,
|
||||
+# banner, ...) before running the actual shell.
|
||||
+# Other former uses of this variable such as setting the umask when
|
||||
+# user==primary group are not used in PAM environments, such as Debian
|
||||
#
|
||||
-# XXX - it doesn't work correctly yet, for now leave it commented out
|
||||
-# to use the default which is just "Password: ".
|
||||
-#LOGIN_STRING "%s's Password: "
|
||||
+# FAKE_SHELL /bin/fakeshell
|
||||
+USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
-# Only works if compiled with MD5_CRYPT defined:
|
||||
@@ -399,26 +394,25 @@ index 33622c2..b27f72c 100644
|
||||
-# It supports passwords of unlimited length and longer salt strings.
|
||||
-# Set to "no" if you need to copy encrypted passwords to other systems
|
||||
-# which don't understand the new algorithm. Default is "no".
|
||||
-#
|
||||
+# Instead of the real user shell, the program specified by this parameter
|
||||
+# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
+# The program may do whatever it wants (logging, additional authentification,
|
||||
+# banner, ...) before running the actual shell.
|
||||
#
|
||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
-# the PAM modules configuration.
|
||||
+# If defined, either full pathname of a file containing device names or
|
||||
+# a ":" delimited list of device names. Root logins will be allowed only
|
||||
+# upon these devices.
|
||||
#
|
||||
-#
|
||||
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
||||
+# This variable is used by login and su.
|
||||
#
|
||||
-#
|
||||
-#MD5_CRYPT_ENAB no
|
||||
+#CONSOLE /etc/consoles
|
||||
+#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
+# FAKE_SHELL /bin/fakeshell
|
||||
|
||||
#
|
||||
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
@@ -326,72 +207,10 @@ CHFN_RESTRICT rwh
|
||||
@@ -326,72 +197,10 @@ CHFN_RESTRICT rwh
|
||||
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
@@ -493,7 +487,7 @@ index 33622c2..b27f72c 100644
|
||||
|
||||
#
|
||||
# The pwck(8) utility emits a warning for any system account with a home
|
||||
@@ -401,67 +220,12 @@ DEFAULT_HOME yes
|
||||
@@ -401,67 +210,12 @@ DEFAULT_HOME yes
|
||||
#
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
@@ -561,7 +555,7 @@ index 33622c2..b27f72c 100644
|
||||
#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
@@ -471,3 +235,4 @@ PREVENT_NO_AUTH superuser
|
||||
@@ -471,3 +225,4 @@ PREVENT_NO_AUTH superuser
|
||||
# that are available in your system.
|
||||
#
|
||||
#HMAC_CRYPTO_ALGO SHA512
|
||||
|
||||
Reference in New Issue
Block a user