* Use <replaceable> for the values set by users. (was sometimes <emphasis remap='I'>)
* Use <option> for the variable names. This makes the manpage much more readable.
* (ENCRYPT_METHOD, MD5_CRYPT_ENAB, SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS): Mention that command line option may supersede the system setting.
* Document the variables used by chpasswd and chgpasswd.
This commit is contained in:
parent
ba1e26e25f
commit
d316ba1b87
12
ChangeLog
@ -1,3 +1,15 @@
|
|||||||
|
2007-11-22 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
* man/login.defs.5.xml: Use <replaceable> for the values set by
|
||||||
|
users. (was sometimes <emphasis remap='I'>)
|
||||||
|
* man/login.defs.5.xml: Use <option> vor the variable names. This
|
||||||
|
makes the manpage much more readable.
|
||||||
|
* man/login.defs.5.xml (ENCRYPT_METHOD, MD5_CRYPT_ENAB,
|
||||||
|
SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS): Mention that command
|
||||||
|
line option may supersede the system setting.
|
||||||
|
* man/login.defs.5.xml: Document the variables used by chpasswd
|
||||||
|
and chgpasswd.
|
||||||
|
|
||||||
2007-11-22 Nicolas François <nicolas.francois@centraliens.net>
|
2007-11-22 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
* lib/shadowmem.c, lib/groupmem.c, lib/pwmem.c:
|
* lib/shadowmem.c, lib/groupmem.c, lib/pwmem.c:
|
||||||
|
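Review bot: typo in the second added ChangeLog entry, "Use <option> vor the variable names" should read "for the variable names". In the third entry, "command line option may supersede" reads better as "command line options may supersede", since the entry covers both the algorithm and the rounds settings.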
@ -31,11 +31,15 @@
|
|||||||
<para>
|
<para>
|
||||||
Parameter values may be of four types: strings, booleans, numbers, and
|
Parameter values may be of four types: strings, booleans, numbers, and
|
||||||
long numbers. A string is comprised of any printable characters. A
|
long numbers. A string is comprised of any printable characters. A
|
||||||
boolean should be either the value "yes" or "no". An undefined boolean
|
boolean should be either the value <replaceable>yes</replaceable> or
|
||||||
parameter or one with a value other than these will be given a "no"
|
<replaceable>no</replaceable>. An undefined boolean
|
||||||
|
parameter or one with a value other than these will be given a
|
||||||
|
<replaceable>no</replaceable>
|
||||||
value. Numbers (both regular and long) may be either decimal values,
|
value. Numbers (both regular and long) may be either decimal values,
|
||||||
octal values (precede the value with "0") or hexadecimal values
|
octal values (precede the value with <replaceable>0</replaceable>) or
|
||||||
(precede the value with "0x"). The maximum value of the regular and
|
hexadecimal values
|
||||||
|
(precede the value with <replaceable>0x</replaceable>).
|
||||||
|
The maximum value of the regular and
|
||||||
long numeric parameters is machine-dependent.
|
long numeric parameters is machine-dependent.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
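Review bot: in the parameter-types paragraph, "yes", "no", "0" and "0x" are fixed strings the administrator types verbatim, whereas DocBook's <replaceable> marks a placeholder that the reader substitutes with their own value. <literal> would describe these tokens more accurately and would keep <replaceable> meaningful for real placeholders elsewhere in the page. If <replaceable> is kept for rendering reasons, say so in the ChangeLog entry.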
@ -43,10 +47,10 @@
|
|||||||
|
|
||||||
<variablelist remap='IP'>
|
<variablelist remap='IP'>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>CHFN_AUTH (boolean)</term>
|
<term><option>CHFN_AUTH</option> (boolean)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
If <emphasis remap='I'>yes</emphasis>, the
|
If <replaceable>yes</replaceable>, the
|
||||||
<command>chfn</command> and <command>chsh</command> programs
|
<command>chfn</command> and <command>chsh</command> programs
|
||||||
will require authentication before making any changes, unless
|
will require authentication before making any changes, unless
|
||||||
run by the superuser.
|
run by the superuser.
|
||||||
@ -54,45 +58,55 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>CHFN_RESTRICT (string)</term>
|
<term><option>CHFN_RESTRICT</option> (string)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This parameter specifies which values in the <emphasis
|
This parameter specifies which values in the <emphasis
|
||||||
remap='I'>gecos</emphasis> field of the
|
remap='I'>gecos</emphasis> field of the
|
||||||
<filename>/etc/passwd</filename> file may be changed by regular
|
<filename>/etc/passwd</filename> file may be changed by regular
|
||||||
users using the <command>chfn</command> program. It can be any
|
users using the <command>chfn</command> program. It can be any
|
||||||
combination of letters <emphasis remap='I'>f</emphasis>
|
combination of letters <replaceable>f</replaceable>,
|
||||||
,<emphasis remap='I'>r</emphasis>, <emphasis remap='I'>w</emphasis>,
|
<replaceable>r</replaceable>, <replaceable>w</replaceable>,
|
||||||
<emphasis remap='I'>h</emphasis>, for Full name, Room number,
|
<replaceable>h</replaceable>, for Full name, Room number,
|
||||||
Work phone, and Home phone, respectively. For backward
|
Work phone, and Home phone, respectively. For backward
|
||||||
compatibility, "yes" is equivalent to "rwh" and "no" is
|
compatibility, <replaceable>yes</replaceable> is equivalent to
|
||||||
equivalent to "frwh". If not specified, only the superuser can
|
<replaceable>rwh</replaceable> and
|
||||||
|
<replaceable>no</replaceable> is
|
||||||
|
equivalent to <replaceable>frwh</replaceable>. If not specified,
|
||||||
|
only the superuser can
|
||||||
make any changes. The most restrictive setting is better
|
make any changes. The most restrictive setting is better
|
||||||
achieved by not installing <filename>chfn</filename> SUID.
|
achieved by not installing <command>chfn</command> SUID.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ENCRYPT_METHOD (string)</term>
|
<term><option>ENCRYPT_METHOD</option> (string)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
If set to MD5, the MD5-based algorithm will be used for
|
This defines the system default encryption algorithm for
|
||||||
encrypting passwords.
|
encrypting passwords (if no algorithm are specified on the
|
||||||
|
command line).
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If set to SHA256, the SHA256-based algorithm will be used for
|
It can take one of these values:
|
||||||
encrypting passwords.
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><replaceable>DES</replaceable> (default)</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para><replaceable>MD5</replaceable></para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para><replaceable>SHA256</replaceable></para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para><replaceable>SHA512</replaceable></para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If set to SHA512, the SHA512-based algorithm will be used for
|
Note: this parameter overrides the
|
||||||
encrypting passwords.
|
<option>MD5_CRYPT_ENAB</option> variable.
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
If set to DES, the DES-based algorithm will be used for
|
|
||||||
encrypting passwords. It is the default algorithm.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
Note: this parameter overrides the MD5_CRYPT_ENAB option.
|
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note: if you use PAM, it is recommended to set this variable
|
Note: if you use PAM, it is recommended to set this variable
|
||||||
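Review bot: grammar in the new ENCRYPT_METHOD description, "if no algorithm are specified on the command line" should be "if no algorithm is specified on the command line". The entry now carries two separate precedence statements (the command line wins over ENCRYPT_METHOD, and ENCRYPT_METHOD wins over MD5_CRYPT_ENAB); stating the full order once, in a single sentence, would make it easier for an administrator to tell which setting actually decides the hash algorithm. The <filename> to <command> change for chfn is correct.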
@ -101,8 +115,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>GID_MAX (number)</term>
|
<term><option>GID_MAX</option> (number)</term>
|
||||||
<term>GID_MIN (number)</term>
|
<term><option>GID_MIN</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Range of group IDs to choose from for the
|
Range of group IDs to choose from for the
|
||||||
@ -112,7 +126,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>MAIL_DIR (string)</term>
|
<term><option>MAIL_DIR</option> (string)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The mail spool directory. This is needed to manipulate the
|
The mail spool directory. This is needed to manipulate the
|
||||||
@ -122,11 +136,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>MAX_MEMBERS_PER_GROUP (number)</term>
|
<term><option>MAX_MEMBERS_PER_GROUP</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Maximum members per group entry. When the maximum is reached,
|
Maximum members per group entry. When the maximum is reached,
|
||||||
a new group entry (line) is started is
|
a new group entry (line) is started in
|
||||||
<filename>/etc/group</filename> (with the same name, same
|
<filename>/etc/group</filename> (with the same name, same
|
||||||
password, and same GID).
|
password, and same GID).
|
||||||
</para>
|
</para>
|
||||||
@ -146,25 +160,34 @@
|
|||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note: split groups may not be supported by all tools (even in
|
Note: split groups may not be supported by all tools (even in
|
||||||
the Shadow toolsuite. Yous hould not use this variable unless
|
the Shadow toolsuite. You should not use this variable unless
|
||||||
you really need it.
|
you really need it.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>MD5_CRYPT_ENAB (boolean)</term>
|
<term><option>MD5_CRYPT_ENAB</option> (boolean)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Indicate if passwords must be encrypted using the MD5-based
|
Indicate if passwords must be encrypted using the MD5-based
|
||||||
algorithm. If set to "yes", new passwords will be encrypted
|
algorithm. If set to <replaceable>yes</replaceable>, new
|
||||||
|
passwords will be encrypted
|
||||||
using the MD5-based algorithm compatible with the one used by
|
using the MD5-based algorithm compatible with the one used by
|
||||||
recent releases of FreeBSD. It supports passwords of
|
recent releases of FreeBSD. It supports passwords of
|
||||||
unlimited length and longer salt strings. Set to "no" if you
|
unlimited length and longer salt strings. Set to
|
||||||
|
<replaceable>no</replaceable> if you
|
||||||
need to copy encrypted passwords to other systems which don't
|
need to copy encrypted passwords to other systems which don't
|
||||||
understand the new algorithm. Default is "no".
|
understand the new algorithm. Default is
|
||||||
|
<replaceable>no</replaceable>.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
This variable is deprecated. You should use ENCRYPT_METHOD.
|
This variable is superceded by the
|
||||||
|
<option>ENCRYPT_METHOD</option> variable or by any command
|
||||||
|
line option used to configure the encryption algorithm.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
This variable is deprecated. You should use
|
||||||
|
<option>ENCRYPT_METHOD</option>.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note: if you use PAM, it is recommended to set this variable
|
Note: if you use PAM, it is recommended to set this variable
|
||||||
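Review bot: "superceded" in the new MD5_CRYPT_ENAB paragraph is misspelled; use "superseded", matching the "supersede" used in the ChangeLog entry. In the split-groups note, the "Yous hould" fix leaves the parenthesis opened at "(even in the Shadow toolsuite." unclosed, so add the ")" before the period while touching that line. The new "superseded by" paragraph and the "deprecated" paragraph that follows say nearly the same thing and could be merged into one.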
@ -173,7 +196,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>PASS_MAX_DAYS (number)</term>
|
<term><option>PASS_MAX_DAYS</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The maximum number of days a password may be used. If the
|
The maximum number of days a password may be used. If the
|
||||||
@ -184,7 +207,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>PASS_MIN_DAYS (number)</term>
|
<term><option>PASS_MIN_DAYS</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The minimum number of days allowed between password changes.
|
The minimum number of days allowed between password changes.
|
||||||
@ -195,7 +218,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>PASS_WARN_AGE (number)</term>
|
<term><option>PASS_WARN_AGE</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The number of days warning given before a password expires. A
|
The number of days warning given before a password expires. A
|
||||||
@ -208,18 +231,22 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are only used at the
|
<option>PASS_MAX_DAYS</option>, <option>PASS_MIN_DAYS</option> and
|
||||||
|
<option>PASS_WARN_AGE</option> are only used at the
|
||||||
time of account creation. Any changes to these settings won't affect
|
time of account creation. Any changes to these settings won't affect
|
||||||
existing accounts.
|
existing accounts.
|
||||||
</para>
|
</para>
|
||||||
<variablelist remap='IP'>
|
<variablelist remap='IP'>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SHA_CRYPT_MIN_ROUNDS (number)</term>
|
<term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
|
||||||
<term>SHA_CRYPT_MAX_ROUNDS (number)</term>
|
<term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines
|
When <option>ENCRYPT_METHOD</option> is set to
|
||||||
the number of SHA rounds used by the encryption algorithm.
|
<replaceable>SHA256</replaceable> or
|
||||||
|
<replaceable>SHA512</replaceable>, this defines the number of
|
||||||
|
SHA rounds used by the encryption algorithm by default (when
|
||||||
|
the number of rounds is not specified on the command line).
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
With a lot of rounds, it is more difficult to brute forcing
|
With a lot of rounds, it is more difficult to brute forcing
|
||||||
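Review bot: the context line directly after the rewritten rounds paragraph, "With a lot of rounds, it is more difficult to brute forcing", is ungrammatical and is worth fixing in the same pass ("to brute force"), since this entry is being reworded anyway. The added "by default (when the number of rounds is not specified on the command line)" is clear as written.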
@ -227,24 +254,27 @@
|
|||||||
needed to authenticate users.
|
needed to authenticate users.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If not specified, the libc will choose the default number of rounds
|
If not specified, the libc will choose the default number of
|
||||||
(5000).
|
rounds (5000).
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The values must be inside the 1000-999999999 range.
|
The values must be inside the 1000-999999999 range.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If only one of the MIN or MAX values is set, then this value will be
|
If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
|
||||||
used.
|
<option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this
|
||||||
|
value will be used.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
If MIN > MAX, the highest value will be used.
|
If <option>SHA_CRYPT_MIN_ROUNDS</option> >
|
||||||
|
<option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will
|
||||||
|
be used.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>UID_MAX (number)</term>
|
<term><option>UID_MAX</option> (number)</term>
|
||||||
<term>UID_MIN (number)</term>
|
<term><option>UID_MIN</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Range of user IDs to choose from for the
|
Range of user IDs to choose from for the
|
||||||
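Review bot: the SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS entry still does not say which round count is used when both variables are set and MIN is lower than MAX; the visible paragraphs cover only "neither set", "only one set" and "MIN > MAX". It also gives the 1000-999999999 range without saying what happens to a value outside it. Since the rounds value sets the cost of both authentication and brute forcing, both cases should be documented here. The expansion of "MIN" and "MAX" to the full variable names is a good change.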
@ -253,7 +283,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>UMASK (number)</term>
|
<term><option>UMASK</option> (number)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The permission mask is initialized to this value. If not
|
The permission mask is initialized to this value. If not
|
||||||
@ -262,7 +292,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>USERDEL_CMD (string)</term>
|
<term><option>USERDEL_CMD</option> (string)</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
If defined, this command is run when removing a user. It should
|
If defined, this command is run when removing a user. It should
|
||||||
@ -288,6 +318,24 @@
|
|||||||
<para>CHFN_AUTH CHFN_RESTRICT</para>
|
<para>CHFN_AUTH CHFN_RESTRICT</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>chgpasswd</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
MD5_CRYPT_ENAB ENCRYPT_METHOD SHA_CRYPT_MIN_ROUNDS
|
||||||
|
SHA_CRYPT_MAX_ROUNDS MAX_MEMBERS_PER_GROUP
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>chpasswd</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
MD5_CRYPT_ENAB ENCRYPT_METHOD SHA_CRYPT_MIN_ROUNDS
|
||||||
|
SHA_CRYPT_MAX_ROUNDS
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>chsh</term>
|
<term>chsh</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
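Review bot: the new chgpasswd and chpasswd entries list the variable names as bare text, while the rest of this commit wraps variable names in <option>. That matches the existing "<para>CHFN_AUTH CHFN_RESTRICT</para>" context line, so it is consistent within this list, but the list as a whole now differs from the descriptions above it; either convert the whole cross-reference list in a follow-up or mention in the ChangeLog that it is left unmarked on purpose.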
@ -303,8 +351,8 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>newusers</term>
|
<term>newusers</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
|
<para>
|
||||||
UMASK
|
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|