Options of login.defs file

#
# /etc/login.defs - Configuration control definitions for the login package.
#
#	$Id: login.defs.linux,v 1.11 1999/08/27 19:02:50 marekm Exp $
#
# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed.  All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux.  --marekm

#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail (or any maildir-compatible MTA, such as Exim or
#   Postfix when suitably configured).
#
#   Essentially, MAIL_DIR defines the $MAIL environmental variable
#   (for mbox use) by appending the username to MAIL_DIR as defined
#   below.  MAIL_FILE defines the $MAIL environment variable as the
#   fully-qualified filename obtained by prepending the user home
#   directory before $MAIL_FILE, and QMAIL_DIR defines the MAIL
#   environment variable as the fully-qualified directory name
#   obtained by prepending the user home directory before $QMAIL_DIR.
#
# NOTE: This is used to setup your MAIL environment variable, and also
# used by userdel to determine if any mail spools need to be removed when
# removing a user. If you change this, you should also change the
# pam_mail.so module setup in /etc/pam.d/login, which affects the "You
# have mail" message on login, and, in default setup, overrides this setting
# in determining the $MAIL environmental variable.
#
#QMAIL_DIR      Maildir/
MAIL_DIR        /var/mail
#MAIL_FILE      .mail

#
# Delay in seconds before being allowed another attempt after a login failure
#
FAIL_DELAY		3

#
# Enable logging and display of /var/log/faillog login failure info.
#
FAILLOG_ENAB		yes

#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB	no

#
# Enable logging of successful logins
#
LOG_OK_LOGINS		no

#
# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
QUOTAS_ENAB		yes

#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE	/var/log/sulog

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100  tty01".
#
#TTYTYPE_FILE	/etc/ttytype

#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE	/var/log/btmp

#
# If defined, the command name to display when running "su -".  For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su".  If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME		su

#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

#
# If defined, the presence of this value in an /etc/passwd "shell" field will
# disable logins for that user, although "su" will still be allowed.
#
# XXX this does not seem to be implemented yet...  --marekm
# no, it was implemented but I ripped it out   -- jfh
NOLOGIN_STR	NOLOGIN

#
# If defined, either a TZ environment parameter spec or the
# fully-rooted pathname of a file containing such a spec.
#
#ENV_TZ		TZ=CST6CDT
#ENV_TZ		/etc/tzname

#
# If defined, an HZ environment parameter spec.
#
# for Linux/x86
ENV_HZ		HZ=100
# For Linux/Alpha...
#ENV_HZ		HZ=1024

#
# *REQUIRED*  The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games

#
# Terminal permissions
#
#	TTYGROUP	Login tty will be assigned this group ownership.
#	TTYPERM		Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP	tty
TTYPERM		0600

#
# Login configuration initializations:
#
#	ERASECHAR	Terminal ERASE character ('10' = backspace).
#	KILLCHAR	Terminal KILL character ('25' = CTRL/U).
#	UMASK		Default "umask" value.
#	ULIMIT		Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# The ULIMIT is used only if the system supports it.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR	0177
KILLCHAR	025
UMASK		022
#ULIMIT		2097152

#
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			 1000
UID_MAX			60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			  100
GID_MAX			60000

#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries However, this is a safe fallback in case you are using
# and authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES		5

#
# Max time in seconds for login
#
LOGIN_TIMEOUT		60

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN		8

#
# Require password before chfn/chsh can make any changes.
#
CHFN_AUTH		yes

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone).  If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT		rwh

#
# Password prompt (%s will be replaced by user name).
#
# XXX - it doesn't work correctly yet, for now leave it commented out
# to use the default which is just "Password: ".
#LOGIN_STRING		"%s's Password: "

#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME	yes

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names.  No password is required to log in
# as a non-root user on these devices.
#
#NO_PASSWORD_CONSOLE tty1:tty2:tty3:tty4:tty5:tty6

#
# When prompting for password without echo, getpass() can optionally
# display a random number (in the range 1 to GETPASS_ASTERISKS) of '*'
# characters for each character typed.  This feature is designed to
# confuse people looking over your shoulder when you enter a password  .
# Also, the new getpass() accepts both Backspace (8) and Delete (127)
# keys to delete previous character (to cope with different terminal
# types), Control-U to delete all characters, and beeps when there are
# no more characters to delete, or too many characters entered.
#
# Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour -
# exactly one '*' displayed for each character typed.
#
# Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace,
# Delete, Control-U and beep continue to work as described above).
#
# Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass()
# without any new features.  This is the default.
#
#GETPASS_ASTERISKS 1

#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell

#
# Enable pam_close_session() calling. When using normal (pam_unix.so)
# session handling modules, this is not needed. However with modules
# (such as kerberos or other persistent session models), login and su
# need to fork and wait for the shell to exit so that sessions can be
# cleaned up.
#
#CLOSE_SESSIONS no

################# OBSOLETED BY PAM ##############
#						#
# These options are now handled by PAM. Please	#
# edit the appropriate file in /etc/pam.d/ to	#
# enable the equivelants of them.
#
###############

#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#CONSOLE
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#MD5_CRYPT_ENAB
#CONSOLE_GROUPS
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN

Setup proxy setting in a text based linux machine

Reference:

http://kryptoz.wordpress.com/2007/09/19/the-http_proxy-environment-variable-setup-proxy-setting-in-a-linux-machine/

If you need to use proxy server to access http/https from a linux machine in the office LAN, set the environment variable http_proxy. This will allow wget and python’s urllib modules and other applications (yum, apt-get etc) to use this environment variable and access http/https using the settings assigned to the variable http_proxy.

The below would be the ideal way of assigning values for http_proxy variable.

$export http_proxy=”http://<proxy-server-ip>:<port>”

I have added this to my ~/.bashrc so that I don’t have to export this variable every time I reboot my machine !

And then there is the “ftp_proxy” …..

up2date command to update Redhat enterprise Linux (RHEL) how to

From: http://www.cyberciti.biz (Source)

For Redhat enterprise Linux operating systems, we need to get updates from RHN via Redhat Network Satellite/proxy servers (usually used by big hosting/ISPs or larget RHEL installation setups) to install critical and non-critical security updates as well as binary packages.

To register the system with RHN type the following command and just follow on screen instructions:

# up2date --register

WARNING! These examples only works with RHEL version 2.x, 3.x and 4.x only. RHEL version 5.x comes with yum utility to update and install packages.

Task: Display list of updated software (security fix)

Type the following command at shell prompt:# up2date -l

Task: Patch up system by applying all updates

To download all update type the following command:# up2date -u

Task: Forcefully update or patching

Sometime you need to forcefully apply updates. By default RHN does not install new kernel, so you need to run updates using following command:# up2date -uf

Task: Install new software/rpm

Use up2date command to install new RPM from RHN:# up2date httpd

Task: Update installed software

To fix latest bugs or to apply a patch use up2date command as follows for php package:# up2date php

Task: Download source RPM files

Download source packages only but don’t install:# up2date -d --src Package-Name

Task: Display the list of available packages

# up2date --showall
# up2date --showall | grep httpd

Task: Install particular architecture package

If you are using 64 bit RHEL version it is possible to install 32 packages:# up2date --arch=i386 mysql

Above command will install mysql 32 bit version instead of 64 bit version.

Task: Display what package provides the file

You can easily find out what RPM package provides the file. For example find out what provides the /etc/passwd file:# up2date --whatprovides "/etc/passwd"Output:

setup-2.5.37-1.3.noarch

It queries the RHN servers to resolve the comma separated list of dependencies. It will return a list of packages that will satisfy these dependencies.

Task: Display list of group software

Option –show-groups displays all the component groups that are installable via up2date command. This is good to install entire set of software such as development environment.
# up2date --show-groupsOutput:

Administration Tools
Arabic Support
Assamese Support
Authoring and Publishing
GNOME
GNOME Desktop Environment
GNOME Software Development
Games and Entertainment
Windows File Server
Workstation Common
X Software Development
X Window System
XEmacs

To install group X Software Development just type the command:
# up2date -i "@ X Software Development "

Read man page of up2date command for more information:
man up2date

How To Auto Logout User In Linux After Certain Minutes Of Idle

Almost everyone are forgetful and used to leave the Linux/Unix login session open without logging out.

So, how to make sure all the Linux servers will automatically logout users after idle for certain minutes?

In fact, the simplest way is to configure the TMOUT environment variable!

For example, this export command

export TMOUT=60

will immediately get the Linux OS to automatically logout a user after his/her login session being idle for 60 seconds or 1 minute!

The TMOUT environment variable is applied to a command line console login session only.

For X-window or GUI login, you can easily turn on any pretty auto-lock screen-saver, that works very much like those in Windows.

For testing purpose, you can set a lower limit. While login to Linux, su to another user ID and execute

export TMOUT=10

After being idle for 10 seconds, you’ll likely see this warning message appears and the su login session will be terminated or log out immediately.

timed out waiting for input: auto-logout

In order the apply TMOUT to all Linux login accounts, you can put that export command to the login scripts or login profile (.bash_profile or .profile) in respective user home directory.

But, the easiest way is to write the export command in the system profile instead of respective user’s profile!

That’s to say, you can append the export TMOUT=60 command to /etc/profile (i.e. the system profile)!

Bear in mind that any login user can simply overwrite this TMOUT setting!

For example, he or she can easily disable or extend the time-out value before auto-logout feature triggered. To disable the Linux auto-logout user feature, just set the TMOUT to zero, i.e.

export TMOUT=0

In addition, the Linux TMOUT environment variable will not effective if the user has an active or open document. For example, if the VI editor is open, the Linux auto-logout feature in command console will not working!