LOGIN.CONF(5)             NetBSD File Formats Manual             LOGIN.CONF(5)

     login.conf -- login class capability data base


     The login.conf file describes the various attributes of login classes.  A
     login class determines what styles of authentication are available as
     well as session resource limits and environment setup.  While designed
     primarily for the login(1) program, it is also used by other programs,
     e.g., rexecd(8), which need to set up a user environment.

     The class to be used is normally determined by the class field in the
     password file (see passwd(5)).  The class is used to look up a
     corresponding entry in the login.conf file.  A special class called
     ``default'' will be used (if it exists) if the field in the password file
     is empty.

     Refer to capfile(5) for a description of the file layout.  An example
     entry is:

           classname|Description entry:\

     All entries in the login.conf file are either boolean or use a `=' to
     separate the capability from the value.  The types are described after
     the capability table.

     Name              Type       Default    Description

     copyright         file                  File containing additional
                                             copyright information.  (If the
                                             file exists, login(1) displays it
                                             before the welcome message.)

     coredumpsize      size                  Maximum coredump size limit.

     cputime           time                  CPU usage limit.

     datasize          size                  Maximum data size limit.

     filesize          size                  Maximum file size limit.

     host.allow        string                A comma-separated list of host
                                             name or IP address patterns from
                                             which a class is allowed access.
                                             Access is instead denied from any
                                             hosts preceded by `!'.  Patterns
                                             can contain the sh(1)-style `*'
                                             and `?' wildcards.  The host.deny
                                             entry is checked before
                                             host.allow.  (Currently used only
                                             by sshd(8).)

     host.deny         string                A comma-separated list of host
                                             name or IP address patterns from
                                             which a class is denied access.
                                             Patterns as per host.allow,
                                             although a matched pattern that
                                             has been negated with `!' is
                                             ignored.  (Currently used only by

     hushlogin         bool       false      Same as having a $HOME/.hushlogin
                                             file.  See login(1).

     ignorenologin     bool       false      Not affected by nologin files.

     login-retries     number     10         Maximum number of login attempts

     login-backoff     number     3          Number of login attempts after
                                             which to start random back-off.

     maxproc           number                Maximum number of processes.

     maxthread         number                Maximum number of threads.  The
                                             first thread of each process is
                                             not counted against this.

     memorylocked      size                  Maximum locked in core memory
                                             size limit.

     memoryuse         size                  Maximum in core memoryuse size

     minpasswordlen    number                The minimum length a local
                                             password may be.  Used by the
                                             passwd(1) utility.

     nologin           file                  If the file exists it will be
                                             displayed and the login session
                                             will be terminated.

     openfiles         number                Maximum number of open file
                                             descriptors per process.

     passwordtime      time                  Used by passwd(1) to set next
                                             password expiry date.

     password-warn     time       2w         If the user's password will
                                             expire within this length of time
                                             then warn the user of this.

     path              path       /bin /usr/bin
                                             Default search path.

     priority          number                Initial priority (nice) level.

     requirehome       bool       false      Require home directory to login.

     sbsize            size                  Maximum socket buffer size limit.

     setenv            list                  Comma or whitespace separated
                                             list of environment variables and
                                             values to be set.  Commas and
                                             whitespace can be escaped using

     shell             program               Session shell to execute rather
                                             than the shell specified in the
                                             password file.  The SHELL
                                             environment variable will contain
                                             the shell specified in the
                                             password

     stacksize         size                  Maximum stack size limit.

     tc                string                A "continuation" entry, which
                                             must be the last capability
                                             provided.  More capabilities are
                                             read from the named entry.  The
                                             capabilities given before tc
                                             override those in the entry
                                             invoked by tc.

     term              string     su         Default terminal type if not able
                                             to determine from other means.

     umask             number     022        Initial umask.  Should always
                                             have a leading 0 to assure octal
                                             interpretation.  See umask(2).

     welcome           file       /etc/motd  File containing welcome message.
                                             login(1) displays this and
                                             sshd(8) sends this.
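
     The host.deny / host.allow rules from the table above, modelled as an
     added example for auditing a class's host lists (not NetBSD or sshd(8)
     code).  Assumptions not stated on this page: matching is
     case-insensitive, a `!' match anywhere in host.allow denies regardless
     of list order, and a host.allow list that matches nothing denies.

```python
import re

def _glob_to_regex(pattern):
    # Only the two wildcards the man page names: '*' and '?'.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Case-insensitive matching is an assumption of this example.
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def _split(value):
    return [e.strip() for e in (value or "").split(",") if e.strip()]

def _match(host_ids, entry):
    """+1 for a plain match, -1 for a match on a '!' pattern, 0 for none."""
    negated = entry.startswith("!")
    rx = _glob_to_regex(entry[1:] if negated else entry)
    if any(rx.match(h) for h in host_ids):
        return -1 if negated else 1
    return 0

def host_permitted(hostname, ipaddr, deny=None, allow=None):
    """Evaluate one connection against a class's host.deny and host.allow."""
    ids = [hostname, ipaddr]
    # host.deny is checked first; a matched '!' pattern is ignored there.
    if any(_match(ids, e) > 0 for e in _split(deny)):
        return False
    if allow is None:
        return True  # no allow list configured for the class
    results = [_match(ids, e) for e in _split(allow)]
    if any(r < 0 for r in results):
        return False  # host named with '!' in host.allow
    # Assumption: an allow list that exists but does not match denies.
    return any(r > 0 for r in results)
```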

     The resource limit entries (coredumpsize, cputime, datasize, filesize,
     maxproc, memorylocked, memoryuse, openfiles, sbsize, and stacksize)
     actually specify both the maximum and current limits (see getrlimit(2)).
     The current limit is the one normally used, although the user is
     permitted to increase the current limit to the maximum limit.  The
     maximum and current limits may be specified individually by appending a
     `-max' or `-cur' to the capability name (e.g., openfiles-max and
     openfiles-cur).
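
     The tc continuation rule from the capability table, as an added example
     (not NetBSD code) that resolves the effective capabilities of a class,
     including separately specified -cur and -max limits.  The sample
     entries, class names and the helper names parse_capfile and resolve are
     constructed for illustration; the parser is simplified and does not
     handle escaped `:' characters.

```python
import re

# Constructed sample in capfile(5) layout; class names and values are made up.
SAMPLE = r"""
default|Default class:\
    :path=/usr/bin /bin:\
    :umask=022:\
    :openfiles-cur=128:\
    :openfiles-max=1024:

staff|Staff accounts:\
    :umask=027:\
    :ignorenologin:\
    :tc=default:
"""

def parse_capfile(text):
    """Return {class: [(capability, value), ...]}; booleans get True.
    Simplified: no support for escaped ':' inside values."""
    classes = {}
    joined = re.sub(r"\\\n\s*", "", text)  # fold continuation lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, *fields = line.split(":")
        caps = []
        for field in (f.strip() for f in fields):
            if field:
                key, sep, val = field.partition("=")
                caps.append((key, val if sep else True))
        classes[names.split("|")[0]] = caps
    return classes

def resolve(classes, name, seen=()):
    """Effective capabilities of a class after following tc."""
    if name in seen:
        raise ValueError("tc loop: " + " -> ".join(seen + (name,)))
    effective = {}
    for key, val in classes[name]:
        if key == "tc":
            # Entries already collected win over the continuation's.
            for k, v in resolve(classes, val, seen + (name,)).items():
                effective.setdefault(k, v)
            break  # tc must be the last capability
        effective.setdefault(key, val)
    return effective
```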

     NetBSD will never define capabilities which start with x- or X-; these
     are reserved for external use (unless included through contributed soft-

     The argument types are defined as:

     bool       If the name is present, then the boolean value is true;
                otherwise, it is false.

     file       Path name to a text file.

     list       A comma or whitespace separated list of values.

     number     A number.  A leading 0x implies the number is expressed in
                hexadecimal.  A leading 0 implies the number is expressed in
                octal.  Any other number is treated as decimal.

     path       A space separated list of path names.  If a `~' is the first
                character in the path name, the `~' is expanded to the user's
                home directory.

     program    A path name to a program.

     size       A number which expresses a size in bytes.  It may have a
                trailing b to multiply the value by 512, a k to multiply the
                value by 1 K (1024), and a m to multiply the value by 1 M

     time       A time in seconds.  A time may be expressed as a series of
                numbers which are added together.  Each number may have a
                trailing character to represent time units:

                y    Indicates a number of 365 day years.

                w    Indicates a number of 7 day weeks.

                d    Indicates a number of 24 hour days.

                h    Indicates a number of 60 minute hours.

                m    Indicates a number of 60 second minutes.

                s    Indicates a number of seconds.

                For example, to indicate 1 and 1/2 hours, the following string
                could be used: 1h30m.
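
     The number, size and time types above, as an added example (not
     login_cap(3) code) that shows why umask needs its leading 0.  Function
     names are hypothetical; sizes accept only the b, k and m suffixes listed
     on this page and are read as decimal, which is an assumption.

```python
import re

def parse_number(text):
    """number type: 0x prefix is hex, leading 0 is octal, otherwise decimal."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)

SIZE_UNITS = {"": 1, "b": 512, "k": 1024, "m": 1024 * 1024}

def parse_size(text):
    """size type: bytes, with an optional trailing b, k or m multiplier."""
    m = re.fullmatch(r"(\d+)([bkm]?)", text)
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]

TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400,
              "w": 7 * 86400, "y": 365 * 86400}

def parse_time(text):
    """time type: a series of numbers with unit suffixes, added together."""
    # Every term except an optional last one must carry a unit letter.
    if not text or not re.fullmatch(r"(?:\d+[ywdhms])*\d*", text):
        raise ValueError("bad time: %r" % text)
    terms = re.findall(r"(\d+)([ywdhms]?)", text)
    return sum(int(n) * TIME_UNITS[u] for n, u in terms)

def created_mode(umask_value, requested=0o666):
    """Permission bits a new file gets under the given umask capability."""
    return requested & ~parse_number(umask_value)

# umask=077 is octal and yields 0600; umask=77 is read as decimal 77
# (octal 0115) and leaves new files world-writable (0662).
STRICT = created_mode("077")
MISTYPED = created_mode("77")
```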

     /etc/login.conf     login class capability database
     /etc/login.conf.db  hashed database built with cap_mkdb(1)

     cap_mkdb(1), login(1), login_cap(3), capfile(5), ttys(5), ftpd(8),

     The login.conf configuration file appeared in NetBSD 1.5.

NetBSD 7.0                       June 29, 2013                      NetBSD 7.0
