A Puppet module for managing and configuring /etc/login.defs on CentOS, Debian, RedHat, Ubuntu, Rocky and AlmaLinux.

Source available on GitHub

Example Usage

Include the class and explicitly define the ownership:

class { 'login_defs':
owner => 0,
group => 0,
mode => '0644',
}

This will manage /etc/login.defs using the default configuration supplied by supported distributions.

Example Hiera configuration using rules commonly referred to in CIS benchmarks:

login_defs::options:
UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd

UMASK:
value: '022'

PASS_MAX_DAYS:
value: 60
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 1
PASS_WARN_AGE:
value: 14

USERGROUPS_ENAB:
value: 'yes'
comment: |-
Enable setting of the umask group bits to be the same as owner bits
(examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
the same as gid, and username is the same as the primary group name.

If set to yes, userdel will remove the user's group if it contains no
more members, and useradd will create by default a group with the name
of the user.

Default Configuration

---
lookup_options:
'login_defs::^(.*)$':
merge:
strategy: deep

login_defs::package_manage: false
---
login_defs::package_name: login
---
login_defs::options:
MAIL_DIR:
value: /var/mail
comment: |-
This is a temporary situation: setting these variables will soon
move to /etc/default/useradd and the variables will then be
no more supported

MAIL_FILE:
value: .mail
enabled: false

FAILLOG_ENAB:
value: 'yes'
comment: |-
Enable logging and display of /var/log/faillog login failure info.
This option conflicts with the pam_tally PAM module.

LOG_UNKFAIL_ENAB:
value: 'no'
comment: |-
Enable display of unknown usernames when login failures are recorded.

WARNING: Unknown usernames may become world readable.
See #290803 and #298773 for details about how this could become a security
concern

LOG_OK_LOGINS:
value: 'no'
comment: |-
Enable logging of successful logins

SYSLOG_SU_ENAB:
value: 'yes'
comment: |-
Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SG_ENAB does the same for newgrp and sg.
SYSLOG_SG_ENAB:
value: 'yes'

SULOG_FILE:
value: /var/log/sulog
enabled: false
comment: |-
If defined, all su activity is logged to this file.

TTYTYPE_FILE:
value: /etc/ttytype
enabled: false
comment: |-
If defined, file which maps tty line to TERM environment parameter.
Each line of the file is in a format something like "vt100 tty01".

FTMP_FILE:
value: /var/log/btmp
comment: |-
If defined, login failures will be logged here in a utmp format
last, when invoked as lastb, will read /var/log/btmp, so...

SU_NAME:
value: su
comment: |-
If defined, the command name to display when running "su -". For
example, if this is defined as "su" then a "ps" will display the
command is "-su". If not defined, then "ps" would display the
name of the shell actually being run, e.g. something like "-sh".

HUSHLOGIN_FILE:
value: .hushlogin
comment: |-
If defined, file which inhibits all the usual chatter during the login
sequence. If a full pathname, then hushed mode will be enabled if the
user's name or shell are found in the file. If not a full pathname, then
hushed mode will be enabled if the file exists in the user's home directory.

ENV_SUPATH:
value: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
comment: |-
*REQUIRED* The default PATH settings, for superuser and normal users.

(they are minimal, add the rest in the shell startup files)
ENV_PATH:
value: PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

TTYGROUP:
value: tty
comment: |-
Terminal permissions

TTYGROUP Login tty will be assigned this group ownership.
TTYPERM Login tty will be set to this permission.

If you have a "write" program which is "setgid" to a special group
which owns the terminals, define TTYGROUP to the group number and
TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
TTYPERM to either 622 or 600.

In Debian /usr/bin/bsd-write or similar programs are setgid tty
However, the default and recommended value for TTYPERM is still 0600
to not allow anyone to write to anyone else console or terminal

Users can still allow other people to write them by issuing
the "mesg y" command.
TTYPERM:
value: '0600'

ERASECHAR:
value: '0177'
comment: |-
Login configuration initializations:

ERASECHAR Terminal ERASE character ('\010' = backspace).
KILLCHAR Terminal KILL character ('\025' = CTRL/U).
UMASK Default "umask" value.

The ERASECHAR and KILLCHAR are used only on System V machines.

UMASK is the default umask value for pam_umask and is used by
useradd and newusers to set the mode of the new home directories.
022 is the "historical" value in Debian for UMASK
027, or even 077, could be considered better for privacy
There is no One True Answer here : each sysadmin must make up his/her
mind.

If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
for private user groups, i. e. the uid is the same as gid, and username is
the same as the primary group name: for these, the user permissions will be
used as group permissions, e. g. 022 will become 002.

Prefix these values with "0" to get octal, "0x" to get hexadecimal.
KILLCHAR:
value: '025'
UMASK:
value: '022'

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_UID_MAX:
value: 999
enabled: false

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_GID_MAX:
value: 999
enabled: false

LOGIN_RETRIES:
value: 5
comment: |-
Max number of login retries if password is bad. This will most likely be
overriden by PAM, since the default pam_unix module has it's own built
in of 3 retries. However, this is a safe fallback in case you are using
an authentication module that does not enforce PAM_MAXTRIES.

LOGIN_TIMEOUT:
value: 60
comment: Max time in seconds for login

CHFN_RESTRICT:
value: rwh
comment: |-
Which fields may be changed by regular users using chfn - use
any combination of letters "frwh" (full name, room number, work
phone, home phone). If not defined, no changes are allowed.
For backward compatibility, "yes" = "rwh" and "no" = "frwh".

DEFAULT_HOME:
value: 'yes'
comment: |-
Should login be allowed if we can't cd to the home directory?
Default in no.

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

USERGROUPS_ENAB:
value: 'yes'
comment: |-
If set to yes, userdel will remove the user's group if it contains no
more members, and useradd will create by default a group with the name
of the user.

Other former uses of this variable such as setting the umask when
user==primary group are not used in PAM environments, such as Debian

FAKE_SHELL:
value: /bin/fakeshell
enabled: false
comment: |-
Instead of the real user shell, the program specified by this parameter
will be launched, although its visible name (argv[0]) will be the shell's.
The program may do whatever it wants (logging, additional authentification,
banner, ...) before running the actual shell.

CONSOLE:
value: /etc/consoles
enabled: false
comment: |-
If defined, either full pathname of a file containing device names or
a ":" delimited list of device names. Root logins will be allowed only
upon these devices.

This variable is used by login and su.

CONSOLE_GROUPS:
value: 'floppy:audio:cdrom'
enabled: false
comment: |-
List of groups to add to the user's supplementary group set
when logging in on the console (as determined by the CONSOLE
setting). Default is none.

Use with caution - it is possible for users to gain permanent
access to these groups, even when not logged in on the console.
How to do it is left as an exercise for the reader...

This variable is used by login and su.

MD5_CRYPT_ENAB:
value: 'no'
enabled: false
comment: |-
If set to "yes", new passwords will be encrypted using the MD5-based
algorithm compatible with the one used by recent releases of FreeBSD.
It supports passwords of unlimited length and longer salt strings.
Set to "no" if you need to copy encrypted passwords to other systems
which don't understand the new algorithm. Default is "no".

This variable is deprecated. You should use ENCRYPT_METHOD.

ENCRYPT_METHOD:
value: SHA512
comment: |-
If set to MD5 , MD5-based algorithm will be used for encrypting password
If set to SHA256, SHA256-based algorithm will be used for encrypting password
If set to SHA512, SHA512-based algorithm will be used for encrypting password
If set to DES, DES-based algorithm will be used for encrypting password (default)
Overrides the MD5_CRYPT_ENAB option

Note: It is recommended to use a value consistent with
the PAM modules configuration.

SHA_CRYPT_MIN_ROUNDS:
value: 5000
enabled: false
comment: |-
Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

Define the number of SHA rounds.
With a lot of rounds, it is more difficult to brute forcing the password.
But note also that it more CPU resources will be needed to authenticate
users.

If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the MIN or MAX values is set, then this value will be used.
If MIN > MAX, the highest value will be used.
SHA_CRYPT_MAX_ROUNDS:
value: 5000
enabled: false
---
login_defs::options:
MAIL_DIR:
value: /var/mail
comment: |-
This is a temporary situation: setting these variables will soon
move to /etc/default/useradd and the variables will then be
no more supported

MAIL_FILE:
value: .mail
enabled: false

FAILLOG_ENAB:
value: 'yes'
comment: |-
Enable logging and display of /var/log/faillog login failure info.
This option conflicts with the pam_tally PAM module.

LOG_UNKFAIL_ENAB:
value: 'no'
comment: |-
Enable display of unknown usernames when login failures are recorded.

WARNING: Unknown usernames may become world readable.
See #290803 and #298773 for details about how this could become a security
concern

LOG_OK_LOGINS:
value: 'no'
comment: |-
Enable logging of successful logins

SYSLOG_SU_ENAB:
value: 'yes'
comment: |-
Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SG_ENAB does the same for newgrp and sg.
SYSLOG_SG_ENAB:
value: 'yes'

SULOG_FILE:
value: /var/log/sulog
enabled: false
comment: |-
If defined, all su activity is logged to this file.

TTYTYPE_FILE:
value: /etc/ttytype
enabled: false
comment: |-
If defined, file which maps tty line to TERM environment parameter.
Each line of the file is in a format something like "vt100 tty01".

FTMP_FILE:
value: /var/log/btmp
comment: |-
If defined, login failures will be logged here in a utmp format
last, when invoked as lastb, will read /var/log/btmp, so...

SU_NAME:
value: su
comment: |-
If defined, the command name to display when running "su -". For
example, if this is defined as "su" then a "ps" will display the
command is "-su". If not defined, then "ps" would display the
name of the shell actually being run, e.g. something like "-sh".

HUSHLOGIN_FILE:
value: .hushlogin
comment: |-
If defined, file which inhibits all the usual chatter during the login
sequence. If a full pathname, then hushed mode will be enabled if the
user's name or shell are found in the file. If not a full pathname, then
hushed mode will be enabled if the file exists in the user's home directory.

ENV_SUPATH:
value: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
comment: |-
*REQUIRED* The default PATH settings, for superuser and normal users.

(they are minimal, add the rest in the shell startup files)
ENV_PATH:
value: PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

TTYGROUP:
value: tty
comment: |-
Terminal permissions

TTYGROUP Login tty will be assigned this group ownership.
TTYPERM Login tty will be set to this permission.

If you have a "write" program which is "setgid" to a special group
which owns the terminals, define TTYGROUP to the group number and
TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
TTYPERM to either 622 or 600.

In Debian /usr/bin/bsd-write or similar programs are setgid tty
However, the default and recommended value for TTYPERM is still 0600
to not allow anyone to write to anyone else console or terminal

Users can still allow other people to write them by issuing
the "mesg y" command.
TTYPERM:
value: '0600'

ERASECHAR:
value: '0177'
comment: |-
Login configuration initializations:

ERASECHAR Terminal ERASE character ('\010' = backspace).
KILLCHAR Terminal KILL character ('\025' = CTRL/U).
UMASK Default "umask" value.

The ERASECHAR and KILLCHAR are used only on System V machines.

UMASK is the default umask value for pam_umask and is used by
useradd and newusers to set the mode of the new home directories.
022 is the "historical" value in Debian for UMASK
027, or even 077, could be considered better for privacy
There is no One True Answer here : each sysadmin must make up his/her
mind.

If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
for private user groups, i. e. the uid is the same as gid, and username is
the same as the primary group name: for these, the user permissions will be
used as group permissions, e. g. 022 will become 002.

Prefix these values with "0" to get octal, "0x" to get hexadecimal.
KILLCHAR:
value: '025'
UMASK:
value: '022'

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_UID_MAX:
value: 999
enabled: false

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_GID_MAX:
value: 999
enabled: false

LOGIN_RETRIES:
value: 5
comment: |-
Max number of login retries if password is bad. This will most likely be
overriden by PAM, since the default pam_unix module has it's own built
in of 3 retries. However, this is a safe fallback in case you are using
an authentication module that does not enforce PAM_MAXTRIES.

LOGIN_TIMEOUT:
value: 60
comment: Max time in seconds for login

CHFN_RESTRICT:
value: rwh
comment: |-
Which fields may be changed by regular users using chfn - use
any combination of letters "frwh" (full name, room number, work
phone, home phone). If not defined, no changes are allowed.
For backward compatibility, "yes" = "rwh" and "no" = "frwh".

DEFAULT_HOME:
value: 'yes'
comment: |-
Should login be allowed if we can't cd to the home directory?
Default in no.

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

USERGROUPS_ENAB:
value: 'yes'
comment: |-
If set to yes, userdel will remove the user's group if it contains no
more members, and useradd will create by default a group with the name
of the user.

Other former uses of this variable such as setting the umask when
user==primary group are not used in PAM environments, such as Debian

FAKE_SHELL:
value: /bin/fakeshell
enabled: false
comment: |-
Instead of the real user shell, the program specified by this parameter
will be launched, although its visible name (argv[0]) will be the shell's.
The program may do whatever it wants (logging, additional authentification,
banner, ...) before running the actual shell.

CONSOLE:
value: /etc/consoles
enabled: false
comment: |-
If defined, either full pathname of a file containing device names or
a ":" delimited list of device names. Root logins will be allowed only
upon these devices.

This variable is used by login and su.

CONSOLE_GROUPS:
value: 'floppy:audio:cdrom'
enabled: false
comment: |-
List of groups to add to the user's supplementary group set
when logging in on the console (as determined by the CONSOLE
setting). Default is none.

Use with caution - it is possible for users to gain permanent
access to these groups, even when not logged in on the console.
How to do it is left as an exercise for the reader...

This variable is used by login and su.

MD5_CRYPT_ENAB:
value: 'no'
enabled: false
comment: |-
If set to "yes", new passwords will be encrypted using the MD5-based
algorithm compatible with the one used by recent releases of FreeBSD.
It supports passwords of unlimited length and longer salt strings.
Set to "no" if you need to copy encrypted passwords to other systems
which don't understand the new algorithm. Default is "no".

This variable is deprecated. You should use ENCRYPT_METHOD.

ENCRYPT_METHOD:
value: SHA512
comment: |-
If set to MD5 , MD5-based algorithm will be used for encrypting password
If set to SHA256, SHA256-based algorithm will be used for encrypting password
If set to SHA512, SHA512-based algorithm will be used for encrypting password
If set to DES, DES-based algorithm will be used for encrypting password (default)
Overrides the MD5_CRYPT_ENAB option

Note: It is recommended to use a value consistent with
the PAM modules configuration.

SHA_CRYPT_MIN_ROUNDS:
value: 5000
enabled: false
comment: |-
Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

Define the number of SHA rounds.
With a lot of rounds, it is more difficult to brute forcing the password.
But note also that it more CPU resources will be needed to authenticate
users.

If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the MIN or MAX values is set, then this value will be used.
If MIN > MAX, the highest value will be used.
SHA_CRYPT_MAX_ROUNDS:
value: 5000
enabled: false
---
login_defs::options:
MAIL_DIR:
value: /var/mail
comment: |-
This is a temporary situation: setting these variables will soon
move to /etc/default/useradd and the variables will then be
no more supported

MAIL_FILE:
value: .mail
enabled: false

FAILLOG_ENAB:
value: 'yes'
comment: |-
Enable logging and display of /var/log/faillog login failure info.
This option conflicts with the pam_tally PAM module.

LOG_UNKFAIL_ENAB:
value: 'no'
comment: |-
Enable display of unknown usernames when login failures are recorded.

WARNING: Unknown usernames may become world readable.
See #290803 and #298773 for details about how this could become a security
concern

LOG_OK_LOGINS:
value: 'no'
comment: |-
Enable logging of successful logins

SYSLOG_SU_ENAB:
value: 'yes'
comment: |-
Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SG_ENAB does the same for newgrp and sg.
SYSLOG_SG_ENAB:
value: 'yes'

SULOG_FILE:
value: /var/log/sulog
enabled: false
comment: |-
If defined, all su activity is logged to this file.

TTYTYPE_FILE:
value: /etc/ttytype
enabled: false
comment: |-
If defined, file which maps tty line to TERM environment parameter.
Each line of the file is in a format something like "vt100 tty01".

FTMP_FILE:
value: /var/log/btmp
comment: |-
If defined, login failures will be logged here in a utmp format
last, when invoked as lastb, will read /var/log/btmp, so...

SU_NAME:
value: su
comment: |-
If defined, the command name to display when running "su -". For
example, if this is defined as "su" then a "ps" will display the
command is "-su". If not defined, then "ps" would display the
name of the shell actually being run, e.g. something like "-sh".

HUSHLOGIN_FILE:
value: .hushlogin
comment: |-
If defined, file which inhibits all the usual chatter during the login
sequence. If a full pathname, then hushed mode will be enabled if the
user's name or shell are found in the file. If not a full pathname, then
hushed mode will be enabled if the file exists in the user's home directory.

ENV_SUPATH:
value: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
comment: |-
*REQUIRED* The default PATH settings, for superuser and normal users.

(they are minimal, add the rest in the shell startup files)
ENV_PATH:
value: PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

TTYGROUP:
value: tty
comment: |-
Terminal permissions

TTYGROUP Login tty will be assigned this group ownership.
TTYPERM Login tty will be set to this permission.

If you have a "write" program which is "setgid" to a special group
which owns the terminals, define TTYGROUP to the group number and
TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
TTYPERM to either 622 or 600.

In Debian /usr/bin/bsd-write or similar programs are setgid tty
However, the default and recommended value for TTYPERM is still 0600
to not allow anyone to write to anyone else console or terminal

Users can still allow other people to write them by issuing
the "mesg y" command.
TTYPERM:
value: '0600'

ERASECHAR:
value: '0177'
comment: |-
Login configuration initializations:

ERASECHAR Terminal ERASE character ('\010' = backspace).
KILLCHAR Terminal KILL character ('\025' = CTRL/U).
UMASK Default "umask" value.

The ERASECHAR and KILLCHAR are used only on System V machines.

UMASK is the default umask value for pam_umask and is used by
useradd and newusers to set the mode of the new home directories.
022 is the "historical" value in Debian for UMASK
027, or even 077, could be considered better for privacy
There is no One True Answer here : each sysadmin must make up his/her
mind.

If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
for private user groups, i. e. the uid is the same as gid, and username is
the same as the primary group name: for these, the user permissions will be
used as group permissions, e. g. 022 will become 002.

Prefix these values with "0" to get octal, "0x" to get hexadecimal.
KILLCHAR:
value: '025'
UMASK:
value: '022'

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_UID_MAX:
value: 999
enabled: false

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_GID_MAX:
value: 999
enabled: false

LOGIN_RETRIES:
value: 5
comment: |-
Max number of login retries if password is bad. This will most likely be
overriden by PAM, since the default pam_unix module has it's own built
in of 3 retries. However, this is a safe fallback in case you are using
an authentication module that does not enforce PAM_MAXTRIES.

LOGIN_TIMEOUT:
value: 60
comment: Max time in seconds for login

CHFN_RESTRICT:
value: rwh
comment: |-
Which fields may be changed by regular users using chfn - use
any combination of letters "frwh" (full name, room number, work
phone, home phone). If not defined, no changes are allowed.
For backward compatibility, "yes" = "rwh" and "no" = "frwh".

DEFAULT_HOME:
value: 'yes'
comment: |-
Should login be allowed if we can't cd to the home directory?
Default in no.

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

USERGROUPS_ENAB:
value: 'yes'
comment: |-
Enable setting of the umask group bits to be the same as owner bits
(examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
the same as gid, and username is the same as the primary group name.

If set to yes, userdel will remove the user's group if it contains no
more members, and useradd will create by default a group with the name
of the user.

FAKE_SHELL:
value: /bin/fakeshell
enabled: false
comment: |-
Instead of the real user shell, the program specified by this parameter
will be launched, although its visible name (argv[0]) will be the shell's.
The program may do whatever it wants (logging, additional authentification,
banner, ...) before running the actual shell.

CONSOLE:
value: /etc/consoles
enabled: false
comment: |-
If defined, either full pathname of a file containing device names or
a ":" delimited list of device names. Root logins will be allowed only
upon these devices.

This variable is used by login and su.

CONSOLE_GROUPS:
value: 'floppy:audio:cdrom'
enabled: false
comment: |-
List of groups to add to the user's supplementary group set
when logging in on the console (as determined by the CONSOLE
setting). Default is none.

Use with caution - it is possible for users to gain permanent
access to these groups, even when not logged in on the console.
How to do it is left as an exercise for the reader...

This variable is used by login and su.

MD5_CRYPT_ENAB:
value: 'no'
enabled: false
comment: |-
If set to "yes", new passwords will be encrypted using the MD5-based
algorithm compatible with the one used by recent releases of FreeBSD.
It supports passwords of unlimited length and longer salt strings.
Set to "no" if you need to copy encrypted passwords to other systems
which don't understand the new algorithm. Default is "no".

This variable is deprecated. You should use ENCRYPT_METHOD.

ENCRYPT_METHOD:
value: SHA512
comment: |-
If set to MD5 , MD5-based algorithm will be used for encrypting password
If set to SHA256, SHA256-based algorithm will be used for encrypting password
If set to SHA512, SHA512-based algorithm will be used for encrypting password
If set to DES, DES-based algorithm will be used for encrypting password (default)
Overrides the MD5_CRYPT_ENAB option

Note: It is recommended to use a value consistent with
the PAM modules configuration.

SHA_CRYPT_MIN_ROUNDS:
value: 5000
enabled: false
comment: |-
Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

Define the number of SHA rounds.
With a lot of rounds, it is more difficult to brute forcing the password.
But note also that it more CPU resources will be needed to authenticate
users.

If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the MIN or MAX values is set, then this value will be used.
If MIN > MAX, the highest value will be used.
SHA_CRYPT_MAX_ROUNDS:
value: 5000
enabled: false
---
login_defs::options:
MAIL_DIR:
value: /var/mail
comment: |-
This is a temporary situation: setting these variables will soon
move to /etc/default/useradd and the variables will then be
no more supported

MAIL_FILE:
value: .mail
enabled: false

FAILLOG_ENAB:
value: 'yes'
comment: |-
Enable logging and display of /var/log/faillog login failure info.
This option conflicts with the pam_tally PAM module.

LOG_UNKFAIL_ENAB:
value: 'no'
comment: |-
Enable display of unknown usernames when login failures are recorded.

WARNING: Unknown usernames may become world readable.
See #290803 and #298773 for details about how this could become a security
concern

LOG_OK_LOGINS:
value: 'no'
comment: |-
Enable logging of successful logins

SYSLOG_SU_ENAB:
value: 'yes'
comment: |-
Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SG_ENAB does the same for newgrp and sg.
SYSLOG_SG_ENAB:
value: 'yes'

SULOG_FILE:
value: /var/log/sulog
enabled: false
comment: |-
If defined, all su activity is logged to this file.

TTYTYPE_FILE:
value: /etc/ttytype
enabled: false
comment: |-
If defined, file which maps tty line to TERM environment parameter.
Each line of the file is in a format something like "vt100 tty01".

FTMP_FILE:
value: /var/log/btmp
comment: |-
If defined, login failures will be logged here in a utmp format
last, when invoked as lastb, will read /var/log/btmp, so...

SU_NAME:
value: su
comment: |-
If defined, the command name to display when running "su -". For
example, if this is defined as "su" then a "ps" will display the
command is "-su". If not defined, then "ps" would display the
name of the shell actually being run, e.g. something like "-sh".

HUSHLOGIN_FILE:
value: .hushlogin
comment: |-
If defined, file which inhibits all the usual chatter during the login
sequence. If a full pathname, then hushed mode will be enabled if the
user's name or shell are found in the file. If not a full pathname, then
hushed mode will be enabled if the file exists in the user's home directory.

ENV_SUPATH:
value: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
comment: |-
*REQUIRED* The default PATH settings, for superuser and normal users.

(they are minimal, add the rest in the shell startup files)
ENV_PATH:
value: PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

TTYGROUP:
value: tty
comment: |-
Terminal permissions

TTYGROUP Login tty will be assigned this group ownership.
TTYPERM Login tty will be set to this permission.

If you have a "write" program which is "setgid" to a special group
which owns the terminals, define TTYGROUP to the group number and
TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
TTYPERM to either 622 or 600.

In Debian /usr/bin/bsd-write or similar programs are setgid tty
However, the default and recommended value for TTYPERM is still 0600
to not allow anyone to write to anyone else console or terminal

Users can still allow other people to write them by issuing
the "mesg y" command.
TTYPERM:
value: '0600'

ERASECHAR:
value: '0177'
comment: |-
Login configuration initializations:

ERASECHAR Terminal ERASE character ('\010' = backspace).
KILLCHAR Terminal KILL character ('\025' = CTRL/U).
UMASK Default "umask" value.

The ERASECHAR and KILLCHAR are used only on System V machines.

UMASK is the default umask value for pam_umask and is used by
useradd and newusers to set the mode of the new home directories.
022 is the "historical" value in Debian for UMASK
027, or even 077, could be considered better for privacy
There is no One True Answer here : each sysadmin must make up his/her
mind.

If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
for private user groups, i. e. the uid is the same as gid, and username is
the same as the primary group name: for these, the user permissions will be
used as group permissions, e. g. 022 will become 002.

Prefix these values with "0" to get octal, "0x" to get hexadecimal.
KILLCHAR:
value: '025'
UMASK:
value: '022'

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_UID_MAX:
value: 999
enabled: false

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 100
enabled: false
comment: System accounts
SYS_GID_MAX:
value: 999
enabled: false

LOGIN_RETRIES:
value: 5
comment: |-
Max number of login retries if password is bad. This will most likely be
overriden by PAM, since the default pam_unix module has it's own built
in of 3 retries. However, this is a safe fallback in case you are using
an authentication module that does not enforce PAM_MAXTRIES.

LOGIN_TIMEOUT:
value: 60
comment: Max time in seconds for login

CHFN_RESTRICT:
value: rwh
comment: |-
Which fields may be changed by regular users using chfn - use
any combination of letters "frwh" (full name, room number, work
phone, home phone). If not defined, no changes are allowed.
For backward compatibility, "yes" = "rwh" and "no" = "frwh".

DEFAULT_HOME:
value: 'yes'
comment: |-
Should login be allowed if we can't cd to the home directory?
Default in no.

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

USERGROUPS_ENAB:
value: 'yes'
comment: |-
Enable setting of the umask group bits to be the same as owner bits
(examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
the same as gid, and username is the same as the primary group name.

If set to yes, userdel will remove the user's group if it contains no
more members, and useradd will create by default a group with the name
of the user.

FAKE_SHELL:
value: /bin/fakeshell
enabled: false
comment: |-
Instead of the real user shell, the program specified by this parameter
will be launched, although its visible name (argv[0]) will be the shell's.
The program may do whatever it wants (logging, additional authentification,
banner, ...) before running the actual shell.

CONSOLE:
value: /etc/consoles
enabled: false
comment: |-
If defined, either full pathname of a file containing device names or
a ":" delimited list of device names. Root logins will be allowed only
upon these devices.

This variable is used by login and su.

CONSOLE_GROUPS:
value: 'floppy:audio:cdrom'
enabled: false
comment: |-
List of groups to add to the user's supplementary group set
when logging in on the console (as determined by the CONSOLE
setting). Default is none.

Use with caution - it is possible for users to gain permanent
access to these groups, even when not logged in on the console.
How to do it is left as an exercise for the reader...

This variable is used by login and su.

MD5_CRYPT_ENAB:
value: 'no'
enabled: false
comment: |-
If set to "yes", new passwords will be encrypted using the MD5-based
algorithm compatible with the one used by recent releases of FreeBSD.
It supports passwords of unlimited length and longer salt strings.
Set to "no" if you need to copy encrypted passwords to other systems
which don't understand the new algorithm. Default is "no".

This variable is deprecated. You should use ENCRYPT_METHOD.

ENCRYPT_METHOD:
value: SHA512
comment: |-
If set to MD5 , MD5-based algorithm will be used for encrypting password
If set to SHA256, SHA256-based algorithm will be used for encrypting password
If set to SHA512, SHA512-based algorithm will be used for encrypting password
If set to DES, DES-based algorithm will be used for encrypting password (default)
Overrides the MD5_CRYPT_ENAB option

Note: It is recommended to use a value consistent with
the PAM modules configuration.

SHA_CRYPT_MIN_ROUNDS:
value: 5000
enabled: false
comment: |-
Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

Define the number of SHA rounds.
With a lot of rounds, it is more difficult to brute forcing the password.
But note also that it more CPU resources will be needed to authenticate
users.

If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the MIN or MAX values is set, then this value will be used.
If MIN > MAX, the highest value will be used.
SHA_CRYPT_MAX_ROUNDS:
value: 5000
enabled: false
---
login_defs::package_name: shadow-utils
login_defs::options:
QMAIL_DIR:
value: Maildir
enabled: false
comment: |-
*REQUIRED*
Directory where mailboxes reside, _or_ name of file, relative to the
home directory. If you _do_ define both, MAIL_DIR takes precedence.
QMAIL_DIR is for Qmail
MAIL_DIR:
value: /var/spool/mail
MAIL_FILE:
value: .mail
enabled: false

UMASK:
value: '022'
comment: |-
Default initial "umask" value used by login(1) on non-PAM enabled systems.
Default "umask" value for pam_umask(8) on PAM enabled systems.
UMASK is also used by useradd(8) and newusers(8) to set the mode for new
home directories if HOME_MODE is not set.
022 is the default value, but 027, or even 077, could be considered
for increased privacy. There is no One True Answer here: each sysadmin
must make up their mind.

HOME_MODE:
value: '0700'
comment: |-
HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
home directories.
If HOME_MODE is not set, the value of UMASK is used to create the mode.

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_MIN_LEN Minimum acceptable password length.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_MIN_LEN:
value: 5
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 201
comment: System accounts
SYS_UID_MAX:
value: 999

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 201
comment: System accounts
SYS_GID_MAX:
value: 999

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

CREATE_HOME:
value: 'yes'
comment: |-
If useradd should create home directories for users by default
On RH systems, we do. This option is overridden with the -m flag on
useradd command line.

USERGROUPS_ENAB:
value: 'yes'
comment: This enables userdel to remove user groups if no members exist.

ENCRYPT_METHOD:
value: 'SHA512'
comment: Use SHA512 to encrypt password
---
login_defs::options:
QMAIL_DIR:
value: Maildir
enabled: false
comment: |-
*REQUIRED*
Directory where mailboxes reside, _or_ name of file, relative to the
home directory. If you _do_ define both, MAIL_DIR takes precedence.
QMAIL_DIR is for Qmail
MAIL_DIR:
value: /var/spool/mail
MAIL_FILE:
value: .mail
enabled: false

PASS_MAX_DAYS:
value: 99999
comment: |-
Password aging controls:

PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_MIN_LEN Minimum acceptable password length.
PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MIN_DAYS:
value: 0
PASS_MIN_LEN:
value: 5
PASS_WARN_AGE:
value: 7

UID_MIN:
value: 1000
comment: Min/max values for automatic uid selection in useradd
UID_MAX:
value: 60000

SYS_UID_MIN:
value: 201
comment: System accounts
SYS_UID_MAX:
value: 999

GID_MIN:
value: 1000
comment: Min/max values for automatic gid selection in groupadd
GID_MAX:
value: 60000

SYS_GID_MIN:
value: 201
comment: System accounts
SYS_GID_MAX:
value: 999

USERDEL_CMD:
value: /usr/sbin/userdel_local
enabled: false
comment: |-
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).

CREATE_HOME:
value: 'yes'
comment: |-
If useradd should create home directories for users by default
On RH systems, we do. This option is overridden with the -m flag on
useradd command line.

UMASK:
value: '077'
comment: |-
The permission mask is initialized to this value. If not specified,
the permission mask will be initialized to 022.

USERGROUPS_ENAB:
value: 'yes'
comment: This enables userdel to remove user groups if no members exist.

ENCRYPT_METHOD:
value: 'SHA512'
comment: Use SHA512 to encrypt password

Change log

v1.1.0 (2022-11-24)

Full Changelog

Added

  • Add Ubuntu 22.04 support #6 (gibbs)

v1.0.0 (2022-07-13)

Full Changelog

Fixed

  • Explicitly set lint checks #5 (gibbs)

0.2.0 (2022-03-02)

Full Changelog

Added

  • Add hiera merge strategy and merge options for easier management #4 (gibbs)

0.1.0 (2022-03-01)

Full Changelog

Added

  • Add support for RedHat 8, CentOS 7, AlmaLinux 8 and Rocky 8. #3 (gibbs)
  • Add Debian 10/11 support #2 (gibbs)
  • Add Ubuntu 18.04 support #1 (gibbs)

Reference

Table of Contents

Classes

  • login_defs: Manage the configuration control definitions for the login package

Data types

Classes

login_defs

Manage the configuration control definitions for the login package

Parameters

The following parameters are available in the login_defs class:

options

Data type: Hash[String, Login_Defs::Option]

A hash of options to configure /etc/login.defs

Default value: undef

package_ensure

Data type: String

The login/shadow util package state to use when using $package_manage

Default value: 'installed'

package_manage

Data type: Boolean

Set to true to manage the login/shadow utility package

Default value: false

package_name

Data type: String[1]

The package name to use when managing the login/shadow utility package

Default value: undef

owner

Data type: Variant[String[1], Integer]

The owner to set on /etc/login.defs

Default value: 'root'

group

Data type: Variant[String[1], Integer]

The group to set on /etc/login.defs

Default value: 0

mode

Data type: String[3,4]

The mode to set on /etc/login.defs

Default value: '0644'

Data types

Login_Defs::Option

login.defs option

Alias of

Struct[{
Optional['comment'] => String,
Optional['enabled'] => Boolean,
'value' => Variant[String, Integer],
}]