Updated: 2022/Sep/29

LOGIN.CONF(5)                 File Formats Manual                LOGIN.CONF(5)

     login.conf - login class capability data base


     The login.conf file describes the various attributes of login classes.  A
     login class determines what styles of authentication are available as
     well as session resource limits and environment setup.  While designed
     primarily for the login(1) program, it is also used by other programs,
     e.g., rexecd(8), which need to set up a user environment.

     The class to be used is normally determined by the class field in the
     password file (see passwd(5)).  The class is used to look up a
     corresponding entry in the login.conf file.  A special class called
     "default" will be used (if it exists) if the field in the password file
     is empty.

     Refer to capfile(5) for a description of the file layout.  An example
     entry is:

           classname|Description entry:\

     All entries in the login.conf file are either boolean or use a `=' to
     separate the capability from the value.  The types are described after
     the capability table.

     Name              Type       Default    Description

     copyright         file                  File containing additional
                                             copyright information.  (If the
                                             file exists, login(1) displays it
                                             before the welcome message.)

     coredumpsize      size                  Maximum coredump size.

     cputime           time                  CPU usage limit.

     datasize          size                  Maximum data size.

     filesize          size                  Maximum file size.

     host.allow        string                A comma-separated list of host
                                             name or IP address patterns from
                                             which a class is allowed access.
                                             Access is instead denied from any
                                             hosts preceded by `!'.  Patterns
                                             can contain the sh(1)-style `*'
                                             and `?' wildcards.  The host.deny
                                             entry is checked before
                                             host.allow.  (Currently used only
                                             by sshd(8).)

     host.deny         string                A comma-separated list of host
                                             name or IP address patterns from
                                             which a class is denied access.
                                             Patterns as per host.allow,
                                             although a matched pattern that
                                             has been negated with `!' is
                                             ignored.  (Currently used only by

     hushlogin         bool       false      Same as having a $HOME/.hushlogin
                                             file.  See login(1).

     ignorenologin     bool       false      Not affected by nologin files.

     login-retries     number     10         Maximum number of login attempts

     login-backoff     number     3          Number of login attempts after
                                             which to start random back-off.

     maxproc           number                Maximum number of processes.

     maxthread         number                Maximum number of threads.  The
                                             first thread of each process is
                                             not counted against this.

     memorylocked      size                  Maximum locked in core memory

     memoryuse         size                  Maximum in core memoryuse size.

     minpasswordlen    number                The minimum length a local
                                             password may be.  Used by the
                                             passwd(1) utility.

     nologin           file                  If the file exists it will be
                                             displayed and the login session
                                             will be terminated.

     openfiles         number                Maximum number of open file
                                             descriptors per process.

     passwordtime      time                  Used by passwd(1) to set next
                                             password expiry date.

     password-warn     time       2w         If the user's password will
                                             expire within this length of time
                                             then warn the user of this.

     path              path       /bin /usr/bin
                                             Default search path.

     priority          number                Initial priority (nice) level.

     requirehome       bool       false      Require home directory to login.

     sbsize            size                  Maximum socket buffer size.

     setenv            list                  Comma or whitespace separated
                                             list of environment variables and
                                             values to be set.  Commas and
                                             whitespace can be escaped using

     shell             program               Session shell to execute rather
                                             than the shell specified in the
                                             password file.  The SHELL
                                             environment variable will contain
                                             the shell specified in the
                                             password file.

     stacksize         size                  Maximum stack size.

     tc                string                A "continuation" entry, which
                                             must be the last capability
                                             provided.  More capabilities are
                                             read from the named entry.  The
                                             capabilities given before tc
                                             override those in the entry
                                             invoked by tc.

     term              string     su         Default terminal type if not able
                                             to determine from other means.

     umask             number     022        Initial umask.  Should always
                                             have a leading 0 to assure octal
                                             interpretation.  See umask(2).

     vmemoryuse        size                  Maximum virtual address space

     welcome           file       /etc/motd  File containing welcome message.
                                             login(1) displays this and
                                             sshd(8) sends this.
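
     The host.deny and host.allow evaluation order described in the table, as an added Python sketch; it is not sshd(8) code. The function names and sample patterns are constructed. It assumes, beyond what the page states, that matching is case-insensitive, that the first matching host.allow pattern decides, and that a class with a host.allow list rejects hosts matching none of its patterns.

```python
import re

# Constructed sample values for one login class.
SAMPLE_DENY = "198.51.100.*"
SAMPLE_ALLOW = "!192.0.2.66,192.0.2.*,*.example.org"


def _matches(host, pattern):
    """Match one pattern; only the sh(1)-style `*` and `?` are wildcards."""
    rx = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host.lower()) is not None


def _split(cap):
    """Split a comma-separated capability value into (negated, pattern)."""
    items = [p.strip() for p in (cap or "").split(",") if p.strip()]
    return [(p.startswith("!"), p.lstrip("!")) for p in items]


def host_permitted(names, host_allow=None, host_deny=None):
    """names: the client's host name and/or IP address, as strings."""
    # host.deny is checked first; a matched pattern negated with `!`
    # is ignored there, so it can never deny.
    for negated, pat in _split(host_deny):
        if not negated and any(_matches(n, pat) for n in names):
            return False
    if host_allow is None:
        return True               # no allow list: nothing further to check
    # host.allow: a matching `!pattern` denies, a matching pattern allows.
    # Assumption: patterns are tried in list order, first match decides.
    for negated, pat in _split(host_allow):
        if any(_matches(n, pat) for n in names):
            return not negated
    return False                  # assumption: unlisted hosts are rejected


if __name__ == "__main__":
    for client in (["gw.example.org", "192.0.2.10"],
                   ["kiosk.example.org", "192.0.2.66"],
                   ["h.example.net", "198.51.100.7"]):
        print(client, host_permitted(client, SAMPLE_ALLOW, SAMPLE_DENY))
```

     Listing the `!' entries first in host.allow keeps the result the same whether the first match or any negated match decides.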

     The resource limit entries (coredumpsize, cputime, datasize, filesize,
     maxproc, memorylocked, memoryuse, openfiles, sbsize, stacksize and
     vmemoryuse) actually specify both the maximum and current limits (see
     getrlimit(2)).  The current limit is the one normally used, although the
     user is permitted to increase the current limit to the maximum limit.
     The maximum and current limits may be specified individually by appending
     a `-max' or `-cur' to the capability name (e.g., openfiles-max and

     NetBSD will never define capabilities which start with x- or X-; these
     are reserved for external use (unless included through contributed

     The argument types are defined as:

     bool       If the name is present, then the boolean value is true;
                otherwise, it is false.

     file       Path name to a text file.

     list       A comma or whitespace separated list of values.

     number     A number.  A leading 0x implies the number is expressed in
                hexadecimal.  A leading 0 implies the number is expressed in
                octal.  Any other number is treated as decimal.

     path       A space separated list of path names.  If a `~' is the first
                character in the path name, the `~' is expanded to the user's
                home directory.

     program    A path name to a program.

     size       A number which expresses a size in bytes.  It may have a
                trailing b to multiply the value by 512, a k to multiply the
                value by 1 K (1024), and a m to multiply the value by 1 M

     time       A time in seconds.  A time may be expressed as a series of
                numbers which are added together.  Each number may have a
                trailing character to represent time units:

                y    Indicates a number of 365 day years.

                w    Indicates a number of 7 day weeks.

                d    Indicates a number of 24 hour days.

                h    Indicates a number of 60 minute hours.

                m    Indicates a number of 60 second minutes.

                s    Indicates a number of seconds.

                For example, to indicate 1 and 1/2 hours, the following string
                could be used: 1h30m.

     /etc/login.conf     login class capability database
     /etc/login.conf.db  hashed database built with cap_mkdb(1)

     cap_mkdb(1), login(1), login_cap(3), capfile(5), ttys(5), ftpd(8),

     The login.conf configuration file appeared in NetBSD 1.5.

NetBSD 10.99                     July 11, 2015                    NetBSD 10.99