- NetBSD Manual Pages
LOGIN.CONF(5) NetBSD File Formats Manual LOGIN.CONF(5)
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.
login.conf -- login class capability data base
The login.conf file describes the various attributes of login classes. A
login class determines what styles of authentication are available as
well as session resource limits and environment setup. While designed
primarily for the login(1) program, it is also used by other programs,
e.g., rexecd(8), which need to set up a user environment.
The class to be used is normally determined by the class field in the
password file (see passwd(5)). The class is used to look up a corre-
sponding entry in the login.conf file. A special class called
``default'' will be used (if it exists) if the field in the password file
Refer to capfile(5) for a description of the file layout. An example
All entries in the login.conf file are either boolean or use a `=' to
separate the capability from the value. The types are described after
the capability table.
Name Type Default Description
copyright file File containing additional copy-
right information. (If the file
exists, login(1) displays it
before the welcome message.)
coredumpsize size Maximum coredump size.
cputime time CPU usage limit.
datasize size Maximum data size.
filesize size Maximum file size.
host.allow string A comma-separated list of host
name or IP address patterns from
which a class is allowed access.
Access is instead denied from any
hosts preceded by `!'. Patterns
can contain the sh(1)-style `*'
and `?' wildcards. The host.deny
entry is checked before
host.allow. (Currently used only
host.deny string A comma-separated list of host
name or IP address patterns from
which a class is denied access.
Patterns as per host.allow,
although a matched pattern that
has been negated with `!' is
ignored. (Currently used only by
hushlogin bool false Same as having a $HOME/.hushlogin
file. See login(1).
ignorenologin bool false Not affected by nologin files.
login-retries number 10 Maximum number of login attempts
login-backoff number 3 Number of login attempts after
which to start random back-off.
maxproc number Maximum number of processes.
maxthread number Maximum number of threads. The
first thread of each process is
not counted against this.
memorylocked size Maximum locked in core memory
memoryuse size Maximum in core memoryuse size.
minpasswordlen number The minimum length a local pass-
word may be. Used by the
nologin file If the file exists it will be
displayed and the login session
will be terminated.
openfiles number Maximum number of open file
descriptors per process.
passwordtime time Used by passwd(1) to set next
password expiry date.
password-warn time 2w If the user's password will
expire within this length of time
then warn the user of this.
path path /bin /usr/bin
Default search path.
priority number Initial priority (nice) level.
requirehome bool false Require home directory to login.
sbsize size Maximum socket buffer size.
setenv list Comma or whitespace separated
list of environment variables and
values to be set. Commas and
whitespace can be escaped using
shell program Session shell to execute rather
than the shell specified in the
password file. The SHELL envi-
ronment variable will contain the
shell specified in the password
stacksize size Maximum stack size.
tc string A "continuation" entry, which
must be the last capability pro-
vided. More capabilities are
read from the named entry. The
capabilities given before tc
override those in the entry
invoked by tc.
term string su Default terminal type if not able
to determine from other means.
umask number 022 Initial umask. Should always
have a leading 0 to assure octal
interpretation. See umask(2).
vmemoryuse size Maximum virtual address space
welcome file /etc/motd File containing welcome message.
login(1) displays this and
sshd(8) sends this.
The resource limit entries (coredumpsize, cputime, datasize, filesize,
maxproc, memorylocked, memoryuse, openfiles, sbsize, stacksize and
vmemoryuse) actually specify both the maximum and current limits (see
getrlimit(2)). The current limit is the one normally used, although the
user is permitted to increase the current limit to the maximum limit.
The maximum and current limits may be specified individually by appending
a `-max' or `-cur' to the capability name (e.g., openfiles-max and
NetBSD will never define capabilities which start with x- or X-; these
are reserved for external use (unless included through contributed soft-
The argument types are defined as:
bool If the name is present, then the boolean value is true; other-
wise, it is false.
file Path name to a text file.
list A comma or whitespace separated list of values.
number A number. A leading 0x implies the number is expressed in
hexadecimal. A leading 0 implies the number is expressed in
octal. Any other number is treated as decimal.
path A space separated list of path names. If a `~' is the first
character in the path name, the `~' is expanded to the user's
program A path name to program.
size A number which expresses a size in bytes. It may have a
trailing b to multiply the value by 512, a k to multiply the
value by 1 K (1024), and a m to multiply the value by 1 M
time A time in seconds. A time may be expressed as a series of
numbers which are added together. Each number may have a
trailing character to represent time units:
y Indicates a number of 365 day years.
w Indicates a number of 7 day weeks.
d Indicates a number of 24 hour days.
h Indicates a number of 60 minute hours.
m Indicates a number of 60 second minutes.
s Indicates a number of seconds.
For example, to indicate 1 and 1/2 hours, the following string
could be used: 1h30m.
/etc/login.conf login class capability database
/etc/login.conf.db hashed database built with cap_mkdb(1)
cap_mkdb(1), login(1), login_cap(3), capfile(5), ttys(5), ftpd(8),
The login.conf configuration file appeared in NetBSD 1.5.
NetBSD 9.3 July 11, 2015 NetBSD 9.3