aboutsummaryrefslogtreecommitdiffstats
path: root/deployment/shadow
diff options
context:
space:
mode:
Diffstat (limited to 'deployment/shadow')
-rw-r--r--deployment/shadow/files/login.defs193
-rw-r--r--deployment/shadow/manifests/init.pp8
2 files changed, 201 insertions, 0 deletions
diff --git a/deployment/shadow/files/login.defs b/deployment/shadow/files/login.defs
new file mode 100644
index 00000000..b689cb2e
--- /dev/null
+++ b/deployment/shadow/files/login.defs
@@ -0,0 +1,193 @@
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+# QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR Maildir
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+#PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 500
+UID_MAX 60000
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 500
+GID_MAX 60000
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+# USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is ORed with the -m flag on
+# useradd command line.
+#
+CREATE_HOME yes
+
+#
+# The password hashing method and iteration count to use for group
+# passwords that may be set with gpasswd(1).
+#
+CRYPT_PREFIX $2a$
+CRYPT_ROUNDS 8
+
+#
+# Whether to use tcb password shadowing scheme. Use 'yes' if using
+# tcb and 'no' if using /etc/shadow
+#
+USE_TCB no
+
+#
+# Whether newly created tcb-style shadow files should be readable by
+# group "auth".
+#
+TCB_AUTH_GROUP yes
+
+#
+# Whether useradd should create symlinks rather than directories under
+# /etc/tcb for newly created accounts with UIDs over 1000. See tcb(5)
+# for information on why this may be needed.
+#
+TCB_SYMLINKS no
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY 3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# UMASK Default "umask" value.
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+UMASK 022
+#ULIMIT 2097152
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
diff --git a/deployment/shadow/manifests/init.pp b/deployment/shadow/manifests/init.pp
new file mode 100644
index 00000000..1205c085
--- /dev/null
+++ b/deployment/shadow/manifests/init.pp
@@ -0,0 +1,8 @@
+class shadow {
+ file {"/etc/login.defs":
+ owner => 'root',
+ group => 'shadow',
+ mode => 640,
+ source => 'shadow/login.defs',
+ }
+}