Date: Mon, 24 Feb 2003 14:37:18 -0800
From: David Schultz
To: doc@FreeBSD.ORG
Subject: removing unimplemented options from login.conf.5
Message-ID: <20030224223718.GB9747@HAL9000.homeunix.com>

This has been a thorn in my side for some time now. A large chunk
of the options listed in the login.conf(5) manpage are poorly
documented, and aren't even supported in the base system. My
original intent was to add a sentence saying that some of them are
supported in ports, but referring to ports from a system manpage is
kludgy, and I could only find one option supported in ports anyway.
So my new plan is to simply nix from login.conf(5) all of the
options that don't work. What do people think of the following
patch (which has some other stuff in it as well)?

- Document the fact that we now use pam_passwdqc(8) to check
  password quality, not login.conf(5).

- Move warnexpire and warnpasswd from the ``Accounting Limits''
  section to ``Authentication'', and nix everything else in the
  former section. The accounting knobs are not available in the
  base system, and the subset of them available in ports should be
  documented in the ports' manpages.

Index: login.conf.5 =================================================================== RCS file: /cvs/src/lib/libutil/login.conf.5,v retrieving revision 1.44 diff -u -u -r1.44 login.conf.5 --- login.conf.5 2002/11/22 22:22:10 1.44 +++ login.conf.5 2003/02/24 13:07:45 
@@ -39,6 +39,8 @@ environment and to enforce policy, accounting and administrative restrictions. It also provides the means by which users are able to be authenticated to the system and the types of authentication available. +Attributes in addition to the ones described here are available with +third-party packages. .Pp A special record "default" in the system user class capability database .Pa /etc/login.conf @@ -205,7 +207,7 @@ .It "welcome file /etc/motd File containing welcome message. .El .Sh AUTHENTICATION -.Bl -column minpasswordlen indent indent +.Bl -column passwd_prompt indent indent .It Sy "Name Type Notes Description .\" .It "approve program Program to approve login. .It "copyright file File containing additional copyright information @@ -215,11 +217,6 @@ in the class may not access. .It "login_prompt string The login prompt given by .Xr login 1 -.It "minpasswordlen number 6 The minimum length a local password -may be. -.It "mixpasswordcase bool true Whether -.Xr passwd 1 -will warn the user if an all lower case password is entered. .It "passwd_format string md5 The encryption format that new or changed passwords will use. Valid values include "des", "md5" and "blf". @@ -236,6 +233,8 @@ in the class may use for access. .It "ttys.deny list List of ttys and ttygroups which users in the class may not use for access. +.It "warnexpire time Advance notice for pending account expiry. +.It "warnpassword time Advance notice for pending password expiry. .\".It "widepasswords bool false Use the wide password format. The wide password .\" format allows up to 128 significant characters in the password. .El 
@@ -324,60 +323,17 @@ devices in the group. If both lists are given and are non-empty, the user is restricted to those devices allowed by ttys.allow that are not available by ttys.deny. -.Sh ACCOUNTING LIMITS -.Bl -column host.accounted indent indent -.It Sy "Name Type Notes Description -.It "accounted bool false Enable session time accounting for all users -in this class. -.It "autodelete time Time after expiry when account is auto-deleted. -.It "bootfull bool false Enable 'boot only if ttygroup is full' strategy -when terminating sessions. -.It "daytime time Maximum login time per day. -.It "expireperiod time Time for expiry allocation. -.It "graceexpire time Grace days for expired account. -.It "gracetime time Additional grace login time allowed. -.It "host.accounted list List of remote host wildcards from which -login sessions will be accounted. -.It "host.exempt list List of remote host wildcards from which -login session accounting is exempted. -.It "idletime time Maximum idle time before logout. -.It "monthtime time Maximum login time per month. -.It "passwordtime time Used by -.Xr passwd 1 -to set next password expiry date. -.It "refreshtime time New time allowed on account refresh. -.It "refreshperiod str How often account time is refreshed. -.It "sessiontime time Maximum login time per session. -.It "sessionlimit number Maximum number of concurrent -login sessions on ttys in any group. -.It "ttys.accounted list List of ttys and ttygroups for which -login accounting is active. -.It "ttys.exempt list List of ttys and ttygroups for which login accounting -is exempt. -.It "warnexpire time Advance notice for pending account expiry. -.It "warnpassword time Advance notice for pending password expiry. -.It "warntime time Advance notice for pending out-of-time. -.It "weektime time Maximum login time per week. -.El -.Pp -These fields are used by the time accounting system, which regulates, -controls and records user login access. 
.Pp The -.Em ttys.accounted -and -.Em ttys.exempt -fields operate in a similar manner to -.Em ttys.allow +.Em minpasswordlen and -.Em ttys.deny -as explained -above. -Similarly with the -.Em host.accounted -and -.Em host.exempt -lists. +.Em minpasswordcase +facilities for enforcing restrictions on password quality, which used +to be supported by +.Nm , +have been superseded by the +.Xr pam_passwdqc 8 +PAM module. .Sh SEE ALSO .Xr cap_mkdb 1 , .Xr login 1 , @@ -385,5 +341,7 @@ .Xr getttyent 3 , .Xr login_cap 3 , .Xr login_class 3 , +.Xr pam 3 , .Xr passwd 5 , -.Xr ttys 5 +.Xr ttys 5 , +.Xr pam_passwdqc 8 ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
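
Review bot: The sentence added in the @@ -39,6 +39,8 @@ hunk ("Attributes in addition to the ones described here are available with third-party packages.") gives the reader nowhere to look: it names neither the attributes nor the place they are documented. Either say that such attributes are described in the manual pages of the packages that implement them, or drop the sentence, since the cover message itself calls referring to ports from a system manpage kludgy and reports finding only one such option.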
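
Review bot: The warnexpire and warnpassword entries added after ttys.deny in the @@ -236,6 +233,8 @@ hunk leave the Notes column empty, so an administrator cannot tell from the table what advance notice applies when the capability is unset. If there is a default, put it in the Notes column as the neighbouring passwd_format entry does. The cover message also calls the second option "warnpasswd" while the entry reads "warnpassword"; the commit log should use the name as it appears in the table.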
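
Review bot: The paragraph added in the @@ -324,60 +323,17 @@ hunk names ".Em minpasswordcase", but the capability removed from the AUTHENTICATION table in the @@ -215,11 +217,6 @@ hunk is "mixpasswordcase"; the new text should use that spelling so a search for the old option name finds the pointer to pam_passwdqc(8). The paragraph also says only that the two capabilities "have been superseded". If, as the cover message states, login.conf(5) is no longer used to check password quality, say explicitly that these settings are not honoured when still present in login.conf, so that a site relying on them for a minimum password length knows the check must now be configured through pam_passwdqc(8).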