Password setting policies

Introduction

1. Policies

1.1. Policies for password

You can define here what is acceptable as a password. You control the minimum length and the number of non-alpha characters. By forcing passwords made with other characters, you encourage the choice of better passwords (which are hard to guess and crack). Note that this is not effective on PAM-aware systems such as Red Hat. The PAM library has its own set of rules for accepting or rejecting a new password.

1.2. Private group

When this feature is enabled, Linuxconf will create a group with the same name as the user account, unless a group is specified. The dialog for a new account appears with the group field empty. When disabled, Linuxconf assigns a default group to new accounts (users). This feature is not effective for special accounts such as POP and PPP accounts, since those accounts are assigned to a specific group (popusers and pppusers). Note also that this feature does not prevent you from assigning the group you want to an account. If the group does not exist, you will have the opportunity to create it on the fly.

1.3. Default base directory for homes

Specify the base directory which will be used to create new user accounts. It defaults to /home.

1.4. Creation permissions

This controls how the home directories are created. You must enter an octal number representing three triplets. Each triplet represents the bits for read, write and execute (lookup). The first triplet sets the owner access; we generally enter 7 there (the owner has full access in his home directory). The second triplet represents the group access. The last triplet represents the access for everybody else. In general, a value of 750 is suitable. This means that the owner has full access and members of his group have read and lookup access.

1.5. Visibility flags

The following check-boxes control the visibility of some areas of the user account dialog.
This is intended to remove seldom used fields to help casual co-administrators. These check-boxes have no effect when Linuxconf is run by root directly.

1.5.1. Show the shadow parameters

This controls the visibility of the parameters defined in /etc/shadow. A complete section of a user account is either shown or hidden. The check-box is there to simplify the user account dialog, since the shadow parameters are seldom used.

1.5.2. Show the expiration date

This controls the visibility of one parameter defined in /etc/shadow. This field specifies the expiration date of the account. It is optional.

1.5.3. May change the HOME directory path

This check-box controls the visibility of the home directory field in the user account dialog. When this check-box is unset, the field is not accessible anymore. New accounts are always created in the default directory (you can set up one default directory per group) and the location can't be changed from Linuxconf. The check-box is there to simplify the user account dialog, since the home directory is seldom changed on a per-user basis. Note that the visibility of the account's numerical id is also controlled by this check-box.

1.5.4. May change the login shell

This check-box controls the visibility of the login shell field. It is there to simplify the user account dialog, especially in the case where the administrator has defined only one available shell.

1.5.5. May edit the disk quotas

This check-box controls the visibility of the disk quota section.

1.5.6. May edit the scheduled tasks

This controls the availability of the "tasks" button. This button lets you configure the crontab settings of the user accounts.

2. Account defaults

When using shadow passwords, you have control of both the password expiration date and the account expiration date. You can set defaults here. They will be used to set up new accounts. Note that this section only shows up if you have enabled shadow passwords. Some Linux distributions do not support shadow passwords.
Others do not install them by default. Linuxconf adapts to this situation on the fly.

3. User defined account management commands

When Linuxconf creates or deletes user accounts, it calls various scripts. You can override these scripts by entering the path to your own versions. You can also disable this process by erasing the path. Linuxconf provides default values for some of these scripts.

3.1. Command line arguments

Linuxconf always calls the scripts with the same command line. It is built from the following arguments.

  o --uid userid
    This is the userid of the new account.

  o --name full name
    This is the full name (the gecos field) of the account.

  o --basehome dir
    This is the directory where new accounts are created. This can be used by archiving commands to create archives. The sample accountarchive.sh (see the pre-delete command below) uses it to reach the oldaccounts subdirectory.

  o --home home_directory
    This is the home directory of the account. Note that the home is supplied without the leading /. It is supplied as a relative path. This helps commands such as tar, which complain when supplied with an absolute path. So doing a cd / at the beginning of your command is recommended.

  o --domain domain
    This is either / or the virtual e-mail domain. From this, the proper in-box mail file may be computed.

3.2. Delete account command

This command (if non-empty) is used to delete the account data: the HOME directory and the mail inbox folder. When you delete an account, a pop-up dialog lets you pick the proper action: archive the data, delete it or leave it in place. A default delete command is supplied, but you can define a new one.

3.3. Archive account command

A default archiving command is supplied. It preserves the HOME directory and the mail inbox folder in a compressed tar file. This file is stored in /home/oldaccounts. The name of the file has the following format:

  user-YYYY-MM-DD-PID.tar.gz

The PID is simply the process ID of the archive command.
This is used to make the name completely unique. Files archived in /home/oldaccounts are left there forever. You may want to clean out the old ones from time to time, according to the administration policies applying to your organization. You can use this field to specify your own archiving command.

3.4. Post-create command

Each time you create a user account, a command may be executed. You must specify here the absolute path of the command as well as any arguments. Note that this command is called after the account has been created and committed to the password database (/etc/passwd). The output and error codes of the command are logged in the "Linuxconf logs".

3.5. Pre-delete command

You can specify a command which is executed before the account is removed from the password database (/etc/passwd). Output and error codes are also logged. If any error is detected, the user will be allowed to see the logs and will be asked if the account should be deleted.

3.6. Admin password generator

To help select a new password, an external utility may be used to generate easy to use, yet secure, passwords. One such command is apg, available at http://www.adel.nursat.kz/apg/. A sample password generator, /usr/lib/linuxconf/lib/genpassword, is also supplied.

3.7. End user password generator

Enter the command for the end user dialog (changing his password). The command is usually /usr/bin/apg.

3.8. Users must select auto generated password

The end user is forced to use one of the generated passwords. He is not allowed to enter a new password manually.
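The "Policies for password" settings in section 1.1 combine two limits: a minimum length and a minimum count of non-alpha characters. The following shell function is an added example, not Linuxconf's own implementation, showing what such a check amounts to; the password is read from standard input rather than taken as an argument so it never shows up in the process list.

```shell
#!/bin/sh
# Added example, not Linuxconf code: a check in the spirit of the
# "Policies for password" settings (minimum length, minimum number of
# non-alpha characters). The candidate password is read from stdin.

# password_meets_policy MIN_LEN MIN_NONALPHA
#   Reads one line from stdin. Returns 0 when the password satisfies both
#   limits, 1 otherwise; the reason for a rejection goes to stderr.
password_meets_policy() {
    min_len=$1
    min_nonalpha=$2
    IFS= read -r pw || [ -n "$pw" ] || return 1

    len=${#pw}
    # Strip the letters and measure what is left: digits, punctuation, etc.
    rest=$(printf '%s' "$pw" | tr -d 'A-Za-z')
    nonalpha=${#rest}

    if [ "$len" -lt "$min_len" ]; then
        echo "rejected: length $len is below the minimum of $min_len" >&2
        return 1
    fi
    if [ "$nonalpha" -lt "$min_nonalpha" ]; then
        echo "rejected: $nonalpha non-alpha characters, $min_nonalpha required" >&2
        return 1
    fi
    return 0
}

# Usage: printf '%s\n' "$candidate" | password_meets_policy 8 2
```

As the section notes, on a PAM-aware system a check like this is not the last word: the PAM stack applies its own rules when the password is actually set.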
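Sections 3.1, 3.3 and 3.5 together describe how a pre-delete archiving command is invoked and what it should produce. The script below is an added example written for this page; it is not the accountarchive.sh that Linuxconf ships. It parses the documented command line, refuses a home path that is not a plain relative path, changes to / before calling tar as the text recommends, and writes <basehome>/oldaccounts/<user>-YYYY-MM-DD-PID.tar.gz. It assumes GNU tar with gzip, that local inboxes for the "/" domain live in /var/spool/mail, and that the account name is the last component of the relative home path; the inbox layout for virtual e-mail domains is site-specific and is left alone.

```shell
#!/bin/sh
# Added example, not the accountarchive.sh shipped with Linuxconf: a
# pre-delete archiving command that accepts the command line described in
# "Command line arguments" and stores the account's HOME (plus the mail
# inbox for the local domain "/") as
#   <basehome>/oldaccounts/<user>-YYYY-MM-DD-PID.tar.gz
# Assumptions: GNU tar with gzip, local inboxes under /var/spool/mail, and
# the account name being the last component of the relative home path.

# parse_args "$@": fill ARG_UID, ARG_NAME, ARG_BASEHOME, ARG_HOME, ARG_DOMAIN.
# Returns 1 on an unknown option, a missing value, or a home path that is
# not a plain relative path (Linuxconf supplies it without the leading /).
parse_args() {
    ARG_UID= ARG_NAME= ARG_BASEHOME= ARG_HOME= ARG_DOMAIN=
    while [ $# -gt 0 ]; do
        opt=$1
        shift
        [ $# -gt 0 ] || { echo "$opt needs a value" >&2; return 1; }
        case "$opt" in
            --uid)      ARG_UID=$1 ;;
            --name)     ARG_NAME=$1 ;;
            --basehome) ARG_BASEHOME=$1 ;;
            --home)     ARG_HOME=$1 ;;
            --domain)   ARG_DOMAIN=$1 ;;
            *) echo "unknown argument: $opt" >&2; return 1 ;;
        esac
        shift
    done
    # An absolute or ".."-containing home would let the archive reach
    # outside the home tree; refuse it rather than trust the caller.
    case "$ARG_HOME" in
        ""|/*|..|../*|*/..|*/../*)
            echo "refusing home path: '$ARG_HOME'" >&2; return 1 ;;
    esac
    [ -n "$ARG_BASEHOME" ] || { echo "--basehome is required" >&2; return 1; }
}

# archive_name USER DATE PID: the file name format Linuxconf documents.
archive_name() {
    printf '%s-%s-%s.tar.gz' "$1" "$2" "$3"
}

# archive_account "$@": build the archive from /, as the documentation
# recommends, so tar only ever sees relative paths.
archive_account() {
    parse_args "$@" || return 1
    user=${ARG_HOME##*/}
    dest_dir=$ARG_BASEHOME/oldaccounts
    archive=$dest_dir/$(archive_name "$user" "$(date +%Y-%m-%d)" "$$")

    # Archives hold other people's data; keep the directory root-only.
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1

    cd / || return 1
    set -- "$ARG_HOME"
    if [ "$ARG_DOMAIN" = "/" ]; then
        inbox=var/spool/mail/$user
        [ -f "$inbox" ] && set -- "$@" "$inbox"
    else
        echo "virtual domain $ARG_DOMAIN: inbox location is site-specific, not archived" >&2
    fi
    tar czf "$archive" "$@" || return 1
    chmod 600 "$archive"
    echo "archived $ARG_NAME (uid $ARG_UID) to $archive"
}

# Linuxconf always passes arguments; with none, do nothing.
[ $# -eq 0 ] || archive_account "$@"
```

Because Linuxconf logs the command's output and exit status (section 3.5), every refusal above returns non-zero with a message on stderr, so a bad argument or a failed tar run shows up in the "Linuxconf logs" and the administrator is asked before the account is actually removed.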