# login.conf

### Login Class

Login classes allow you to control how many resources are allocated for each user. The limits can be edited in [/etc/login.conf](/https://man.openbsd.org/login.conf). For example, here is a login class created for network services:

    service:\
    	:openfiles-cur=4096:\
    	:openfiles-max=8182:\
    	:openfiles=4096:\
    	:stacksize-cur=48M:\
    	:stacksize-max=48M:\
    	:maxproc-max=infinity:\
    	:maxproc-cur=4096:\
    	:tc=daemon:


**WARNING**: Use tabs and not spaces in login.conf. Spaces are not parsed correctly so that services will not get the file resources they need.

Each time a network service creates a new connection for a user, it requires at least one file descriptor. So, if your file descriptor limit is set too low, the service will be unable to make new connections to networks. openfiles sets the maximum number of open file descriptors per process. -cur specifies the current limit and -max specifies the maximum limit.

The current and maximum stack size controls how much stack memory a user can use. We set it at 48M to give each service plenty of room.

`maxproc` limits how many processes a user in this class can create. We set the maximum to infinity and the current amount to 4096. `tc=daemon` means that the default values will come from the `daemon` login class.

Now we will change `username`'s default login class to `service`:

    $ doas usermod -L service username


This can also be edited with a text editor using [[openbsd/vipw]].

To confirm that the login class has been changed, check [/etc/master.passwd](/https://man.openbsd.org/man5/passwd.5).

    $ doas grep '^username' /etc/master.passwd
    username:*:1001:1001:service:0:0:groupname:/home/username:/sbin/nologin


[grep](grep/usage) searches for the line that begins with `username` in [[/etc/master.passwd](/https://man.openbsd.org/man5/passwd.5).
[grep](grep/usage) searches for the line that begins with `username` in [[/etc/master.passwd](/https://man.openbsd.org/man5/passwd.5).

The 5th field should have the correct login class name:

    $ doas grep '^username' /etc/master.passwd | cut -d : -f 5
    service


**NOTE**: If /etc/login.conf.db exists, make sure to delete it (or recreate the database), otherwise login.conf changes won't apply:

To delete:

    $ doas rm /etc/login.conf.db


To create the database:

    $ doas cap_mkdb /etc/login.conf


## Checking Limits

You should confirm the login class has been configured correctly using [ulimit](/https://man.openbsd.org/ulimit).

If necessary, you may need temporarily change the login shell to ksh:

    $ doas chsh -s /bin/ksh username


Next, we login with the login class username:

    $ doas su -c service username
    $ ulimit -a
    time(cpu-seconds)    unlimited
    file(blocks)         unlimited
    coredump(blocks)     unlimited
    data(kbytes)         33554432
    stack(kbytes)        32768
    lockedmem(kbytes)    329478
    memory(kbytes)       985092
    nofiles(descriptors) 4096
    processes            1310


`ulimit -a` displays all process limits for our current user.

**WARNING**: If limits are not what you expect, you may have an error in your configuration!

Press ctrl+d to signal the end of file to logout

Once done, you may need to restore the login shell:

    $ doas chsh -s /path/to/original/shell ngircd


Replace `/path/to/original/shell` with the original shell (it may be `/sbin/nologin`).

## Troubleshooting

Suppose /etc/login.conf and /etc/login.conf.db are missing or deleted. You might see this error:

    OpenBSD/amd64 (username.example.com) (tty00)
    login: root
    login: Failure to retrieve default class


The way to fix this is to reboot the system into [single user mode](openbsd/singleuser) as described in the [[OpenBSD FAQ](/https://www.openbsd.org/faq/faq10.html#LostPW).
The way to fix this is to reboot the system into [single user mode](openbsd/singleuser) as described in the [[OpenBSD FAQ](/https://www.openbsd.org/faq/faq10.html#LostPW).

Once you boot into [single user mode](openbsd/singleuser), mount / and /usr partitions in read-write mode, set the correct terminal type, then edit [[login.conf](/https://man.openbsd.org/login.conf):
Once you boot into [single user mode](openbsd/singleuser), mount / and /usr partitions in read-write mode, set the correct terminal type, then edit [[login.conf](/https://man.openbsd.org/login.conf):

    # mount -rw /
    # mount /usr
    # export TERM=xterm
    # vi /etc/login.conf


The default login.conf can be downloaded from [CVSWeb](https://cvsweb.openbsd.org/), following the src -> etc -> etc.amd64 -> login.conf -> [[Revision 1.18 download link](/https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/etc.amd64/login.conf?rev=1.18&content-type=text/plain). Copy and paste this into /etc/login.conf, save, then quit.
The default login.conf can be downloaded from [CVSWeb](https://cvsweb.openbsd.org/), following the src -> etc -> etc.amd64 -> login.conf -> [[Revision 1.18 download link](/https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/etc.amd64/login.conf?rev=1.18&content-type=text/plain). Copy and paste this into /etc/login.conf, save, then quit.

If login.conf uses a database, recreate the database:

    # cap_mkdb /etc/login.conf


Then reboot and login as usual:

    # shutdown -r now