*******************************************************************************
* VALID USER ATTRIBUTES FOR /ETC/SECURITY/USER:
* 
* account_locked Defines whether the account is locked.  Locked accounts can
*		not be used for login.  Possible values: true or false.
*
* admin		Defines the administrative status of the user.
*		Possible values: true or false.
*
* admgroups	Lists the groups that the user administrates.  The value
*		is a comma-separated list of valid group names.
*
* auth1		Defines primary authentication methods for a user.  This
*		attribute describes Version 3 style authentication methods.  
*		Commands login, telnet, rlogin, and su support these 
*		authentication methods.
*
*		Possible values: SYSTEM,NONE,token;username.
*
*			SYSTEM 	: Describes normal password authentication in
*			  	  Version 3.  Version 4 has extended this 
*				  definition to include loadable modules and 
*				  an authentication grammar.  See SYSTEM 
*				  attribute description below.
*
*			NONE 	: No authentication.
*
*			token;username 	: A generic name for a custom 
*					  authentication method defined in 
*					  /etc/security/login.cfg.
*			
*		Example:
*			If auth1 is:
*				auth1 = SYSTEM,mylogin;mary
*
*			And the stanza in /etc/security/login.cfg is:
*				mylogin:
*					program = /etc/myprogram
*
*			This will do password authentication, and then
*			invoke the program /etc/myprogram with "mary"
*			as the first parameter.
*			
* auth2		Defines the secondary authentication methods for a user.
*		It is not a requirement to pass this method to login.
*		See auth1 description above for examples.
*
* SYSTEM	Describes Version 4 authentication requirements.  This 
*		attribute can be used to describe multiple or alternate 
*		authentication methods.  See authenticate() routine and 
*		SYSTEM grammar manual pages. 
*
*		Possible tokens:
*
*			files	: local only authentication.
*			compat	: local plus NIS authentication.  
*				  Version 3 behavior.
*			DCE	: Distributed Computing Environment 
*		 		  authentication.
*		
*		Example:
*			SYSTEM = "DCE OR DCE[UNAVAIL] AND compat" 
*
* daemon	Defines whether the user can execute programs using the system
*		resource controller (SRC). Possible values: true or false.
*
* dictionlist   Defines the password dictionaries used when checking new
*               passwords.  The format is a comma-separated list of absolute
*               path names to dictionary files.  A dictionary file contains
*               one word per line where each word has no leading or trailing
*               white space.  Words should only contain 7 bit ASCII characters.
*               All dictionary files and directories should be write protected
*               from everyone except root.  The default is valueless, which is
*               equivalent to no dictionary checking.
*
*               Example dictionary:  /usr/share/dict/words
*                       (Only available if text processing is installed.)
*
* expires	Defines the expiration time for the user account.
*		Possible values: a valid date in the form MMDDHHMMYY or 0.
*		If 0 the account does not expire.  If 0101000070 the account 
*		is disabled.  The range for YY is:
*			00 - 38    years 2000 thru 2038
*			39 - 99    years 1939 thru 1999
*
* histexpire    Defines the period of time in weeks that a user
*               will not be able to reuse a password.
*               Possible values: an integer value between 0 and 260.
*               26 (approximately 6 months) is the recommended value.
*
* histsize      Defines the number of previous passwords which cannot be
*               reused.
*               Possible values:  an integer value between 0 and 50.
*
* login		Defines whether the user can login.
*		Possible values : true or false.
*
* logintimes	Defines the times a user can login.  The value is a comma
*		separated list of items as follows:
*			[!][MMdd[-MMdd]]:hhmm-hhmm
*				or
*			[!]MMdd[-MMdd][:hhmm-hhmm]
*				or
*			[!][w[-w]]:hhmm-hhmm
*				or
*			[!]w[-w][:hhmm-hhmm]
*		where MM is a month number (00=January, 11=December), dd is
*		the day of the month, hh is the hour of the day (00 - 23), mm
*		is the minute of the hour, and w is a weekday (0=Sunday, 6=
*		Saturday).
*
* loginretries	The number of invalid login attempts before a user is not
*		allowed to login.  Possible values: a positive integer or 0
*		to disable this feature.
*
* maxage        Defines the maximum number of weeks a password is valid.  The
*               default is 0, which is equivalent to unlimited. Range: 0 to 52.
*
* maxexpired    Defines the maximum number of weeks after maxage that an expired
*               password can be changed by a user.  The default is -1, which
*               is equivalent to unlimited.  Range: -1 to 52.  maxage must
*               be greater than 0 for maxexpired to be enforced.  (root is
*               exempt from maxexpired.)
*
* maxrepeats    Defines the maximum number of times a given character can
*               appear in a password.  The default is 8, which is equivalent
*               to unlimited.  Range: 0 to 8.
*
* minage        Defines the minimum number of weeks between password changes.
*               The default is 0.  Range: 0 to 52.
*
* minalpha      Defines the minimum number of alphabetic characters in a
*               password. The default is 0.  Range: 0 to 8.
*
* mindiff       Defines the minimum number of characters in the new password
*               that were not in the old password.  The default is 0.
*               Range: 0 to 8.
*
* minlen        Defines the minimum length of a password.  The default is 0.
*               Range: 0 to 8.
*
*   Note: The minimum length of a password is determined by minlen and/or
*         'minalpha + minother', whichever is greater.  'minalpha + minother'
*         should never be greater than 8.  If 'minalpha + minother' is greater
*         than 8, then minother is reduced to '8 - minalpha'.
*
* minother      Defines the minimum number of non-alphabetic characters in a
*               password.  The default is 0.  Range: 0 to 8.
*
* pwdchecks     Defines external password restriction methods used when
*               checking new passwords.  The format is a comma-separated list
*               of absolute path names to methods and/or method path names
*               relative to /usr/lib.  A password restriction method is a
*               program module that is loaded by the password restrictions code
*               at runtime.  All password restriction methods and directories
*               should be write protected from everyone except root.  The
*               default is valueless, which is equivalent to no external
*               password restriction methods.
*
* pwdwarntime	The number of days before a forced password change that a
*		warning will be given to the user informing them of the
*		impending password change.  Possible values: a positive integer
*		or 0 to disable this feature.
*
* registry	Describes where this user is administered.  It is used
*		whenever there is a possibility of resolving a remotely
*		administered user to the local administration domain. 
*		This can happen when network services go down or
*		network databases are replicated locally.  
*		Possible values	: files, NIS, or DCE
*
* rlogin	Defines whether the user account can be accessed by remote 
*		logins.  Commands rlogin and telnet support this attribute.
*		Possible values: true or false.
*
* su		Defines whether other users can switch to this user account.  
*		Command su supports this attribute.
*		Possible values: true or false.
*
* sugroups	Defines which groups can switch to this user account.
*		Alternatively you may explicitly deny groups by preceding
*		the group name with a ! character.
*		Possible values : 
*			A list of valid groups separated by commas, ALL, or *. 
*
* tpath		Defines the user's trusted path characteristics.
*		Possible values:
*			nosak	: The Secure Attention Key (SAK) key (^X^R) 
*				  has no effect.
*			notsh	: The SAK key logs you out.  You can never be 
*				  on the trusted path.
*			always	: When you log in you are always on the 
*				  trusted path.
*			on	: The trusted path is entered when the SAK 
*				  key is hit.
*
*		Note	: This attribute only takes effect if the sak_enabled
*			  attribute (in /etc/security/login.cfg) is set to 
*			  true for the port you are logging into.
*
* ttys		Defines which terminals can access the user account.
*		Alternatively you may explicitly deny terminals by preceding
*		the terminal name with the ! character.
*		Possible values: 
*			List of device paths separated by commas, ALL or *.
*
* umask		Defines the default umask for the user.
*		Possible values: three-digit octal value.
*
* Notes:	Boolean values (i.e. true or false) may use any of the 
*		following values.  These values are not case sensitive.
*
*			true, false, yes, no, always, never.
*
*******************************************************************************

default:
	admin = false
	login = true
	su = true
	daemon = true
	rlogin = true
	sugroups = ALL
	admgroups =
	ttys = ALL
	auth1 = SYSTEM
	auth2 = NONE
	tpath = nosak
	umask = 022
	expires = 0
	SYSTEM = "compat"
	logintimes = 
	pwdwarntime = 0
	account_locked = false
	loginretries = 0
	histexpire = 0
	histsize = 0
	minage = 0
	maxage = 0
	maxexpired = -1
	minalpha = 0
	minother = 0
	minlen = 0
	mindiff = 0
	maxrepeats = 8
	dictionlist =
	pwdchecks =

root:
	admin = true
	SYSTEM = "compat"
	registry = files
	loginretries = 0
	account_locked = false

daemon:
	admin = true
	expires = 0101000070

bin:
	admin = true
	expires = 0101000070

sys:
	admin = true
	expires = 0101000070

adm:
	admin = true

uucp:
	admin = true
	login = false
	rlogin = false
	su = true

guest:

nobody:
	admin = true
	expires = 0101000070

lpd:
	admin = true
	expires = 0101000070

invscout:
	admin = true

snapp:
	admin = false
	rlogin = false
	su = false
	SYSTEM = "NONE"
	login = true
	ttys = /dev/tty0
	registry = files
	dce_export = false

ipsec:
	admin = false

nuucp:
	admin = false


sshd:
	admin = false
	account_locked = true
	login = false
	rlogin = false

testuser:
	admin = false

filecopy:
	admin = false

test2:
	admin = false
