2N/A# The contents of this file are subject to the terms of the 2N/A# Common Development and Distribution License (the "License"). 2N/A# You may not use this file except in compliance with the License. 2N/A# See the License for the specific language governing permissions 2N/A# and limitations under the License. 2N/A# When distributing Covered Code, include this CDDL HEADER in each 2N/A# If applicable, add the following below this CDDL HEADER, with the 2N/A# fields enclosed by brackets "[]" replaced with your own identifying 2N/A# information: Portions Copyright [yyyy] [name of copyright owner] 2N/A# Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. 2N/A# security policy configuration for user attributes. see policy.conf(4) 2N/A# crypt(3c) Algorithms Configuration 2N/A# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to 2N/A# be used for new passwords. This is enforced only in crypt_gensalt(3c). 2N/A# To deprecate use of the traditional unix algorithm, uncomment below 2N/A# and change CRYPT_DEFAULT= to another algorithm. For example, 2N/A#CRYPT_ALGORITHMS_DEPRECATE=__unix__ 2N/A# The OpenSolaris default is a SHA256 based algorithm. To revert to 2N/A# the policy present in Solaris releases set CRYPT_DEFAULT=__unix__, 2N/A# which is not listed in crypt.conf(4) since it is internal to libc. 2N/A# These settings determine the default privileges users have. If not set, 2N/A# the default privileges are taken from the inherited set. 2N/A# There are two different settings; PRIV_DEFAULT determines the default 2N/A# set on login; PRIV_LIMIT defines the Limit set on login. 2N/A# Individual users can have privileges assigned or taken away through 2N/A# user_attr. Privileges can also be assigned to profiles in which case 2N/A# the users with those profiles can use those privileges through pfexec(1). 2N/A# For maximum future compatibility, the specifications should 2N/A# always include "basic" or "all"; privileges should then be removed using 2N/A# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the 2N/A# sys_linkdir privilege, regardless of future additional privileges. 2N/A# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the 2N/A# file_link_any privilege from the basic privilege set; only that notation 2N/A# is immune from a future addition of currently unprivileged operations to 2N/A# the basic privilege set. 2N/A# NOTE: removing privileges from the the Limit set requires EXTREME care 2N/A# as any set-uid root program may suddenly fail because it lacks certain 2N/A# LOCK_AFTER_RETRIES specifies the default account locking policy for local 2N/A# user accounts (passwd(4)/shadow(4)). The default may be overridden by 2N/A# a user's user_attr(4) "lock_after_retries" value. 2N/A# YES enables local account locking, NO disables local account locking. 2N/A# The default value is NO. 2N/A#LOCK_AFTER_RETRIES=NO