Linux Etc Login.defs Configuration with Examples – POFTUT

The Linux shadow password suite provides password related utilities and their configuration. /etc/login.defs (login.defs for short) holds the configuration of the shadow utilities: password aging, the mail spool location, user id and group id ranges, and user home creation. We will look at all of the useful settings in this tutorial.

Login.defs Configuration File

The login.defs configuration file is located at /etc/login.defs. It is a plain text file, so any text editor can be used to edit it and change values. In this tutorial we will use vim. More information about vim can be found in the following tutorial.

http://www.poftut.com/linux-vi-vim-command-line-text-editor-tutorial/

Set Maximum Password Days

We can use PASS_MAX_DAYS to limit the number of days a password may be used. After the specified time the user has to change his password. The default value for PASS_MAX_DAYS is 99999. In this example we set the password to expire after 100 days.

PASS_MAX_DAYS 100

Set Minimum Password Days

We can use PASS_MIN_DAYS to set the minimum number of days a password must be kept. Before the specified time the user cannot change his password. The default value for PASS_MIN_DAYS is 0, which means this check is disabled. In this example we will set PASS_MIN_DAYS to 30 days.

PASS_MIN_DAYS 30

Set Warning Days For Password

We can use PASS_WARN_AGE to set how many days before password expiry the user is warned. The default value for PASS_WARN_AGE is 7 days. In this example we will set it to 5 days.

PASS_WARN_AGE 5

Set Password Minimum Length

Passwords are an important part of security. Brute force attacks can recover weak or too short passwords easily. With PASS_MIN_LEN we can specify the minimum length of user account passwords. The default minimum password length in Linux is 5. In this example we will change it to 10.

PASS_MIN_LEN 10

The following tutorial shows how to check user account password strength for more security.

http://www.poftut.com/check-password-strength-linux-cracklib/

Set Mailbox Directory

We can use the MAIL_DIR setting to set the users' mail directory. The default directory for mail in Linux is /var/spool/mail. In this example we will change the mail directory of users to /var/spool

MAIL_DIR /var/spool/mail

Set Start Of Normal User ID’s

Every normal user account in Linux has an id that uniquely identifies it. The start value of user ids can be specified with the UID_MIN option. The default user id start number in Linux is 1000. In this example we set the start of user ids to 2000.

UID_MIN 2000

Set Start Of System User ID’s

System users in Linux are used by system binaries, daemons and services. We can define the system user start id with SYS_UID_MIN. The default value for the start number of system user ids is 201. In this example we will change it to 300.

SYS_UID_MIN 300

Set Start Of Normal Group ID’s

In Linux groups have ids too, because they are used in the permission system and in user-group relations. We can use GID_MIN to specify the start of group id numbers. The default start value for group ids is 1000. In this example we will set the start value for group ids to 1500.

GID_MIN 1500

Set Start Of System Group ID’s

System groups are used like system users. Their start id is specified with SYS_GID_MIN. The default value for SYS_GID_MIN is 201. In this example we will change it to 301.

SYS_GID_MIN 301

Enable and Disable User Home Creation

Linux users generally have home directories to store their personal and private data. The user home directory resides under /home/ and is named after the user. This home directory is created automatically when the user is created. We can change this behaviour with the CREATE_HOME option. The default is yes:

CREATE_HOME  yes

but we can disable user home creation with no, like below.

CREATE_HOME no

Set Umask

The umask value sets the permissions of newly created files and folders. We can change the default umask value with the UMASK setting. The default value for umask is 077. In this example we set the umask to 055.

UMASK 055

Set Shadow File User Password Encryption Algorithm

User passwords are stored in the /etc/shadow file on Linux operating systems. Storing them in clear text would be a critical security problem, so all passwords are stored in hashed form (login.defs calls this encryption). The default hashing algorithm is SHA512. We can change this algorithm with the ENCRYPT_METHOD option. In this example we will change it to SHA256.

ENCRYPT_METHOD SHA256
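As an added example that is not part of the original tutorial, the Python script below parses a login.defs file and reports settings that are looser than the values chosen in the sections above; the sample file contents and the thresholds are constructed assumptions, not distribution defaults.

```python
# Added example (not the tutorial's code). Constructed sample in /etc/login.defs
# syntax: '#' comment lines, blank lines, KEY<whitespace>VALUE entries.
SAMPLE_LOGIN_DEFS = """\
# login.defs (constructed sample, password aging left at the defaults)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

PASS_MIN_LEN    5
UID_MIN         2000
SYS_UID_MIN     300
SYS_UID_MAX     999
GID_MIN         1500
SYS_GID_MIN     301
SYS_GID_MAX     999
ENCRYPT_METHOD  SHA256
"""

# key -> (default when absent, value set in this tutorial, required direction)
LIMITS = {"PASS_MAX_DAYS": (99999, 100, "<="), "PASS_MIN_DAYS": (0, 30, ">="),
          "PASS_WARN_AGE": (7, 5, ">="), "PASS_MIN_LEN": (5, 10, ">=")}


def parse_login_defs(text):
    """Return {KEY: VALUE}; comment and blank lines are skipped, later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_login_defs(settings):
    """Return {KEY: problem}: loose aging, overlapping id ranges, weak hash method."""
    problems = {}
    for key, (default, limit, op) in LIMITS.items():
        value = int(settings.get(key, default))
        too_loose = value > limit if op == "<=" else value < limit
        if too_loose:
            problems[key] = f"{value} is not {op} {limit}"
    # useradd allocates system ids from SYS_*_MIN..SYS_*_MAX and normal ids from
    # *_MIN upwards, so SYS_*_MAX must stay below *_MIN (defaults 999 and 1000).
    for sys_max, norm_min in (("SYS_UID_MAX", "UID_MIN"), ("SYS_GID_MAX", "GID_MIN")):
        if int(settings.get(sys_max, 999)) >= int(settings.get(norm_min, 1000)):
            problems[sys_max] = f"{sys_max} overlaps {norm_min}"
    if settings.get("ENCRYPT_METHOD") not in ("SHA256", "SHA512", "YESCRYPT"):
        problems["ENCRYPT_METHOD"] = "not a SHA-2 or yescrypt hash"
    return problems
```

Changing login.defs only affects accounts created afterwards; existing accounts keep the aging fields already written to /etc/shadow, which `chage -l <user>` shows.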
