Pawan Sharma | May 27, 2012

Understanding /etc/login.defs

User administration is, I think, the basic but most important part of any system administrator's job. In a production environment we have to do some security hardening related to users and groups. Red Hat Enterprise Linux 6 (RHEL 6) has a file called /etc/login.defs, which holds the default password policy for users. Sometimes we have to change the password policy to match the organization's user policy, for example the minimum password length or the password expiration period.

We can apply a password policy through the graphical user administration tool, but I would suggest using the command line to change the password policy. To change the password policy from the command line in Linux, we just have to edit the /etc/login.defs file. Only the root user can edit this file.

When the useradd command is used to create a user, the useradd binary reads the following values from the /etc/login.defs file as part of user creation:


MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

UID_MIN           500
UID_MAX         60000

GID_MIN           500
GID_MAX         60000

CREATE_HOME     yes

Description:
------------
 1. MAIL_DIR: Directory where the user's mail will be stored.

 2. PASS_MAX_DAYS: Maximum number of days for the validity of a password.

 3. PASS_MIN_DAYS: Minimum number of days that must pass before a password can be changed again.

 4. PASS_MIN_LEN: Minimum required length of a password.

 5. PASS_WARN_AGE: Number of days before password expiry at which the warning is given.

 6. UID_MIN: Minimum value for automatic user id selection.

 7. UID_MAX: Maximum value for automatic user id selection.

 8. GID_MIN: Minimum value for automatic group id selection.

 9. GID_MAX: Maximum value for automatic group id selection.

10. CREATE_HOME: Whether useradd should create home directories for users.

If we change these values in the /etc/login.defs file, any user created after the change will get the new values.
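To check the password-aging keys described above against an organization's policy, here is an added example (not part of the original post) that parses a login.defs-style file and reports every key weaker than a baseline. The thresholds (90, 1, 12, 7) and the function names get_def and audit_login_defs are assumptions of this example, not values from the article.

```shell
#!/bin/sh
# Added example: audit the password-aging keys of a login.defs-style file.
# The thresholds are assumed for illustration; set them to your own policy.
MAX_DAYS_LIMIT=90   # PASS_MAX_DAYS must be <= this
MIN_DAYS_FLOOR=1    # PASS_MIN_DAYS must be >= this
MIN_LEN_FLOOR=12    # PASS_MIN_LEN  must be >= this
WARN_AGE_FLOOR=7    # PASS_WARN_AGE must be >= this

# get_def FILE KEY: print KEY's value. Comment and blank lines never match
# because their first field is not KEY. If KEY repeats, this example takes
# the last occurrence (an assumption of the example).
get_def() {
    awk -v k="$2" '$1 == k && NF >= 2 { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_login_defs FILE: print one FAIL line per key that is missing, not a
# non-negative integer, or weaker than the baseline. Returns 0 only if all pass.
audit_login_defs() {
    file=$1
    rc=0
    for rule in "PASS_MAX_DAYS le $MAX_DAYS_LIMIT" "PASS_MIN_DAYS ge $MIN_DAYS_FLOOR" \
                "PASS_MIN_LEN ge $MIN_LEN_FLOOR" "PASS_WARN_AGE ge $WARN_AGE_FLOOR"; do
        set -- $rule            # split "KEY op limit" into $1 $2 $3
        val=$(get_def "$file" "$1")
        case $val in
            ''|*[!0-9]*)
                echo "FAIL $1: missing or not a non-negative integer"
                rc=1 ;;
            *)
                if ! [ "$val" "-$2" "$3" ]; then
                    echo "FAIL $1=$val (required: -$2 $3)"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample input holding the values from the article's listing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
audit_login_defs "$sample" || echo "policy is weaker than the baseline"
rm -f "$sample"
```

To audit the real file, call `audit_login_defs /etc/login.defs` after sourcing the functions.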
