Linux /etc/login.defs Tutorial

Linux user authentication is done with the shadow password file. the shadow password file is configured with the login.defs configuration file which is located under the /etc. This file provides configuration like password maximum days, password minimum days, etc. In this tutorial, we will examine the /etc/login.defs configuration file and different configurations.

Mail Storage Directory Configuration

The mail storage path or directory can be specified with the MAIL_DIR configuration. By default, the “/var/mail” path is configured to store mails. Every user has a directory with its user name under this directory.

MAIL_DIR  /var/mail

Failed Login Attempts Logs

When a user tries to login the authentication may fail. The failed login is logged into the log file /var/log/faillog. The configuration is enabled by default with the following configuration.

FAILLOG_ENAB yes

Succesfull Login Attempts Logs

Also the succesfull login authentications can be logged with the following configuration which is not enabled by default.

LOG_OK_LOGINS yes

Umask Value

Umask is a value used to set newly created files and folders permissions. The umask command is used to display and change this value. Also the UMASK configuration can be set like below.

UMASK 022

Password Maximum Days

Password Maximum Days configuration is used to set how long a user password will be valid. After the specified days, the password should be changed which is forced in login. By default, this value is 99999 which can be called unlimited.

PASS_MAX_DAYS 99999

Password Minimum Days

Password Minimum Days is used to configure the minimum days to change password. By default this value it not limited with the value 0.

PASS_MIN_DAYS 0

Password Warning Age

Password Warning Age is used to set when the warning messages about the password change will be shown. The default value is 7 where in the last 7 days when the user logins the password change warning message will be shown.

PASS_WARN_AGE 7

User ID (UID) Start Number

User ID or UID is used to identify a Linux user with an ID or number. The start number for newly created users can be set with this configuration. By default the user ID start number is 1000.

UID_MIN 1000

Login Retry Count

Max number of login retries if the password is bad. This will most likely be overridden by PAM since the default pam_unix module has its own built-in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.

LOGIN_RETRIES 5