@alejandro-colomar
Collaborator

@alejandro-colomar alejandro-colomar commented Dec 15, 2025

Expiring passwords has been determined to decrease safety. Let's default to not expiring passwords.


Revisions:

v2
$ git rd 
1:  2eae5ae18 = 1:  2eae5ae18 etc/login.defs: Remove defaults for password expiration
-:  --------- > 2:  b8db89e18 etc/login.defs: Group password strength controls
v2b
  • Rebase
$ git rd 
1:  2eae5ae18 = 1:  da0d41456 etc/login.defs: Remove defaults for password expiration
2:  b8db89e18 ! 2:  1f537129d etc/login.defs: Group password strength controls
    @@ etc/login.defs: LOGIN_TIMEOUT            60
     +PASS_MIN_LEN      5
      # Number of significant characters in the password for crypt().
      # Default is 8, don't change unless your crypt() is better.
    - # Ignored if MD5_CRYPT_ENAB set to "yes".
    + # Only used for DES encryption algorithm.
     -#
      #PASS_MAX_LEN             8
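Review bot: at `+PASS_MIN_LEN      5`, the value carried into the grouped password strength controls is a 5-character minimum, and the thread below notes that PASS_MIN_LEN and PASS_MAX_LEN do not work as documented (#886). Since the block is being reorganised anyway, consider a short comment beside both settings that points to login.defs(5) and mentions that caveat, so an administrator does not treat them as the only length check. Minor wording on the changed context line: "Only used for DES encryption algorithm." would read better as "Only used for the DES encryption algorithm."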
      
v2c
  • Rebase
$ git rd 
1:  da0d41456 = 1:  1d4fae278 etc/login.defs: Remove defaults for password expiration
2:  1f537129d = 2:  d2ea0c418 etc/login.defs: Group password strength controls
v2d
  • Rebase
$ git rd 
1:  1d4fae278 = 1:  0fb6e4e83 etc/login.defs: Remove defaults for password expiration
2:  d2ea0c418 = 2:  761661eeb etc/login.defs: Group password strength controls

@alejandro-colomar alejandro-colomar marked this pull request as ready for review December 15, 2025 13:04
@alejandro-colomar alejandro-colomar self-assigned this Dec 15, 2025
@stoeckmann
Contributor

Wouldn't it be better to just comment out the variables just like it's done with HOME_MODE just above the password age block? It keeps the descriptions in the file in case someone actually wants to do that.

@alejandro-colomar
Collaborator Author

alejandro-colomar commented Dec 15, 2025

> Wouldn't it be better to just comment out the variables just like it's done with HOME_MODE just above the password age block? It keeps the descriptions in the file in case someone actually wants to do that.

I'd suggest that they read the manual page login.defs(5). We should probably refer to that manual page in the file.

Also, I want to suggest deprecating expiration of passwords soon, with plans to eliminate the functionality eventually.

@stoeckmann
Contributor

The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.

Keep in mind that PASS_MIN_LEN and PASS_MAX_LEN do not work as documented. See #886

@alejandro-colomar
Collaborator Author

> The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.

Thanks! I'll do that.

> Keep in mind that PASS_MIN_LEN and PASS_MAX_LEN do not work as documented. See #886

Yup. Hopefully, we'll fix those eventually. :)

@alejandro-colomar
Collaborator Author

> > The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.
>
> Thanks! I'll do that.

Done.

@alejandro-colomar alejandro-colomar force-pushed the login_defs branch 2 times, most recently from 1f53712 to d2ea0c4 Compare December 23, 2025 21:54
Expiring passwords has been determined to decrease safety.
Let's default to not expiring passwords.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Reported-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>