From 688a3b6e4723304fc9617a705b2906c974f6d816 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar
Date: Mon, 15 Dec 2025 14:03:49 +0100
Subject: [PATCH 1/2] etc/login.defs: Remove defaults for password expiration

Expiring passwords has been determined to decrease safety. Let's default to not expiring passwords.

Signed-off-by: Alejandro Colomar
---
 etc/login.defs | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/etc/login.defs b/etc/login.defs
index 5d9b9daf28..f7c1618d09 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -209,15 +209,9 @@ UMASK 022
 #
 # Password aging controls:
 #
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
 # PASS_MIN_LEN Minimum acceptable password length.
-# PASS_WARN_AGE Number of days warning given before a password expires.
 #
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
 PASS_MIN_LEN 5
-PASS_WARN_AGE 7
 
 #
 # If "yes", the user must be listed as a member of the first gid 0 group
From b8e4ac45f1e035b31211ba8db17022dd916c8c3f Mon Sep 17 00:00:00 2001
From: Alejandro Colomar
Date: Tue, 16 Dec 2025 13:33:17 +0100
Subject: [PATCH 2/2] etc/login.defs: Group password strength controls

Reported-by: Tobias Stoeckmann
Signed-off-by: Alejandro Colomar
---
 etc/login.defs | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/etc/login.defs b/etc/login.defs
index f7c1618d09..83f58d1fa5 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -206,13 +206,6 @@ UMASK 022
 # If HOME_MODE is not set, the value of UMASK is used to create the mode.
 #HOME_MODE 0700
 
-#
-# Password aging controls:
-#
-# PASS_MIN_LEN Minimum acceptable password length.
-#
-PASS_MIN_LEN 5
-
 #
 # If "yes", the user must be listed as a member of the first gid 0 group
 # in /etc/group (called "root" on most Linux systems) to be able to "su"
@@ -333,15 +326,15 @@ LOGIN_TIMEOUT 60
 PASS_CHANGE_TRIES 5
 
 #
-# Warn about weak passwords (but still allow them) if you are root.
+# Password strength controls:
 #
+# Warn about weak passwords (but still allow them) if you are root.
 PASS_ALWAYS_WARN yes
-
-#
+# Minimum acceptable password length.
+PASS_MIN_LEN 5
 # Number of significant characters in the password for crypt().
 # Default is 8, don't change unless your crypt() is better.
 # Only used for DES encryption algorithm.
-#
 #PASS_MAX_LEN 8
 
 #
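Review bot: `PASS_MIN_LEN 5` is carried over unchanged into the new "Password strength controls:" block, and a five-character minimum is well below current guidance (NIST SP 800-63B asks for at least 8 characters); since this series already revises the shipped defaults to follow modern password advice, the value deserves the same treatment, e.g. `PASS_MIN_LEN 8`. The one-line comment also does not say where the limit is enforced; if, as I believe, the key is ignored on PAM builds, say so in place: `# Minimum acceptable password length (not used when PAM handles password changes).` As a style point, the three settings now run together with no blank or `#` line between them, so a blank line after `PASS_ALWAYS_WARN yes` and after `PASS_MIN_LEN 5` would keep each comment visibly attached to its own key.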