RHCSA-A17. Set password expiration time for new user

Posted by wildteen88 on Fri, 01 Oct 2021 02:02:54 +0200

Red Hat RHCE exam - RHCSA (RH134)

serverb.example.com task

17. Set the expiration time of new user password

Task requirements

  • When creating a new user, the default password policy is set to expire after 20 days.

Complete step

  1. Open the login defaults file
    cat /etc/login.defs
  2. At about line 25, adjust the password expiration time. The default is 99999; set it to 20 days
    PASS_MAX_DAYS 20
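The edit above done as a script, added here as an example that is not part of the original post: it rewrites the active PASS_MAX_DAYS line in a login.defs-style file and reads the value back, working on a constructed sample copy so it can be run without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original post): edit PASS_MAX_DAYS in a
# login.defs-style file and read the value back, so the change from the
# default 99999 to the required 20 days can be checked before and after.
set -eu

# Print the active (uncommented) PASS_MAX_DAYS value; comment lines have
# "#" as their first field, so awk skips them automatically.
get_pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Rewrite the active PASS_MAX_DAYS line to the requested number of days.
# Commented lines are left alone and the rest of the file is untouched.
set_pass_max_days() {
    file=$1
    days=$2
    case $days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 1 ;;
    esac
    tab=$(printf '\t')
    sed "s/^PASS_MAX_DAYS[[:space:]][[:space:]]*[0-9][0-9]*/PASS_MAX_DAYS${tab}${days}/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample: a trimmed copy of the password-aging section with the
# RHEL defaults, so the functions can be exercised on a throwaway file.
make_sample_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Password aging controls:
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7
EOF
    printf '%s\n' "$f"
}

defs=$(make_sample_defs)
echo "before: PASS_MAX_DAYS=$(get_pass_max_days "$defs")"   # 99999
set_pass_max_days "$defs" 20
echo "after:  PASS_MAX_DAYS=$(get_pass_max_days "$defs")"   # 20
rm -f "$defs"
```

On the exam host you would run `set_pass_max_days /etc/login.defs 20` as root and then confirm with `useradd demo; chage -l demo`, whose "Maximum number of days between password change" line should read 20.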

Knowledge points of investigation

Create a user's default settings file

  • The /etc/login.defs file holds the default settings for some basic attributes applied when a user is created, such as the range of user UIDs and GIDs, the user expiration time, and the maximum password length.
  • Note that the defaults in this file do not apply to the root user.
  • In addition, when a setting in this file conflicts with the user information in /etc/passwd and /etc/shadow, the system takes /etc/passwd and /etc/shadow as authoritative.
  • The umask here means that when a new user is created together with a home directory, the home directory gets permission 700. To change the umask applied to files the user creates, edit /etc/bashrc or the .bashrc in the user's home directory instead.
Setting | Meaning
MAIL_DIR /var/spool/mail | When a user is created, the system creates the user's mailbox under /var/spool/mail. For example, user lamp's mailbox is /var/spool/mail/lamp.
PASS_MAX_DAYS 99999 | The password validity period. 99999 is counted in days from January 1, 1970 and is roughly 273 years, so in effect the password never expires.
PASS_MIN_DAYS 0 | How many days must elapse after a password change before the user may change the password again. The default is 0.
PASS_MIN_LEN 5 | The minimum password length, 5 characters by default. However, login authentication is now handled by PAM, so this option does not take effect.
PASS_WARN_AGE 7 | How many days before the password expires the system starts warning the user that the password is about to expire. The default is 7 days.
UID_MIN 500 | The minimum UID is 500, so the default UID for new users starts at 500. Note that if you manually give a user UID 550, the next user created gets a UID starting from 551, even though UIDs 500 to 549 are unused.
UID_MAX 60000 | The maximum user UID is 60000.
GID_MIN 500 | The minimum GID is 500, so the GID of a newly added group starts at 500.
GID_MAX 60000 | The maximum user GID is 60000.
CREATE_HOME yes | Whether to create the user's home directory when creating the user. yes creates it, no does not; the default is yes.
UMASK 077 | The permission mask for the user's home directory; 077 by default.
USERGROUPS_ENAB yes | Whether to delete the user's group when deleting the user. To be precise, this refers to deleting the user's initial (primary) group. The default is yes.
ENCRYPT_METHOD SHA512 | The hashing rule for user passwords, SHA512 by default. This is a newer password hashing mode; earlier Linux versions could only use DES or MD5.
[root@C8-4-184-nfs ~]# cat /etc/login.defs 
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME	yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

useradd command default setting

  • The default settings of the useradd command are defined in /etc/default/useradd
[root@C8-4-184-nfs ~]# cat /etc/default/useradd 
# useradd defaults file
GROUP=100    # If no group is specified or created alongside the user, the user belongs to the group with GID=100 by default (users:x:100: in /etc/group)
HOME=/home   # Directory under which the home directories of newly created users are placed
INACTIVE=-1  # Corresponds to column 7 of /etc/shadow, the grace period after the user's password expires
EXPIRE=      # Corresponds to column 8 of /etc/shadow, the expiration date of the user account
SHELL=/bin/bash # Default shell for newly created users
SKEL=/etc/skel  # Skeleton directory copied into each new home directory
CREATE_MAIL_SPOOL=yes # Create a mail spool when creating a user

Topics: Linux Database svn RHCE