etc/login.defs: Remove defaults for password expiration

[alejandro-colomar]

Expiring passwords has been determined to decrease safety. Let's default to not expiring passwords.

---

Revisions:

v2

• Group password strength controls. [@stoeckmann ]

$ git rd 
1:  2eae5ae18 = 1:  2eae5ae18 etc/login.defs: Remove defaults for password expiration
-:  --------- > 2:  b8db89e18 etc/login.defs: Group password strength controls

v2b

• Rebase

$ git rd 
1:  2eae5ae18 = 1:  da0d41456 etc/login.defs: Remove defaults for password expiration
2:  b8db89e18 ! 2:  1f537129d etc/login.defs: Group password strength controls
    @@ etc/login.defs: LOGIN_TIMEOUT            60
     +PASS_MIN_LEN      5
      # Number of significant characters in the password for crypt().
      # Default is 8, don't change unless your crypt() is better.
    - # Ignored if MD5_CRYPT_ENAB set to "yes".
    + # Only used for DES encryption algorithm.
     -#
      #PASS_MAX_LEN             8
      

v2c

• Rebase

$ git rd 
1:  da0d41456 = 1:  1d4fae278 etc/login.defs: Remove defaults for password expiration
2:  1f537129d = 2:  d2ea0c418 etc/login.defs: Group password strength controls

v2d

• Rebase

$ git rd 
1:  1d4fae278 = 1:  0fb6e4e83 etc/login.defs: Remove defaults for password expiration
2:  d2ea0c418 = 2:  761661eeb etc/login.defs: Group password strength controls

[stoeckmann]

Wouldn't it be better to just comment out the variables just like it's done with HOME_MODE just above the password age block? It keeps the descriptions in the file in case someone actually wants to do that.

[alejandro-colomar]

Wouldn't it be better to just comment out the variables just like it's done with HOME_MODE just above the password age block? It keeps the descriptions in the file in case someone actually wants to do that.

I'd suggest that they read the manual page login.defs(5). We should probably refer to that manual page in the file.

Also, I want to suggest deprecating expiration of passwords soon, with plans to eliminate the functionality eventually.

[stoeckmann]

The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.

Keep in mind that PASS_MIN_LEN and PASS_MAX_LEN do not work as documented. See #886

[alejandro-colomar]

The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.

Thanks! I'll do that.

Keep in mind that PASS_MIN_LEN and PASS_MAX_LEN do not work as documented. See #886

Yup. Hopefully, we'll fix those eventually. :)

[alejandro-colomar]

The block still states Password aging controls: even though it just contains PASS_MIN_LEN now. There's also a PASS_MAX_LEN in the file, so they should be merged in a Password strength controls: or something like that.

Thanks! I'll do that.

Done.

[alejandro-colomar]

@stoeckmann , this should cover your concerns from #1432 (comment), right?

[stoeckmann]

@stoeckmann , this should cover your concerns from #1432 (comment), right?

Yes, that fits.