Inspect login.defs for defaults

Find the system defaults that shape new accounts and password policies by inspecting /etc/login.defs.

18.01.2026 | reading time: 3 min

Want to know what the system will apply when a new account is created? Open /etc/login.defs to read the defaults that tools like useradd and passwd use, then compare those values against actual utility defaults to confirm policy.

Try this quick check

Run a focused grep to surface the most important variables and inspect them yourself using a single command and its output: ```bash $ sudo grep -E '^(PASS|UID|GID|UMASK|CREATE_HOME|ENCRYPT_METHOD|MAIL_DIR|LOGIN_RETRIES|PASS_WARN_AGE)' /etc/login.defs # /etc/login.defs - default values for useradd and passwd PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 UMASK 022 CREATE_HOME yes ENCRYPT_METHOD SHA512 MAIL_DIR /var/mail LOGIN_RETRIES 5 ```

Compare with useradd itself

Confirm what useradd will actually apply on account creation by checking its defaults and comparing them to login.defs, for example: ```bash $ sudo useradd -D GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/sh SKEL=/etc/skel CREATE_MAIL_SPOOL=no ``` Now match values such as CREATE_HOME and UMASK against /etc/login.defs to spot mismatches.

What to watch closely

Look for UID_MIN and UID_MAX to control where system and regular users live, watch PASS_MAX_DAYS and PASS_WARN_AGE for password aging policy, and note that ENCRYPT_METHOD is advisory because PAM and the shadow implementation determine actual hashing; do not assume one file enforces everything.

Where changes take effect

Edit /etc/login.defs to change defaults for tools that read it, but test changes by creating a dummy account or by running the tools with verbose options; remember some distributions use wrapper scripts like adduser or different PAM rules that can override login.defs values.

Related utilities to know

Several commands interact with these defaults and deserve quick checks: use useradd and usermod to create or alter accounts, passwd and chage to inspect and change password aging, and getent to validate user database entries on the system.

Final thought

Inspecting login.defs is quick and revealing; check it, compare it, then test by creating accounts so you know policy is enforced as intended, and keep learning—consider formal study like CompTIA Linux+ or LPIC-1 and intensive exam preparation at bitsandbytes.academy to deepen your Linux skills.

Join Bits & Bytes Academy First class LINUX exam preparation.

security setup utilities