How to Set User Login Limits on a Debian 12 Bookworm System

Learn how to set user login limits on a Debian 12 Bookworm system.

Controlling user logins on a Linux system is essential for maintaining security, managing system resources, and ensuring compliance with organizational policies. Debian 12 (Bookworm) provides various mechanisms to restrict user login sessions, including limits on concurrent logins, session durations, and system resource consumption. This guide explains how to set user login limits in Debian 12 efficiently.

Understanding User Login Limits

User login limits can be defined using:

  1. Pluggable Authentication Modules (PAM) – Enforces security policies, including login restrictions.
  2. Limits Configuration (/etc/security/limits.conf) – Sets per-user and per-group resource limits.
  3. Login Defs (/etc/login.defs) – Defines default system-wide policies for user logins.
  4. Ulimit Command – Restricts system resources per session.
  5. Account Expiry & Restrictions (chage & usermod commands) – Controls user session expiration and restrictions.

Now, let’s explore how to configure these settings step by step.


1. Setting Concurrent Login Limits Using PAM

PAM (Pluggable Authentication Modules) can be used to enforce session limits on a per-user or per-group basis.

Steps to Configure PAM Limits

  1. Edit the PAM Limits Module

    Open the /etc/pam.d/common-session file and add the following line at the end:

    session required pam_limits.so
    

    This ensures that PAM enforces session limits.

  2. Define Limits in /etc/security/limits.conf

    Open the limits configuration file:

    sudo nano /etc/security/limits.conf
    

    Add entries to limit logins. For example, to restrict user john to a maximum of two simultaneous logins:

    john hard maxlogins 2
    

    Alternatively, to restrict all users in the users group:

    @users hard maxlogins 3
    
  3. Verify the Configuration

    After saving the file, restart the session service or reboot the system:

    sudo systemctl restart systemd-logind
    

    Users exceeding the defined limit will be denied access.


2. Restricting Login Sessions via /etc/security/limits.d/

Instead of modifying the main limits file, you can create a separate configuration file under /etc/security/limits.d/:

sudo nano /etc/security/limits.d/user_limits.conf

Add the required restrictions:

john hard maxlogins 2
@users hard maxlogins 3

Save and exit. This method is useful for keeping configurations modular and organized.


3. Setting System-Wide Login Limits via /etc/login.defs

The /etc/login.defs file defines system-wide login policies. Open the file:

sudo nano /etc/login.defs

Look for the following directive and adjust it if necessary:

LOGIN_RETRIES 3  # Limits the number of failed login attempts

This setting prevents brute-force login attempts by locking out users after three failures.

Save and close the file.


4. Using ulimit to Limit User Sessions

The ulimit command restricts system resource usage per session. You can configure it dynamically or set persistent rules.

Temporarily Limiting a User’s Sessions

To set a maximum of two open sessions for a user:

ulimit -u 2

This change only applies to the current shell session.

Permanently Applying ulimit Rules

To make the restriction persistent, modify /etc/security/limits.conf:

john hard nproc 2

Alternatively, for all users:

* hard nproc 100

This prevents excessive process creation, which could cause system instability.
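
Several of the entries shown so far can match the same account (a user's own line, an @group line, and the * wildcard), so it helps to check which value actually applies. The script below is an added example, not part of the original guide: it parses limits.conf-style files and reports the hard limit chosen for a user, handling only plain user, @group and * domains. It assumes the precedence documented in limits.conf(5) (user entry over @group over *) and, as a further assumption, that the last entry read wins among entries of equal specificity; the function name effective_limit, the temporary files and the user alice are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): which hard limit wins for a user?
# Usage: effective_limit ITEM USER "GROUP1 GROUP2 ..." FILE...
# Assumed precedence: user entry > @group entry > "*" wildcard (limits.conf(5)
# says individual limits have priority over group limits); among entries of
# equal specificity the last one read wins (assumption). Group and wildcard
# entries are not applied to root.
effective_limit() {
    item=$1 user=$2 grps=$3
    shift 3
    awk -v item="$item" -v user="$user" -v grps="$grps" '
        BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1; best = 9 }
        { sub(/#.*/, "") }                       # drop comments
        NF != 4 || $3 != item { next }           # fields: domain type item value
        $2 != "hard" && $2 != "-" { next }       # "-" sets both soft and hard
        {
            if ($1 == user) rank = 0
            else if (user != "root" && substr($1, 1, 1) == "@" && (substr($1, 2) in member)) rank = 1
            else if (user != "root" && $1 == "*") rank = 2
            else next
            if (rank <= best) { best = rank; value = $4; src = $1 }
        }
        END { if (best == 9) print "unset"; else print value " (from " src ")" }
    ' "$@"
}

# Constructed sample files that reuse the entries shown in this guide.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/limits.conf" <<'EOF'
# constructed sample
*      hard nproc     100
@users hard maxlogins 3
john   hard nproc     2
EOF
cat > "$tmp/user_limits.conf" <<'EOF'
john hard maxlogins 2
EOF

for u in john alice root; do
    for it in maxlogins nproc; do
        printf '%-6s %-10s %s\n' "$u" "$it" \
            "$(effective_limit "$it" "$u" "$u users" "$tmp/limits.conf" "$tmp/user_limits.conf")"
    done
done
```

On a real system, pass the user's actual groups and the live files, for example `effective_limit maxlogins john "$(id -Gn john)" /etc/security/limits.conf /etc/security/limits.d/*.conf`.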


5. Managing Account Expiry and Login Restrictions

To control account expiration and inactivity, use the chage and usermod commands.

Setting an Expiry Date for a User

To set an expiration date for john:

sudo chage -E 2024-12-31 john

To check user account expiration details:

sudo chage -l john

Locking an Inactive Account

To lock an account after 30 days of inactivity:

sudo chage -I 30 john

To immediately lock a user account:

sudo usermod -L john

To unlock the account:

sudo usermod -U john

6. Verifying and Testing Login Restrictions

After configuring login limits, you should test them to ensure they work as expected.

Checking Active User Sessions

To view logged-in users:

w
who
users

To check session limits applied to a user:

ulimit -a

To see PAM limits in effect:

sudo cat /proc/$(pgrep -n -u john)/limits  # -n selects john's newest process; the path needs a single PID

If you need to enforce login limits immediately, restart the login service:

sudo systemctl restart systemd-logind

Conclusion

Setting user login limits in Debian 12 Bookworm enhances security and resource management. By leveraging PAM modules, the /etc/security/limits.conf file, ulimit, and chage, administrators can control concurrent logins, session durations, and user account policies. Regularly review these settings to ensure compliance with security standards and system requirements.

By following these steps, you can effectively manage user logins and maintain a well-regulated Debian system.