When creating user accounts on Linux systems, you'll encounter restrictions defined by the NAME_REGEX configuration. The default regex pattern ^[a-z][-a-z0-9]*\$ enforces:
1. Must start with lowercase letter [a-z]
2. Can contain only lowercase letters, numbers, and hyphens [-a-z0-9]
3. No uppercase letters, underscores, or dots permitted
While useradd may accept non-compliant usernames, various system components expect POSIX-compliant names:
- Dot (.): Causes issues with configuration files (e.g., .bashrc) and path resolution
- Underscore (_): May conflict with environment variable naming conventions
- Mixed case: Breaks scripts assuming lowercase-only usernames
For domain-based usernames, consider these transformation approaches:
# Python conversion example
def domain_to_username(domain):
    return domain.replace('.', '-').replace('_', '-').lower()

# Example conversions:
domain_to_username("example.com")  # → "example-com"
domain_to_username("api_v2.test")  # → "api-v2-test"
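A stricter version of the conversion above, added here as an example and not part of the original page: it validates the result against the default pattern, handles domains that start with a digit, and reports domains that collapse to the same account name. The `prefix` parameter, the 32-character limit and the `find_collisions` helper are assumptions made for illustration.

```python
import re

# Default pattern quoted on this page (the shell escaping of "$" is dropped).
NAME_REGEX = re.compile(r"^[a-z][-a-z0-9]*$")
MAX_LEN = 32  # assumption: common Linux login-name length limit


def domain_to_username(domain, prefix="d-"):
    """Map a domain name to a login name that matches NAME_REGEX.

    `prefix` (hypothetical) is prepended when the result would not
    start with a lowercase letter, e.g. for "123.example".
    """
    name = domain.strip().lower()
    # Replace every run of characters outside [a-z0-9] with one hyphen,
    # then trim hyphens left at either end.
    name = re.sub(r"[^a-z0-9]+", "-", name).strip("-")
    if not name:
        raise ValueError(f"nothing usable in {domain!r}")
    if not name[0].isalpha():
        name = prefix + name
    # Truncation can expose a trailing hyphen, so trim again.
    name = name[:MAX_LEN].rstrip("-")
    if not NAME_REGEX.fullmatch(name):
        raise ValueError(f"cannot derive a valid name from {domain!r}")
    return name


def find_collisions(domains):
    """Return {username: [domains]} for names produced by more than one domain."""
    seen = {}
    for d in domains:
        seen.setdefault(domain_to_username(d), []).append(d)
    return {u: ds for u, ds in seen.items() if len(ds) > 1}
```

Because the mapping is lossy, run `find_collisions` over the full domain list before creating accounts so that two domains never end up sharing one UID.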
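If you must support additional characters, edit /etc/adduser.conf:
# Extended pattern allowing dots and underscores
NAME_REGEX="^[a-z][-a-z0-9._]*\$"
# Verify with (no --force-badname here: that option skips the NAME_REGEX check,
# so it would succeed whether or not the new pattern is in effect):
sudo adduser test.user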
Important caveats when modifying:
- Test all automation scripts that process usernames
- Ensure compatibility with NFS, Samba, and LDAP if used
- Document the non-standard convention for other admins
These areas may require additional configuration:
# Samba example for dotted usernames
[global]
username map = /etc/samba/usermap
# /etc/samba/usermap content:
example.user = EXAMPLEUSER
Remember that while it is technically possible to use special characters, maintaining compatibility with POSIX standards prevents countless subtle issues across the Linux ecosystem.
When creating user accounts on Linux systems, particularly when naming accounts after domain names, you'll encounter strict character restrictions. The default NAME_REGEX pattern in most Linux distributions is:
NAME_REGEX="^[a-z][-a-z0-9_]*\$"
This means usernames must:
- Start with a lowercase letter (a-z)
- Contain only lowercase letters, digits (0-9), hyphens (-), and underscores (_)
- Not begin or end with special characters
Certain characters can cause significant issues in usernames:
# These will cause problems:
@, ., /, \, :, *, ?, ", ', <, >, |, $, %, #, !, ~, , +, =, {, }, [, ], (, ), &, ;, space
Specific issues with common domain-related characters:
- Dots (.): Can interfere with path resolution and email handling
- Hyphens (-): Generally safe but can cause issues if at start/end
- Underscores (_): Mostly safe but may conflict with some scripts
To allow domain-style usernames while maintaining security, you could modify NAME_REGEX in /etc/adduser.conf:
# Example modified regex for domain-style names
NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
Important considerations when modifying:
- Never allow spaces or shell metacharacters
- Avoid allowing usernames to start/end with special chars
- Test thoroughly with your specific applications
For domain-based usernames, consider these transformations:
Original domain: example.com
Bad username: example.com
Good alternatives:
- example_com
- example-com
- example.com (only if regex modified and tested)
Loose username restrictions can lead to:
- Shell injection vulnerabilities
- Path traversal issues
- Script parsing problems
- UID/GID resolution conflicts
Best practice is to stick with the default regex unless you have specific, tested requirements for alternative formats.
If you must use non-standard characters, bypass adduser checks (--force-badname is an adduser option, not a useradd one):
sudo adduser --force-badname 'user.name'
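Or modify the regex temporarily. adduser reads NAME_REGEX from its configuration file rather than from the environment, so pass an alternate configuration file with --conf (the path below is a placeholder; that file sets NAME_REGEX="^[a-z][-a-z0-9_.]*\$"):
sudo adduser --conf /path/to/adduser-relaxed.conf example.com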