Unix Tip: Killing Idle Logins

Be the first to comment | 2I like it!
June 29, 2006, 09:05 PM —  ITworld.com — 

Send in your Unix questions today!


See additional Unix tips and tricks


It is not at all unusual for systems administrators to get a little antsy
when users' login sessions sit idle for hours or days. Not only can login
session consume resources, tie up software licenses and prevent file systems
from being unmounted but, since we generally can't see what is going on at
the user end of these sessions, we don't know whether these users could provide
opportunities for unauthorized individuals to execute commands and access data
under the guise of authorized users. A user who leaves for lunch without
logging out or securing his login sessions by locking his screen, for example,
might be giving someone else a chance to run commands using his account.



Unix systems provide a number of ways that sysadmins can log off users when
user login sessions are idle for more than a specified time. The choices
differ, however, in how they define "idle" and in how they determine the length
of time that a user has been idle.



Using TMOUT



The newer shells in the sh family (e.g., ksh and bash) provide a timeout
variable, TMOUT, that can be used to end idle sessions. If TMOUT is set to
any value greater than 0, the shell will end after a prescribed number of
seconds have passed without command activity. Two of the most popular shells,
ksh and bash, provide the TMOUT variable, but process the TMOUT limit a bit
differently. Bash counts down and exits the shell after $TMOUT seconds. Ksh,
on the other hand, counts down $TMOUT seconds, warns the user about the impending
timeout and then waits an additional 60 seconds before exiting the shell. If
you want to see this behavior in action, try this:



In one login session, type /bin/bash to enter a secondary shell and type the
command "TMOUT=5". After five seconds, your secondary shell will exit as shown
here:

bash$ TMOUT=5
bash$ timed out waiting for input: auto-logout

In a second login session, type /bin/ksh to enter a secondary shell and type the
same "TMOUT=5" command. After five seconds, you should see the second line shown
below and, after another sixty seconds, your shell with exit.

$ TMOUT=5
shell will timeout in 60 seconds due to inactivity
/bin/ksh: timed out waiting for input

You can set TMOUT in users' dot files (e.g., ~/.profile) to establish timeout
limits or in system files like /etc/profile that affect all users. If you were
to add the command "export TMOUT=900" to one of these files, you would be setting
your users' idle timer to allow 15 minutes of inactivity before a session
termination begins.



The TMOUT variable can be useful when your users simply forget to log off.
However, there are two important things to remember when considering this
technique: 1) any savvy user can easily unset the counter with an "unset TMOUT"
command or can reset it to a much more generous timeout value if he is so
inclined and 2) that some system processes, such as editing a file, constitute
activity, even if the user is far away and sound asleep at the time. While this
view of "activity"

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!

The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!

Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace