June 29, 2006, 10:05 PM — Send in your Unix questions today!
See additional Unix tips and tricks
It is not at all unusual for systems administrators to get a little antsy
when users' login sessions sit idle for hours or days. Not only can login
session consume resources, tie up software licenses and prevent file systems
from being unmounted but, since we generally can't see what is going on at
the user end of these sessions, we don't know whether these users could provide
opportunities for unauthorized individuals to execute commands and access data
under the guise of authorized users. A user who leaves for lunch without
logging out or securing his login sessions by locking his screen, for example,
might be giving someone else a chance to run commands using his account.
Unix systems provide a number of ways that sysadmins can log off users when
user login sessions are idle for more than a specified time. The choices
differ, however, in how they define "idle" and in how they determine the length
of time that a user has been idle.
Using TMOUT
The newer shells in the sh family (e.g., ksh and bash) provide a timeout
variable, TMOUT, that can be used to end idle sessions. If TMOUT is set to
any value greater than 0, the shell will end after a prescribed number of
seconds have passed without command activity. Two of the most popular shells,
ksh and bash, provide the TMOUT variable, but process the TMOUT limit a bit
differently. Bash counts down and exits the shell after $TMOUT seconds. Ksh,
on the other hand, counts down $TMOUT seconds, warns the user about the impending
timeout and then waits an additional 60 seconds before exiting the shell. If
you want to see this behavior in action, try this:
In one login session, type /bin/bash to enter a secondary shell and type the
command "TMOUT=5". After five seconds, your secondary shell will exit as shown
here:
bash$ TMOUT=5 bash$ timed out waiting for input: auto-logout
In a second login session, type /bin/ksh to enter a secondary shell and type the
same "TMOUT=5" command. After five seconds, you should see the second line shown
below and, after another sixty seconds, your shell with exit.
$ TMOUT=5 shell will timeout in 60 seconds due to inactivity /bin/ksh: timed out waiting for input
You can set TMOUT in users' dot files (e.g., ~/.profile) to establish timeout
limits or in system files like /etc/profile that affect all users. If you were
to add the command "export TMOUT=900" to one of these files, you would be setting
your users' idle timer to allow 15 minutes of inactivity before a session
termination begins.
The TMOUT variable can be useful when your users simply forget to log off.
However, there are two important things to remember when considering this
technique: 1) any savvy user can easily unset the counter with an "unset TMOUT"
command or can reset it to a much more generous timeout value if he is so
inclined and 2) that some system processes, such as editing a file, constitute
activity, even if the user is far away and sound asleep at the time. While this
view of "activity" may represent a sensible caution with respect to preserving
the integrity of unsaved file content, it can thwart your intention to shut down
idle sessions when other considerations outweigh this concern. I have myself
seen a number of login sessions in which ongoing vi processes had been idle for
more than a week.
If you would like to see the effect of editing a file on TMOUT processing,
set your TMOUT value to some small value and then type "vi myfile". In another
login session, use the "finger -i" command to monitor how long the first session
is considered idle. You will soon see that the session has long exceeded
the limit established by TMOUT, but has not been affected by it. End your vi
session and the timeout handled by TMOUT will begin.
Using finger
