From: www.itworld.com
July 5, 2006 —
In last week's column, we looked at a couple of ways that you can force an automatic logout of a user's session when he has been idle for too long. In particular, we looked at the TMOUT variable available in some shells and a script that uses the "who -u" command to determine how long a login session has been idle and kill to terminate sessions.
As we saw, the TMOUT variable isn't a good way to close idle sessions if your users prefer to avoid being logged out, because it is far too easy to override. We also saw that TMOUT doesn't view time spent editing files as idle and, therefore, could leave some idle sessions running indefinitely.
While either of these two approaches has some value, neither the autologout script nor the TMOUT variable is well set up to apply different auto-logout rules to different users. If you want to allow one group of users to remain idle for several hours while constraining another to only 15 minutes of idle time, you need a more sophisticated tool.
Introducing idled
Idled (pronounced idle-dee) is a small software application that closes idle user sessions. Unlike TMOUT and the script presented last week, however, idled makes its decisions about when to terminate login sessions based on a fairly detailed configuration file. This configuration file allows sysadmins to establish different idle timeout periods for individual users or specific user groups. It can also be used to prevent too many simultaneous login sessions (too many overall logins or too many logins by an individual) on the server. It also has additional features that can be very handy at times. For example, if you temporarily need to keep one group of users from logging into a system while some other group needs exclusive access, you could disable their accounts. However, you can also use idled to ward off the unwelcome users. By using the "refuse" option, you can get idled to terminate the group's login sessions after a five-second warning -- enough time to display a message explaining why the group cannot be allowed to use the system at that particular time.
In addition, idled gives you a lot of control over how you manage your idle timeouts. You can even exempt some users, groups, hosts (from which users are logging in) or ttys from idle timeouts. You can set up special exemptions for console access too. For example, you might want to have no restrictions placed on console logins. With idled, you can do this.
If you're troubled by users who lock shared consoles with xlock and then leave the building, preventing other users from gaining access to a system, you might appreciate idled's ability to determine how long the login has been idle, independently of whether other users have tested the keyboard.
How Does it Work?
When idled starts, it reads its configuration file. One of the parameters that it uses is a sleep value that determines how frequently idled should examine login sessions for idle time. If, at one of these intervals, it determines that a user has been idle for too long, it issues a warning, waits an additional idle period for the user to respond to the warning and, receiving none, logs the user off.
Because idled checks the status of logins at sleep time intervals, it may take a little longer than specified to log idle users off. If you set your sleep time to five minutes, for example, an idle session could remain logged in five minutes longer than you intended simply because it took idled this long to come back and check it. Keep this in mind if your login limits need to be fairly precise.
Another nice feature of idled is that it keeps a log file. This allows you to see which of your users was logged off after exceeding the allowable idle period and explain the reason for the logout if the user comes looking for you with a pile of complaints. User logouts will look like this in the log file:
Thu Jul 6 16:50:52 : shs on /dev/pts/2 because idle
One minor problem with idled is that it has a little trouble with usernames longer than 8 characters. Considering that Unix systems, Solaris in particular, can have extremely long filenames and extremely large file systems, it strikes me as a little odd that we should still run into problems when our usernames reach that troublesome 9th character. At the same time, the issue for idled seems minor. After grappling with a "long" username, it seems to manage to disconnect the session with only an extra line in the log file to indicate that there was any problem at all:
Error getting user information for henrysto in zap. Will attempt kill without uid changing.
Thu Jul 6 12:34:38 : henrysto on /dev/pts/1 because idle
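An added example, not part of the original column or of idled itself: a shell function that summarises idled logouts per user from the log line shapes quoted above and flags accounts for which the user-lookup error was logged. The function names and the last sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example: per-user summary of idled logouts, read from stdin.
# Line shapes come from the log excerpts quoted in the article.

summarize_idled_log() {
    awk '
    # Logout: "Thu Jul 6 16:50:52 : shs on /dev/pts/2 because idle"
    $5 == ":" && $7 == "on" && $9 == "because" {
        n[$6]++
        last[$6] = $2 " " $3 " " $4    # month, day, time of latest logout
        tty[$6]  = $8
        why[$6]  = $10
        next
    }
    # Lookup failure logged for long usernames; field 6 is the name.
    /^Error getting user information for / { err[$6]++; next }
    # Tail of that message when it wraps onto a second line.
    /^without uid changing/ { next }
    NF { bad++ }                       # anything else is unrecognised
    END {
        for (u in n) {
            flag = (u in err) ? "yes" : "no"
            printf "%s logouts=%d last=\"%s\" tty=%s reason=%s lookup_error=%s\n",
                   u, n[u], last[u], tty[u], why[u], flag
        }
        if (bad) print "unparsed lines: " bad > "/dev/stderr"
    }' | LC_ALL=C sort
}

# Constructed sample: the first four lines are the article's excerpts,
# the last line is invented for the example.
sample_log() {
    cat <<'EOF'
Error getting user information for henrysto in zap. Will attempt kill
without uid changing.
Thu Jul 6 12:34:38 : henrysto on /dev/pts/1 because idle
Thu Jul 6 16:50:52 : shs on /dev/pts/2 because idle
Fri Jul 7 09:15:03 : shs on /dev/pts/4 because idle
EOF
}

sample_log | summarize_idled_log
```

Feed it the real log with "summarize_idled_log < logfile"; lines in any other shape are counted on stderr rather than silently dropped.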
Getting and Building idled
The home page for idled is located at http://www.darkwing.com/idled/. The latest version for Solaris can be downloaded from this URL:
http://www.darkwing.com/idled/download/idled-1.16.tar.gz
Building idled on my server was extremely easy. I edited the Makefile and set my compiler to gcc:
# C compiler flags
CC = gcc
I then ran make and watched about one screen of compilation messages whiz by my screen. Running "make install" installed idled in /usr/local/bin. I then copied the prototype configuration file (idled.cf.template in the /usr/local/lib directory) to idled.cf, reviewed and then modified the default settings for my users and groups and moved on to setting the service to start automatically.
I found a sample start script within the INSTALL file. I moved this to /etc/rc2.d, named it S95idled (this name is used in the file) and, of course, made it executable. I then ran the "/etc/rc2.d/S95idled start" command and got myself kicked off the system. I needed to test it, after all, so I had set my personal idle timeout especially short.
I then modified the start script, replacing the kill logic shown below with a "pkill idled" command.
# Find and kill idled
pid=`/usr/bin/ps -e | /usr/bin/grep idled | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
if [ "$pid" != "" ]; then
    /usr/bin/kill $pid
    echo "idled killed"
fi
;;
Configuration Settings
Some of the configuration settings for idled are listed below along with very brief explanations. You can learn more about these and the rest of the settings by reading the comments included in the configuration file.

sleep #                    time to wait before checking again (secs)
warn #                     time to wait after warning a user (secs)
timeout group staff 120    sets timeout for staff group to 2 hours
timeout login jdoe 15      sets timeout for specific user, jdoe to 15 mins
threshold multiple #       sets threshold after which idled checks if too many logins exist
threshold session #        sets threshold after which idled checks if individual users are logged in too many times
exempt login root all      exempts root from idle session timeouts