Locking inactive user accounts using PAM
05-13-2008, #1
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
Locking inactive user accounts using PAM

Hi All,

This is my first post in the forums. I have done a search of all possible combinations of keywords in the "Linux Security" sub forum for my problem and found nothing - I apologize if this question has already been answered before.

This is my requirement - lock out accounts if they are not active for 30 days. So if an account is created and the user hasn't logged in for 30 days, the account is to be locked until "root" unlocks it. I want a method to do it using PAM. We use PAM modules for account, auth, password and session and have all major modules in the system. I have done a search on the internet to the best of my ability but still have no information on how to accomplish this.


Please let me know if anyone has any ideas/suggestions or pointers.

TIA
rizi
05-13-2008, #2
bigtomrodney
Bigtomrodinator
 
Join Date: Nov 2004
Location: Sunny South-East of Ireland
Posts: 4,774
I am fascinated by this problem. I'm not very knowledgeable of pam and really only have a passing familiarity with it, but I'd like to see how you get on with this problem.

The first thing that occurred to me was to use finger to check last login time, but there may be a native pam way to do this. I looked at pam_tally but I'm not sure if this can be used in this situation. Can you post back if you get any further with this? I'm really curious to see how you get around it now.
05-13-2008, #3
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
Thanks for your response bigtomrodney!

Well, the problem seemed trivial at first but has certainly become a nightmare for me after 2 days of research. I would assume that one of the many PAM modules would handle it and yes I had looked at pam_tally.so but there was nothing in it. Since you are interested I would give you the other solutions that I came up with (none of them are PAM):

1. I do not have "finger" in my system. I would use lastlog to get the information on when each user has last logged on and then lock the accounts for users who haven't logged in the last 30 days. But for this to work I need to eliminate users who are created within the last 30 days (and not logged in). I am yet to find a way to do this.

2. Look at the "last" output to determine which users have logged in the last 30 days and lock all users who haven't logged in for the last 30 days.


These solutions would have been fine except that I need a way to enable and disable this control - that is "root" will have permissions to set a flag to determine whether this feature will be in the system or not. If I write a script to implement this, I would have to write another script to find out all locked users and unlock them in the disable script - and that is surely an ugly way of doing user management. Hope someone would come and save me from all this!!
05-13-2008, #4
bigtomrodney
Bigtomrodinator
 
Join Date: Nov 2004
Location: Sunny South-East of Ireland
Posts: 4,774
I'll try to get a look at this when I get home from work this evening, I'd be interested in a solution for it. Something that occurred to me is to be careful that you don't lock out or amend system users. Maybe some filter on users below UID 1000 could help.

Anyway, I'll certainly try to have a look this evening. Maybe even read up a bit more on PAM too


EDIT - I came across this on Google, if it's any use to you :-

Manpage of PASSWD

Check out the -i and -x switches, looks like there might be a way around this, if you can slightly amend your requirements. If a user's account had a regular password change requirement you could set a reasonably short expiry so that if it wasn't changed within a few days the account would be disabled. Maybe 15 day password turnaround and 15 day expiry? I understand this may not be suitable in your environment but it might be worth considering. It could also be easily reversed using a script for passwd though I'm guessing the users would have to be manually unlocked.

Last edited by bigtomrodney : 05-13-2008 at 09:59 AM.
05-13-2008, #5
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
bigtomrodney - thanks for your offer to help. I will be doing my own research and will surely update the forum if I find a solution (after writing this, I have to admit that I have no choice but to make it work - so I would do some ugly hack and make it work no matter what).

Anyway, the passwd options do not work because they are bound by password changes. So if I am user X and I have my password changed every week through user Y (who has sudo/root access), then it doesn't mean that I am active. The requirement is to lock out all users who haven't logged in, in the last 30 days. On the same note, I see that doing a "su" to a particular user is not considered as logging-in. We need to either enter the console (terminal) or do a SSH/FTP to the machine to make an entry into either "lastlog" (log where user logging-in information is stored) or "last" (same thing but in a different format).
05-14-2008, #6
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
I have decided to go for an ugly hack - write a script that checks which users haven't logged in for the last 30 days and lock them by manually editing the /etc/shadow file. This script would maintain a list of user accounts that are locked in this way and when the system administrator decides to disable this functionality, would modify the shadow file again to unlock all users (usermod can be used generally but we have a wrapper over the same).

But I need more help with the script - how do I find out the time when a user account was created in a Linux environment? I need to lock user accounts only when:

1. the user has not logged in for the last 30 days
2. the user account has existed for more than 30 days (no use in locking a user who got created just yesterday but hasn't logged in yet).

TIA
rizi
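The following is an added example, not rizi's script or anything posted in the thread. It implements the approach worked out in posts #3, #4 and #6 as a POSIX shell script: candidates come from `lastlog -b DAYS` (the shadow-utils option that prints only records older than DAYS, including never-logged-in users), accounts below UID 1000 are skipped as bigtomrodney suggested, locking is done with `usermod -L`/`-U`, and every locked name is recorded so the control can be switched off again. Since nobody in the thread found where account creation time is stored, the script uses the last-password-change field (field 3 of /etc/shadow) as a proxy for account age; that is an assumption, and the state-file path, function names and the sample snapshots are constructed for this example.

```shell
#!/bin/sh
# inactive-lock.sh (constructed example): lock human accounts that have not
# logged in for N days, skipping accounts younger than N days.
#
# select_inactive reads files so the selection logic can be run offline
# against captured snapshots (see demo_selection):
#   $1  output of `lastlog -b N`  (users whose last login is older than N
#                                  days, including "**Never logged in**")
#   $2  passwd snapshot           (name:x:uid:...)
#   $3  shadow snapshot           (name:hash:lastchg:min:max:warn:inact:expire:)
#   $4  today, as days since the epoch (the unit shadow field 3 uses)
#   $5  N, the inactivity threshold in days
#   $6  lowest UID treated as a human account (1000 on most distributions)
#
# Assumption: shadow field 3 (last password change) approximates account
# creation time. An admin-driven password reset moves it forward and
# delays the lock by that much.
select_inactive() {
    awk -F: -v today="$4" -v min_age="$5" -v min_uid="$6" '
        FNR == 1 { file++ }
        file == 1 { uid[$1] = $3; next }        # passwd snapshot
        file == 2 { lastchg[$1] = $3; next }    # shadow snapshot
        file == 3 {
            if (FNR == 1) next                  # lastlog header line
            split($0, w, /[ \t]+/); u = w[1]
            if (!(u in uid) || uid[u] + 0 < min_uid) next    # system account
            if (!(u in lastchg) || lastchg[u] == "") next    # age unknown: leave alone
            if (today - lastchg[u] <= min_age) next          # account too new
            print u
        }
    ' "$2" "$3" "$1"
}

STATE_FILE=${STATE_FILE:-/var/lib/inactive-lock/locked}   # hypothetical path

lock_inactive_accounts() {
    days=${1:-30}
    tmp=$(mktemp) || return 1
    lastlog -b "$days" > "$tmp"
    today=$(( $(date +%s) / 86400 ))
    mkdir -p "$(dirname "$STATE_FILE")"
    select_inactive "$tmp" /etc/passwd /etc/shadow "$today" "$days" 1000 |
    while IFS= read -r u; do
        # usermod -L prefixes the hash with "!" so no password matches;
        # record the name so the change can be reverted by unlock.
        usermod -L "$u" && printf '%s\n' "$u" >> "$STATE_FILE"
    done
    rm -f "$tmp"
}

unlock_recorded_accounts() {
    [ -f "$STATE_FILE" ] || return 0
    while IFS= read -r u; do
        usermod -U "$u"
    done < "$STATE_FILE"
    : > "$STATE_FILE"
}

# Offline run on constructed snapshots dated 14012 days after the epoch
# (May 2008). Expected selection: alice (old account, stale login) and
# carol (old account, never logged in). root and daemon are system
# accounts, bob was created two days ago, and dave logged in recently so
# lastlog -b did not list him.
demo_selection() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$fakehash:13900:0:99999:7:::
daemon:*:13900:0:99999:7:::
alice:$1$fakehash:13900:0:99999:7:::
bob:$1$fakehash:14010:0:99999:7:::
carol:$1$fakehash:13950:0:99999:7:::
dave:$1$fakehash:13900:0:99999:7:::
EOF
    cat > "$d/lastlog" <<'EOF'
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
alice            pts/0    10.0.0.5         Tue Mar 11 08:12:33 +0000 2008
bob                                        **Never logged in**
carol                                      **Never logged in**
EOF
    select_inactive "$d/lastlog" "$d/passwd" "$d/shadow" 14012 30 1000
    rm -rf "$d"
}

# Usage: sh inactive-lock.sh lock [DAYS] | unlock | demo
case "${1:-}" in
    lock)   lock_inactive_accounts "${2:-30}" ;;
    unlock) unlock_recorded_accounts ;;
    demo)   demo_selection ;;
esac
```

`lock` and `unlock` need root and touch /etc/shadow; `demo` only exercises the selection on the embedded snapshots. The fields that `passwd -x` and `-i` from post #4 set are shadow fields 5 and 7, which this script deliberately ignores because, as post #5 notes, they track password changes rather than logins. Later Linux-PAM releases ship pam_lastlog with an `inactive=<days>` option for the account stack that refuses login to accounts idle that long, which is the native PAM answer to the original question for systems new enough to have it.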