Welcome to Linux Forums!

With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.

Linux Forum ArticlesLinux ForumsLinux Forum DownloadsLinux Hosts
Home|Register|FAQ|Member List|Calendar|Unanswered Posts|Forum Rules|Today's Posts|Advanced Search|
SEARCH FOR IN
Go Back   Linux Forums > GNU Linux Zone > Linux Security
Reload this Page Locking inactive user accounts using PAM
Linux Forums
Linux Forums
Welcome To The Linux Forums!
Welcome to Linux Forums. We pride ourselves in being one of the largest Linux communities on the web, we encourage you to REGISTER on our forums and participate in the community. There are over 150,000 members ready to answer your questions. JOINING US today will allow you to make new posts, get support, send messages to other members and submit downloads to our downloads directory and many other great features!

Linux Security Discussion about keeping your machines secure, and the crackers out.

Reply
 
Thread Tools Display Modes
Old 05-13-2008   #1 (permalink)
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
Locking inactive user accounts using PAM
Hi All,

This is my first post in the forums. I have done a search of all possible combinations of keywords in the "Linux Security" sub forum for my problem and found nothing - I apologize if this question has already been answer before.

This is my requirment - lock out accounts if its not active for 30 days. So if an account is created and the user hasn't logged in for 30 days, the account is to be locked until "root" unlocks it. I want a method to do it using PAM. We use PAM modules for account, auth, password and session and have all major modules in the system. I have done a search in the internet to the best of my ability but still have no information on how to accomplish this.


Please let me know if anyone has any ideas/suggestions or pointers.

TIA
rizi
rizi is offline   Reply With Quote
Old 05-13-2008   #2 (permalink)
bigtomrodney
Bigtomrodinator
 
bigtomrodney's Avatar
 
Join Date: Nov 2004
Location: Sunny South-East of Ireland
Posts: 4,774
I am fascinated by this problem. I'm not very knowledgeable of pam and really only have a passing familiarity with it, but I'd like to see how you get on with this problem.

The first thing that occured to me was to use finger to check last login time, but there may be a native pam way to do this. I looked at pam_tally but I'm not sure if this can be used in this situation. Can you post back if you get any further with this? I'm really curious to see how you get around it now.
bigtomrodney is online now   Reply With Quote
Old 05-13-2008   #3 (permalink)
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
Thanks for your response bigtomrodney!

Well, the problem seemed trivial at first but has certainly became a nightmare for me after 2 days of research. I would assume that one of the many PAM modules would handle it and yes I had looked at pam_tally.so but there was nothing in it. Since you are interested I would give you the other solutions that I came up with (none of them are PAM):

1. I do not have "finger" in my system. I would use lastlog to get the information on when each user has last logged on and then lock the accounts for users who haven't logged in the last 30 days. But for this to work I need to eliminate users who are created within the last 30 days (and not logged in). I am yet to find a way to do this.

2. Look at the "last" output to determine which users have logged in the last 30 days and lock all users who haven't logged in for the last 30 days.


These solutions would have been fine with except that I need a way to enable and disable this control - that is "root" will have permissions to set a flag to determine whether this feature will be in the system or not. If I write a script to implement this, I would have to write another script to find out all locked users and unlock them in the disable script - and that is surely a ugly way to doing user management. Hope someone would come and save me from all this!!
rizi is offline   Reply With Quote
Old 05-13-2008   #4 (permalink)
bigtomrodney
Bigtomrodinator
 
bigtomrodney's Avatar
 
Join Date: Nov 2004
Location: Sunny South-East of Ireland
Posts: 4,774
I'll try to get a look at this when I get home from work this evening, I'd be interested in a solution for it. Something that occurred to me is to be careful that you don't lock out or amend system users. Maybe some filter on users below UID 1000 could help.

Anyway, I'll certainly try to have a look this evening. Maybe even read up a bit more on PAM too


EDIT - I came across this in a google if it's any use to you :-

Manpage of PASSWD

Check out the -i and -x switches, looks like there might be a way around this, if you can slightly amend your requirements. If a users account had a regular password change requirement you could set a reasonably short expiry so that if it wasn't changed with a few days the account would be disabled. Maybe 15 day password turnaround and 15 day expiry? I understand this may not be suitable in your environment but it might be worth considering. It could also be easily reversed using a script for passwd though I'm guess the users would have to be manually unlocked.
Last edited by bigtomrodney : 05-13-2008 at 09:59 AM.
bigtomrodney is online now   Reply With Quote
Old 05-13-2008   #5 (permalink)
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
bigtomrodney - thanks for your offer to help. I will be doing my own research and will surely update the forum if I find a solution (after writing this, I have to admit that I have no choice to make it work - so I would do some ugly hack and make it work no matter what).

Anyway, the passwd options do not work because they are bound by password changes. So if I am user X and I have my password changed every week through user Y (who has sudo/root access), then it doesn't mean that I am active. the requirement is to lock out all users who haven't logged in, in the last 30 days. On the same note, I see that doing a "su" to a particular user is not considered as logging-in. We need to either enter the console (terminal) or do a SSH/FTP to the machine to make an entry into either "lastlog" (log where user logging-in information are stored) or "last" (same thing but in a different format).
rizi is offline   Reply With Quote
Old 05-14-2008   #6 (permalink)
rizi
Just Joined!
 
Join Date: May 2008
Posts: 7
I have decided to go for a ugly hack - write a script that checks for which user's haven't loggedin for the last 30 days and lock them by manually editing the /etc/shadow file manually. This script would maintain a list of user accounts that are locked in this way and when the system administrator decided to disable this functionality, would modify the shadow file again to unlock all users (usermod can be used generally but we have a wrapper over the same).

But I need another help with the script - how do I find out the time when a user account is created in a linux environment? I need to lock user accounts only when:

1. the user has not logged in for the last 30 days
2. the user account exists for atleast more than 30 days (no use in locking a user who got created just yesterday but hasn't logged in yet).

TIA
rizi
rizi is offline   Reply With Quote
Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


All times are GMT. The time now is 11:07 PM.

Contact Us | Advertise | Archive | Top
Powered by vBulletin 3.6.8 ©2000 - 2007, content relevant URLs by vBSEO, Property of Core Root.

Content Relevant URLs by vBSEO 3.0.0