Logging Users Out Automatically


It is not uncommon for a user to log in to her account on a Linux system and to then become preoccupied with some other task or situation, forgetting that she is logged in at all. The user's session then sits inactive for an extended period of time.

Unfortunately, inactive user sessions can represent a serious security risk, especially on systems that allow remote logins. Network connections that are left open this way can eventually be hijacked by malicious users, who then have access to the user's account and, by extension, your system.

Aside from the religious use of ssh in place of telnet or other remote login commands, this type of risk can most easily be remedied by setting a login timeout, a delay after which a user is automatically logged out if she hasn't pressed a key.

The TMOUT variable can be used to cause the default shell to automatically log out the user after a period of inactivity, measured in seconds. For example, setting the value of TMOUT to 1800 would log out the user after 1800 seconds, or 30 minutes, of inactivity.

Setting a Login Timeout

To cause the value of the TMOUT variable to automatically be set whenever a user logs in, you must create a file in the /etc/profile.d directory, which contains a set of script fragments that are automatically run each time a user logs in. This file should end with .sh to indicate that it is for the standard shell and should set the value of the TMOUT variable. Use a text editor to create a file called /etc/profile.d/secure.sh, which contains only a single line:

 TMOUT=1800 

After you save the file and exit the text editor, don't forget to mark it as executable by everyone:

 [root@workstation20 you]# chmod ugo+x /etc/profile.d/secure.sh
 [root@workstation20 you]#

Linux also includes a number of alternate shells in addition to the standard shell; advanced Linux or Unix users can use the chsh command to select among them for day-to-day command-line work. Two alternate shells provide login timeout functionality; they are called csh and tcsh. To accommodate these alternate shells, you must create another script fragment. In these, the timeout variable is autologout, and the timer value is measured in minutes. Use a text editor to create a file for these shells called /etc/profile.d/secure.csh, which contains only the following line:

 set autologout=30 

Again, don't forget to mark the file as executable:

 [root@workstation20 you]# chmod ugo+x /etc/profile.d/secure.csh
 [root@workstation20 you]#

Account holders who log in using any of the major shells are now logged out after 30 minutes of inactivity.

Removing Minor Shells

The list of shells from which users of the chsh command can select includes several shells that do not support login timeouts at all. For this reason, these shells should be removed from the list of shells available to users, which is stored in /etc/shells.

The default /etc/shells file is shown in Listing 30.2. The entries for the ash and bsh shells, which do not support login timeouts, can be removed using a text editor to produce the shortened /etc/shells file shown in Listing 30.3.

Listing 30.2. The Original /etc/shells File
 /bin/sh
 /bin/bash
 /sbin/nologin
 /bin/bash2
 /bin/ash
 /bin/bsh
 /bin/tcsh
 /bin/csh

Listing 30.3. The Edited /etc/shells File
 /bin/sh
 /bin/bash
 /sbin/nologin
 /bin/bash2
 /bin/tcsh
 /bin/csh

After you edit the /etc/shells file, users can select only from shells that log them out after a period of inactivity.
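
To confirm that all three steps above took effect, the following audit script can be run as a check. It is an added example, not code from the book; the function name audit_timeouts and the sample files it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the login-timeout setup described in this section.
# Shells kept in Listing 30.3 (the edited /etc/shells file).
TIMEOUT_SHELLS="/bin/sh /bin/bash /sbin/nologin /bin/bash2 /bin/tcsh /bin/csh"

# audit_timeouts PROFILE_DIR SHELLS_FILE (hypothetical helper)
# Prints one finding per line; returns 0 if clean, 1 if anything needs fixing.
audit_timeouts() {
    profile_dir=$1; shells_file=$2; bad=0

    # Standard shell: an uncommented, non-zero TMOUT=<seconds> in a .sh fragment.
    if ! grep -Eqs '^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT=[1-9][0-9]*' "$profile_dir"/*.sh; then
        echo "MISSING: no TMOUT=<seconds> in $profile_dir/*.sh"
        bad=1
    fi
    # csh and tcsh: a non-zero "set autologout=<minutes>" in a .csh fragment.
    if ! grep -Eqs '^[[:space:]]*set[[:space:]]+autologout[[:space:]]*=[[:space:]]*[1-9][0-9]*' "$profile_dir"/*.csh; then
        echo "MISSING: no 'set autologout=<minutes>' in $profile_dir/*.csh"
        bad=1
    fi
    # Every shell that chsh offers must be one that supports a login timeout.
    while IFS= read -r shell || [ -n "$shell" ]; do
        case $shell in ''|'#'*) continue ;; esac
        case " $TIMEOUT_SHELLS " in
            *" $shell "*) ;;
            *) echo "REMOVE: $shell in $shells_file has no login timeout"; bad=1 ;;
        esac
    done < "$shells_file"
    return $bad
}

# Constructed sample: both fragments plus the original Listing 30.2 shell list.
demo=$(mktemp -d)
echo 'TMOUT=1800' > "$demo/secure.sh"
echo 'set autologout=30' > "$demo/secure.csh"
printf '%s\n' /bin/sh /bin/bash /sbin/nologin /bin/bash2 /bin/ash /bin/bsh /bin/tcsh /bin/csh > "$demo/shells"
audit_timeouts "$demo" "$demo/shells" || echo "findings above need fixing"
rm -rf "$demo"
```

On a live system, call it as audit_timeouts /etc/profile.d /etc/shells. TMOUT is an ordinary shell variable, so a user can unset or change it in her own session unless the fragment also declares it readonly.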



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One
    Cisco ASA and PIX Firewall Handbook
    ISBN: N/A
    EAN: 2147483647
    Year: 2006
    Pages: 311
    Authors: David Hucaby
