Question: How to expire/deactivate inactive user accounts?

Posted by Kellen on Sat 5 Mar 2005 at 00:15

I have a machine which has a large number of users, many of whom are inactive. I would like to be able to identify and purge these users and their files. Is there a standard way to do this, and if so, what is it?

lastlog looks promising, but I have the added complication of users who check their email via IMAP (dovecot and imp3), and local users who have multiple accounts and just su to their other accounts. It seems like I could grep the auth and imap log files for this info, but this problem must have previously been solved more elegantly.

So:

  1. What is the standard way of expiring user accounts?
  2. Is there an integrated way to log su's and imap access? (a.k.a. "help me deal with my possibly strange setup")


Re: Question: How to expire/deactivate inactive us
Posted by Steve (82.41.xx.xx) on Sun 6 Mar 2005 at 13:30

The standard way of expiring accounts is to set an expiry date on the passwords - this would prevent them from logging in or using su to switch users.

However, I'm not sure how the IMAP logins would work with that.

Usually expiration dates are set up when the accounts are created, but you can use the usermod command to set them up at any time you like.

The general way you'd run it is:

usermod -e 2005-03-10 username

But you can read all the details by running:

man usermod

I'd wonder why you have so many accounts that you can't keep track of? Perhaps removing the accounts people are su'ing to? Or disabling all accounts and having people call you to see which ones are needed might work?

Steve
-- Steve.org.uk

[ Parent ]

Re: Question: How to expire/deactivate inactive us
Posted by hruske (193.2.xx.xx) on Sun 6 Mar 2005 at 18:34
Here's a quick guide about password aging; it's not Debian, but it's a hint. http://www.puschitz.com/SecuringLinux.shtml#EnablingPasswordAging

[ Parent ]

Re: Question: How to expire/deactivate inactive us
Posted by Kellen (68.15.xx.xx) on Mon 7 Mar 2005 at 01:32
Let's just say I inherited a system where people had multiple accounts for their multiple emails (not the best system, I know). Perhaps a partial solution to this would be to separate out the IMAP-only users and have them be without local accounts at all... But I don't know how to do this either =/

[ Parent ]

Re: Question: How to expire/deactivate inactive us
Posted by Steve (82.41.xx.xx) on Mon 7 Mar 2005 at 01:34

I guess one way to move forward would be to use the system's /etc/aliases file, or similar, to redirect mail to the correct users.

So instead of having two users bob and support you just have the bob user - and inside your /etc/aliases file you add:

support : bob

Once you run newaliases bob should now get all mail addressed to support.

(Depending on the mail server you're using this might be ignored - but if not it's a very simple solution which might allow you to cut down on your login accounts)

Steve
-- Steve.org.uk

[ Parent ]

Re: Question: How to expire/deactivate inactive us
Posted by Kellen (68.15.xx.xx) on Mon 7 Mar 2005 at 02:04
Yeah, I'm aware of aliases and use it in most circumstances. I'm not so worried about the users that have multiple accounts as the "dead" accounts, which still have valid passwords and shells. It seems I shall be grepping some archived mail.log files for "imap-login".

[ Parent ]
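
Added example, not part of the original thread: one way to combine the sources discussed above (logins, su sessions and IMAP logins) into a list of accounts that show no activity in the retained logs. The log line formats, the min_uid of 1000 for regular accounts, and the function names are assumptions; the passwd entries and log lines are constructed samples.

```python
import re

# Assumed log line shapes; adjust to your own auth.log and mail.log.
PATTERNS = [
    re.compile(r"imap-login: Login: user=<([^>]+)>"),                 # dovecot
    re.compile(r"\bsu(?:\[\d+\])?: .*session opened for user (\S+)"),  # su via PAM
    re.compile(r"\bsshd\[\d+\]: Accepted \S+ for (\S+) from "),         # OpenSSH
]

def active_users(log_lines):
    """Return the set of account names that show activity in the logs."""
    seen = set()
    for line in log_lines:
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                seen.add(match.group(1))
                break
    return seen

def dormant_candidates(passwd_lines, log_lines, min_uid=1000):
    """List (name, shell) for regular accounts that never appear in the logs."""
    active = active_users(log_lines)
    result = []
    for entry in passwd_lines:
        fields = entry.rstrip("\n").split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments and malformed entries
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and name not in active:
            result.append((name, shell))
    return sorted(result)

# Constructed sample data (passwd entries and log lines), not from a real system.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "bob:x:1000:1000::/home/bob:/bin/bash",
    "support:x:1001:1001::/home/support:/bin/bash",
    "carol:x:1002:1002::/home/carol:/bin/bash",
    "dave:x:1003:1003::/home/dave:/bin/bash",
    "erin:x:1004:1004::/home/erin:/bin/false",
]
SAMPLE_LOGS = [
    "Mar  6 13:30:01 host sshd[811]: Accepted password for bob from 192.0.2.7 port 50022 ssh2",
    "Mar  6 13:31:12 host su[840]: pam_unix(su:session): session opened for user support by bob(uid=1000)",
    "Mar  6 14:02:45 host dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9",
    "Mar  6 14:05:00 host sshd[900]: Failed password for dave from 192.0.2.66 port 40100 ssh2",
]

print(dormant_candidates(SAMPLE_PASSWD, SAMPLE_LOGS))
```

An account is only a candidate if it is absent from every log still kept, so feed in the rotated and archived files as well as the current ones.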

Re: Question: How to expire/deactivate inactive us
Posted by Anonymous (213.164.xx.xx) on Mon 7 Mar 2005 at 13:05
Expiring an account won't prevent it being used.

Remember to check for:
cron jobs, mail spool entries, at jobs, ssh keys, etc.

[ Parent ]

Re: Question: How to expire/deactivate inactive user accounts?
Posted by Anonymous (12.175.xx.xx) on Tue 29 May 2007 at 23:21
To disable inactive or "dormant" accounts, use the usermod -s command to set the user's default shell to /bin/false, /usr/bin/false, /sbin/false, /sbin/nologin, or /dev/null.

[ Parent ]