8.4 Managing Dormant Accounts

If a user is going to be gone for an extended period of time, you may wish to consider preventing direct logins to the user's account until his or her return. This assures that an intruder won't use the person's account in his or her absence. You may also wish to disable accounts that are seldom used, enabling them only as needed. There are three simple ways to prevent logins to an account:
Actually, you may want to consider doing all three.

8.4.1 Changing an Account's Password

You can prevent logins to a user's account by changing his password to something he doesn't know. Remember, you must be the superuser to change another user's password. For example, you can change mary's password simply by typing the following:

    # passwd mary
    New password: dis1296
    Retype new password: dis1296

Because you are the superuser, you won't be prompted for the user's old password. This approach causes the operating system to forget the user's old password and install the new one. Presumably, when the proper user of the account finds herself unable to log in, she will contact you and arrange to have the password changed to something else.

Alternatively, you can prevent logins to an account by inserting an asterisk in the password field of the user's account. For example, consider a sample /etc/passwd entry for mary:

    mary:fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

To prevent logins to Mary's account, change the password field to look like this:

    mary:*fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

Mary won't be able to use her account until you remove the asterisk. When you remove it, she will have her original password back. We describe this in greater detail later in "Disabling an Account by Changing its Password."

If you use shadow passwords on your system, be sure you are editing the password file that contains them, and not /etc/passwd. You can tell that you are using shadow passwords if the password field in /etc/passwd is blank or contains an asterisk or hash marks for every password, instead of containing regular encrypted passwords.

Some UNIX versions require that you use a special command to edit the password file. This command ensures that two people are not editing the file at the same time, and also rebuilds system databases if necessary. On Berkeley-derived systems, the command is called vipw.
Under System V-derived versions of UNIX, you can accomplish the same thing as adding an asterisk by using the -l option to the passwd command:

    # passwd -l mary
8.4.2 Changing the Account's Login Shell

Another way to prevent direct logins to an account is to change the account's login shell so that instead of letting the user type commands, the system simply prints an informative message and exits. This change effectively disables the account. For example, you might change the line in /etc/passwd for the mary account from this:

    mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/bin/csh

to this:

    mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/etc/disabled

You would then create a shell script called /etc/disabled:

    #!/bin/sh
    /bin/echo Your account has been disabled because you seem to have
    /bin/echo forgotten about it. If you want your account back, please
    /bin/echo call Jay at 301-555-1234.
    /bin/sleep 10

When Mary tries to log in, this is what she will see:

    bigblu login: mary
    password: mary1234
    Last login: Sun Jan 20 12:10:08 on ttyd3
    Whammix V17.1 ready to go!
    Your account has been disabled because you seem to have
    forgotten about it. If you want your account back, please
    call Jay at 301-555-1234.
    bigblu login:
8.4.3 Finding Dormant Accounts

Accounts that haven't been used for an extended period of time are a potential security problem. They may belong to someone who has left or is on extended leave, and therefore the account is unwatched. If the account is broken into or the files are otherwise tampered with, the legitimate user might not take notice for some time to come. Therefore, disabling dormant accounts is good policy.

One way to disable accounts automatically when they become dormant (according to your definition of dormant) is to set a dormancy threshold on the account. Under System VR4, you can do this with the -f option to the usermod command:

    # usermod -f 10 spaf

In this example, user spaf will have his account locked if a login is not made at least once during any 10-day period. (Note that having an active session continue operation during this interval is not sufficient - the option requires a login.)

If your version of UNIX is not SVR4 and does not have something equivalent, you will need to find another way to identify dormant accounts. Below is a simple shell script called not-this-month, which uses the last command to produce a list of the users who haven't logged in during the current month. Run it the last day of the month to produce a list of accounts that you may wish to disable:

    #!/bin/sh
    #
    # not-this-month:
    # Gives a list of users who have not logged in this month.
    #
    PATH=/bin:/usr/bin;export PATH
    # Temporary files are created readable only by the invoking user.
    umask 077
    THIS_MONTH=`date | awk '{print $2}'`
    # Users with at least one login record this month.
    /bin/last | /bin/grep $THIS_MONTH | awk '{print $1}' | /bin/sort -u > /tmp/users1$$
    # Every account name; cat-passwd is a helper that is not defined in this section.
    cat-passwd | /bin/awk -F: '{print $1}' | /bin/sort -u > /tmp/users2$$
    # Names that appear only in the second list: no login this month.
    /bin/comm -13 /tmp/users[12]$$
    /bin/rm -f /tmp/users[12]$$

The following explains the details of this shell script:
This shell script assumes that the database used by the last program has been kept for at least one month.

After you have determined which accounts have not been used recently, consider disabling them or contacting their owners. Of course, do not disable accounts such as root, bin, uucp, and news that are used for administrative purposes and system functions. Also remember that users who only access their account with the rsh (the remote shell command) or su commands won't show up with the last command.
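
An added example, not from the original text: a variant of the dormant-account check that works on saved last output and a passwd-format file, skips the administrative accounts named above, and also reports whether each dormant account is already locked with an asterisk (8.4.1) or pointed at /etc/disabled (8.4.2). The function names, file arguments and sample entries are assumptions constructed for illustration, and it assumes the password fields are not shadowed.

```shell
#!/bin/sh
# Added example, not from the original text. All sample data is constructed.

# dormant_report PASSWD_FILE LAST_FILE MONTH
# Prints "user status" for each account in PASSWD_FILE with no login record
# for MONTH (e.g. Jan) in LAST_FILE, which holds saved output of last.
dormant_report() {
    awk -F: -v month="$3" '
        BEGIN {
            # Administrative accounts the text says not to disable.
            n = split("root bin uucp news", a, " ")
            for (i = 1; i <= n; i++) admin[a[i]] = 1
        }
        FILENAME == ARGV[1] {
            # last output: user is the first word; the month column moves
            # when a host column is present, so scan the remaining words.
            n = split($0, w, " ")
            for (i = 2; i <= n; i++) if (w[i] == month) seen[w[1]] = 1
            next
        }
        ($1 in admin) || ($1 in seen) { next }
        {
            if (substr($2, 1, 1) == "*") status = "locked"
            else if ($7 == "/etc/disabled") status = "shell-disabled"
            else status = "enabled"
            print $1, status
        }
    ' "$2" "$1" | sort
}

demo() {
    dir=$(mktemp -d) || return 1   # private directory, no guessable /tmp name
    cat > "$dir/passwd" <<'EOF'
root:a0a0a0a0a0a0a:0:0:Operator:/:/bin/sh
mary:*fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh
spaf:b1b1b1b1b1b1b:106:100:Constructed User:/u/spaf:/bin/csh
jay:c2c2c2c2c2c2c:107:100:Constructed User:/u/jay:/etc/disabled
tim:d3d3d3d3d3d3d:108:100:Constructed User:/u/tim:/bin/csh
EOF
    cat > "$dir/last" <<'EOF'
tim   ttyd3    Sun Jan 20 12:10 - 12:40  (00:30)
spaf  ttyp1    host.example  Mon Dec 31 09:00 - 09:05  (00:05)
root  console  Tue Jan  1 08:00   still logged in
EOF
    dormant_report "$dir/passwd" "$dir/last" Jan
    rm -rf "$dir"
}

demo
```

Accounts reported as "enabled" are the ones still open to login; as with not-this-month, users who only arrive through rsh or su will be listed as dormant.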