Securing the console by forcing log off regardless of application running
Problem: Linux console is left "open" (=user logged on), running an application like emacs, less - whatever. How to force the user to log off after a certain time of inactivity no matter what the user is doing on the console? Setting shell timeout is not the solution because it does not work if an application is running - and this "timeout solution" is something all my searches tend to find.
The user should be logged out regardless of being a root or non-root user. Logging out nicely (like the shell timeout) or less nicely (like killing the login shell) is acceptable - forgetting the console unlocked after office hours is not acceptable. Console login cannot be completely forbidden either.
I am thinking of something like when the console is blanked after inactivity, could this be used to trigger something to log out all console sessions? Or could this be implemented via a cron job which would check the inactivity at certain time intervals?
You can set the TMOUT variable and that will log off a user from the console after a period of inactivity. It's calculated in seconds, so if you want the timeout to be 5 minutes, 300 should be the number you use.
Last edited by ihaveavirus; 08-08-2016 at 01:36 PM.
As I wrote, the shell timeout does not work if the user is running for example emacs. Not only does it allow using the application currently running, CTRL-Z and you have shell access. I need a way to terminate the console session of an idle user automatically no matter what application is running.
Too much coffee today, my apologies for all the edits. Do your users use SSH? You can set the client timeout to whatever you want. This will terminate any SSH traffic after a given period of inactivity. The ClientAliveInterval is the setting you want to adjust in your server's sshd config file to a set number of seconds and then set the ClientAliveCountMax to 0. This will ensure a user's login gets terminated as soon as the ClientAliveInterval is reached.
Last edited by ihaveavirus; 08-08-2016 at 03:05 PM.
SSH is not the problem - in fact those connections I do NOT want to terminate. Since it looks like there is nothing reliable and ready made for this, I wrote a script to list tty users, then read their last activity time from /dev/ttyX and then run that in cron.
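The approach described in the last post (list the console users, read each tty's last activity time, run the check from cron), as an added sketch that is not the poster's script. `IDLE_LIMIT`, `DEV_DIR`, the function names and the crontab path are assumptions made here; it relies on GNU `stat` and procps `pkill`.

```shell
#!/bin/sh
# Constructed sketch: log out idle virtual-console sessions, leave SSH (pts/*) alone.
IDLE_LIMIT=${IDLE_LIMIT:-900}   # allowed inactivity in seconds (assumed policy value)
DEV_DIR=${DEV_DIR:-/dev}        # overridable so the logic can be tried on plain files

# True only for virtual consoles (tty1, tty2, ...); pts/N and ttyS0 are skipped.
is_console_tty() {
    case $1 in
        tty[0-9]*) case ${1#tty} in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# Seconds since the last input on a terminal: now minus the device's atime,
# the timestamp w and who -u use for their idle column.
idle_seconds() {
    atime=$(stat -c %X "$1") || return 1      # GNU stat: atime as epoch seconds
    echo $(( ${2:-$(date +%s)} - $atime ))
}

# Reads `who` output on stdin; prints "user tty idle" for each console over the limit.
idle_console_sessions() {
    while read -r user line rest; do
        is_console_tty "$line" || continue
        idle=$(idle_seconds "$DEV_DIR/$line") || continue
        if [ "$idle" -gt "$IDLE_LIMIT" ]; then
            echo "$user $line $idle"
        fi
    done
}

# Acts only when asked, e.g. from root's crontab (script path is hypothetical):
#   */5 * * * * /usr/local/sbin/console-idle-logout --enforce
if [ "${1:-}" = "--enforce" ]; then
    who | idle_console_sessions | while read -r user tty idle; do
        logger -t console-idle "logging out $user on $tty after ${idle}s idle"
        pkill -HUP -t "$tty"     # hang up everything attached to that console
        sleep 5
        pkill -KILL -t "$tty"    # then kill whatever ignored the hangup
    done
fi
```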