[Chapter 8] 8.4 Managing Dormant Accounts

Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 8.3 Restricting LoginsChapter 8
Defending Your Accounts
Next: 8.5 Protecting the root Account
 

8.4 Managing Dormant Accounts

If a user is going to be gone for an extended period of time, you may wish to consider preventing direct logins to the user's account until his or her return. This assures that an intruder won't use the person's account in his or her absence. You may also wish to disable accounts that are seldom used, enabling them only as needed.

There are three simple ways to prevent logins to an account:

  1. Change the account's password.

  2. Modify the account's password so it can't be used.

  3. Change the account's login shell.

Actually, you may want to consider doing all three.

8.4.1 Changing an Account's Password

You can prevent logins to a user's account by changing his password to something he doesn't know. Remember, you must be the superuser to change another user's password.

For example, you can change mary's password simply by typing the following:

# passwd mary
New password: dis1296
Retype new password: dis1296

Because you are the superuser, you won't be prompted for the user's old password.

This approach causes the operating system to forget the user's old password and install the new one. Presumably, when the proper user of the account finds herself unable to log in, she will contact you and arrange to have the password changed to something else.

Alternatively, you can prevent logins to an account by inserting an asterisk in the password field of the user's account. For example, consider a sample /etc/passwd entry for mary:

mary:fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

To prevent logins to Mary's account, change the password field to look like this:

mary:*fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

Mary won't be able to use her account until you remove the asterisk. When you remove it, she will have her original password back. We describe this in greater detail later in "Disabling an Account by Changing its Password."

If you use shadow passwords on your system, be sure you are editing the password file that contains them, and not /etc/passwd. You can tell that you are using shadow passwords if the password field in /etc/passwd is blank or contains an asterisk or hash marks for every password, instead of containing regular encrypted passwords.

Some UNIX versions require that you use a special command to edit the password file. This command ensures that two people are not editing the file at the same time, and also rebuilds system databases if necessary. On Berkeley-derived systems, the command is called vipw.

Under System V-derived versions of UNIX, you can accomplish the same thing as adding an asterisk by using the -l option to the passwd command:

# passwd -l mary

NOTE: Note that if you use the asterisk in the password file to disable the account, it could still be used with su, or from a remote login using the trusted hosts mechanism (~/.rhosts file or /etc/hosts.equiv). (For more information, see Chapter 17, TCP/IP Services). Thus, changing the password is not sufficient to block access to an account on such a system.

8.4.2 Changing the Account's Login Shell

Another way to prevent direct logins to an account is to change the account's login shell so that instead of letting the user type commands, the system simply prints an informative message and exits. This change effectively disables the account. For example, you might change the line in /etc/passwd for the mary account from this:

mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/bin/csh

to this:

mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/etc/disabled

You would then create a shell script called /etc/disabled:

#!/bin/sh
/bin/echo Your account has been disabled because you seem to have 
/bin/echo forgotten about it. If you want your account back, please 
/bin/echo call Jay at 301-555-1234.
/bin/sleep 10

When Mary tries to log in, this is what she will see:

bigblu login: mary
password: mary1234
Last login: Sun Jan 20 12:10:08 on ttyd3

		Whammix V17.1 ready to go!

Your account has been disabled because you seem to have
forgotten about it. If you want your account back, please
call Jay at 301-555-1234.

bigblu login:

NOTE: Most versions of the ftpd FTP daemon will block access for users who have shells that are not listed in the file /etc/shells. Some versions, though, will not. You should check your FTP daemon for this behavior. If it does not block access, you may wish to change both the password and the shell to disable an account.

8.4.3 Finding Dormant Accounts

Accounts that haven't been used for an extended period of time are a potential security problem. They may belong to someone who has left or is on extended leave, and therefore the account is unwatched. If the account is broken into or the files are otherwise tampered with, the legitimate user might not take notice for some time to come. Therefore, disabling dormant accounts is good policy.

One way to disable accounts automatically when they become dormant (according to your definition of dormant) is to set a dormancy threshold on the account. Under System VR4, you can do this with the -f option to the usermod command:

# usermod -f 10 spaf

In this example, user spaf will have his account locked if a login is not made at least once during any 10-day period. (Note that having an active session continue operation during this interval is not sufficient - the option requires a login.)

If your version of UNIX is not SVR4 and does not have something equivalent, you will need to find another way to identify dormant accounts. Below is a simple shell script called not-this-month, which uses the last command to produce a list of the users who haven't logged in during the current month. Run it the last day of the month to produce a list of accounts that you may wish to disable:

#!/bin/sh
#
# not-this-month:
# Gives a list of users who have not logged in this month.
#
PATH=/bin:/usr/bin;export PATH
umask 077
THIS_MONTH=`date | awk '{print $2}'`
/bin/last | /bin/grep $THIS_MONTH | awk '{print $1}' |  /bin/sort -u > /tmp/users1$$ 
cat-passwd | /bin/awk -F: '{print $1}' | /bin/sort -u > /tmp/users2$$
/bin/comm -13 /tmp/users[12]$$
/bin/rm -f /tmp/users[12]$$

The following explains the details of this shell script:

umask 077

Sets the umask value so that other users on your system will not be able to read the temporary files in /tmp.

PATH = /bin:/usr/bin

Sets up a safe path.

THIS_MONTH=`date | awk "{print $2}"`

Sets the shell variable THIS_MONTH to be the name of the current month.

last

Generates a list of all of the logins on record.

| grep $THIS_MONTH

Filters the above list so that it includes only the logins that happened this month.

| awk '{print $1}'

Selects out the login name from the above list.

| sort -u

Sorts the list of logins alphabetically, and removes multiple instances of account names.

cat -passwd | awk -F: '{print $1}'

Generates a list of the usernames of every user on the system.[4]

[4] Recall that we told you earlier that we would define cat-passwd to be the system-specific set of commands to print the contents of the password file.

comm -13

Prints items present in the second file, but not the first: the names of accounts that have not been used this month.

This shell script assumes that the database used by the last program has been kept for at least one month.

After you have determined which accounts have not been used recently, consider disabling them or contacting their owners. Of course, do not disable accounts such as root, bin, uucp, and news that are used for administrative purposes and system functions. Also remember that users who only access their account with the rsh (the remote shell command) or su commands won't show up with the last command.

NOTE: In most environments, the last program only reports logins and logouts on the computer running it. Therefore, this script will not report users who have used other computers that are on the network, but have not used the computer on which the script is being run.

Discovering dormant accounts in a networked environment can be a challenging problem. Instead of looking at login/logout log files, you may wish to examine other traces of user activity, such as the last time that email was sent or read, or the access times on the files in a user's home directory.


Previous: 8.3 Restricting LoginsPractical UNIX & Internet SecurityNext: 8.5 Protecting the root Account
8.3 Restricting LoginsBook Index8.5 Protecting the root Account