Configuring shell auto logout features

  • 7007128
  • 01-Nov-2010
  • 30-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Workgroup Suite Small Business Edition (NOWS SBE)
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Desktop 10

Situation

Shell access, whether through a local shell or an ssh connection to another host, remains open for as long as the user does not terminate the connection or close the shell. This might be considered an issue in some environments if users leave their desks unattended. Depending on the shell, the system can be configured to close shell access after a certain period of inactivity.

Resolution

The Bourne Again Shell (/bin/bash) and Korn shell (/bin/ksh) provide an environment variable called TMOUT that specifies the number of seconds of inactivity after which the connection is closed automatically:

tux@linux:~> su - test
Password:
test@linux:~> echo $SHELL
/bin/bash
test@linux:~> export TMOUT=30
test@linux:~> timed out waiting for input: auto-logout
tux@linux:~>

In this example the user "tux" switched to the account of the user "test" by using su -. After 30 seconds of inactivity the user gets logged out.

The TMOUT variable can also be used to close access to remote hosts:

test@linux1:~> ssh root@linux2
Last login: Mon Nov  1 14:02:13 2010 from linux1.testenv.site
linux2:~ # timed out waiting for input: auto-logout
Connection to 192.168.66.10 closed.
test@linux1:~>

On ksh, a warning is issued once the number of seconds specified by TMOUT has elapsed; the shell exits 60 seconds after this warning.

Bash and ksh settings are read from /etc/profile, /etc/profile.local, $HOME/.profile, $HOME/.bashrc and $HOME/.kshrc. As /etc/profile may get updated by YaST2 Online Update, it is recommended to place local changes in /etc/profile.local.

Note: The TMOUT option applies to the active shell only. If a user switches from one shell to another, for example by having /bin/bash as the login shell and then starting /bin/ksh, the timeout will first close the ksh. Another full timeout cycle is needed to close the remaining shell. The same applies to ssh connections.

The variable for csh (/bin/csh) is called autologout and specifies minutes of inactivity. By default this feature only applies to environments where no X is running; see man csh for details.

To temporarily disable the environment variable, use the command "unset", which is available in the shells mentioned above. Because any user can issue this command to unset the TMOUT value, the timeout should not be considered a measure that increases the security of the system.
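
One way to address the unset caveat above in /etc/profile.local is to mark TMOUT read-only after setting it. This is an added example, not part of the original article; IDLE_SECONDS, its value of 600 and the two function names are assumptions chosen for illustration.

```shell
# Added example for /etc/profile.local (bash and ksh login shells).
# IDLE_SECONDS and both function names are assumptions, not SUSE defaults.
IDLE_SECONDS=600

# Return 0 when TMOUT in this shell can no longer be unset.
tmout_is_locked() {
    # Probe in a subshell: unsetting a read-only variable is an error,
    # and in some shells that error would abort the calling shell.
    if ( unset TMOUT ) 2>/dev/null; then
        return 1
    fi
    return 0
}

# Set the idle timeout and mark it read-only so "unset TMOUT" and
# "TMOUT=0" fail for the rest of this shell's lifetime.
lock_idle_timeout() {
    # The profile may be sourced again; assigning to a read-only
    # variable would raise an error, so keep the value already locked.
    if tmout_is_locked; then
        return 0
    fi
    TMOUT=$1
    readonly TMOUT
    export TMOUT
}

lock_idle_timeout "$IDLE_SECONDS"
```

The read-only attribute holds only in the shell that read the file: a shell started from it inherits the exported value but not the attribute, so this narrows the limitation described above rather than removing it.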