5 Replies Latest reply: Nov 21, 2013 11:40 PM by J@*946472*

    pam_lastlog inactive




      I have already installed OEL 5.9. I need to implement the function of locking a user account if he/she has had no login in the last 20 days.


      pam_lastlog.so has the option inactive; it could be defined in /etc/pam.d/login


      auth   required pam_lastlog.so inactive=20


      but it seems to be available in pam version 1.x. Oracle Linux 5.9 has the pam version, so the inactive option does not work. I've been testing by changing the date of my workstation.


      My question is to get some ideas on how to upgrade pam, to find the mistake, or to implement this option in another way.


      Tnks and keep in touch !

        • 1. Re: pam_lastlog inactive

          How about an alternative solution?


          Below is a simple script that will check if any user account, which usually has UID >500, has been inactive for 20 days, and then lock the account.


          You can schedule the script with crontab or simply copy it to /etc/cron.daily.



          #!/bin/sh
          # Filename: /etc/cron.daily/lock_inactive_users
          # Author: Dude OTN
          # Purpose: Lock inactive user accounts.

          INACTIVE=20        # days without a login before an account is locked
          MIN_UID=500        # first regular user UID on OEL 5 (system accounts are below it)
          MAX_UID=60000      # assumed upper bound for regular user UIDs; adjust to your site

          lock_account() {
             echo "Locking account $1"
             usermod -L "$1"
          }

          # lastlog -b DAYS prints only records older than DAYS (accounts that have
          # never logged in are included); -u restricts the listing to the UID range.
          # The first output line is the column header, hence the "Username" test below.
          USER_LIST=`lastlog -b $INACTIVE -u $MIN_UID-$MAX_UID | awk '{print $1}'`

          for user in $USER_LIST; do
            [ ! "$user" = "Username" ] && lock_account "$user"
          done

          P.S. You can easily add some code to create a log file and mail the result.
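The script in the reply above leaves the age filtering to lastlog -b and locks whatever comes back. The following is an added example, not code from this thread or from Oracle, that does the age arithmetic itself on lastlog's text output, skips the header line, and reports accounts that have never logged in instead of locking them (lastlog -b lists those as well, because their last-login timestamp is zero, so a freshly created account would be locked by a 20-day rule). The variable names, the MIN_UID/MAX_UID values, the DRY_RUN switch and the sample lastlog output are assumptions constructed for the example; timestamps are parsed with GNU date -d.

```sh
#!/bin/sh
# Added example (not the forum poster's script): dry-run friendly version of a
# "lock accounts idle for 20 days" policy that checks the ages itself and
# reports never-logged-in accounts separately instead of locking them.

INACTIVE=20     # days without a login before an account is locked (from the thread)
MIN_UID=500     # assumption: first regular user UID on OEL 5
MAX_UID=60000   # assumption: upper bound of regular user UIDs

# select_inactive NOW_EPOCH  < lastlog output
# Reads lastlog's text on stdin and prints one username per line for every
# record older than $INACTIVE days relative to NOW_EPOCH. The header line is
# skipped; "**Never logged in**" records go to stderr so an operator can
# decide about them separately.
select_inactive() {
    now=$1
    limit=$((INACTIVE * 86400))
    while IFS= read -r line; do
        user=${line%% *}
        case "$line" in
            "") continue ;;
            Username*) continue ;;
            *"Never logged in"*) echo "never logged in: $user" >&2; continue ;;
        esac
        # The "Latest" column is the last six whitespace-separated fields,
        # e.g. "Mon Oct 14 09:12:33 +0200 2013", a form GNU date can parse.
        stamp=$(printf '%s\n' "$line" | awk '{print $(NF-5),$(NF-4),$(NF-3),$(NF-2),$(NF-1),$NF}')
        last=$(date -d "$stamp" +%s 2>/dev/null) || continue
        if [ $((now - last)) -gt "$limit" ]; then
            echo "$user"
        fi
    done
}

# Apply the policy on a live system (needs root). DRY_RUN=1 (the default)
# only prints the candidates, which is the sensible first run.
lock_inactive_accounts() {
    lastlog -u "$MIN_UID-$MAX_UID" | select_inactive "$(date +%s)" |
    while read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would lock $user"
        else
            echo "Locking account $user"
            usermod -L "$user"
        fi
    done
}

# Constructed sample of "lastlog -u 500-60000" output for the dry run below.
SAMPLE_LASTLOG='Username         Port     From             Latest
alice            pts/0    10.0.0.5         Mon Oct 14 09:12:33 +0200 2013
bob              pts/1    10.0.0.9         Wed Nov 20 18:01:10 +0100 2013
carol                                      **Never logged in**'

# Dry run against the sample, pretending it is noon on 21 Nov 2013: prints
# "alice" (38 days idle); bob is 1 day idle; carol is reported on stderr.
printf '%s\n' "$SAMPLE_LASTLOG" | select_inactive "$(date -d 'Thu Nov 21 12:00:00 +0100 2013' +%s)"
```

Run with DRY_RUN=1 first and compare the candidate list against your user inventory; only then schedule it (via cron.daily or the at-based loop discussed later in the thread) with DRY_RUN=0.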

          • 2. Re: pam_lastlog inactive

            Hi Dude!


            It is a good idea, but in my case, the crond has been disabled as a security customer policy.


            So, it is not a solution for me.


            tnks and keep in touch

            • 3. Re: pam_lastlog inactive

              So what runs all the daily system maintenance scripts to rotate logfiles, etc.? From a security standpoint, enabling the cron daemon sounds like a much better option to me than experimenting with the pam login modules, which will affect future system upgrading and administration issues.

              • 4. Re: pam_lastlog inactive

                And btw, cron is not the only option. You can submit a batch job using the AT command that reschedules itself. Check the following:


                service crond stop


                Create a simple shell script:


                echo 'echo "Here I am…"' > /root/batchjob

                echo 'at -m now +1 minutes <<< "/root/batchjob"' >> /root/batchjob

                chmod 750 batchjob




                Here I am…

                job 8 at 2013-11-21 05:39

                You have new mail in /var/spool/mail/root



                10    2013-11-21 05:41 a root

                You have new mail in /var/spool/mail/root


                12    2013-11-21 05:43 a root




                Heirloom Mail version 12.4 7/29/08.  Type ? for help.

                "/var/spool/mail/root": 4 messages 4 new

                >N  1 root                  Thu Nov 21 05:39  15/497   "Output from your job        8"

                N  2 root                  Thu Nov 21 05:40  15/498   "Output from your job        9"

                N  3 root                  Thu Nov 21 05:41  15/498   "Output from your job       10"

                N  4 root                  Thu Nov 21 05:42  15/498   "Output from your job       11"



                Message 17:

                From root@vm21.example.com  Thu Nov 21 05:51:00 2013

                Return-Path: <root@vm21.example.com>

                X-Original-To: root

                Delivered-To: root@vm21.example.com

                Subject: Output from your job       20

                To: root@vm21.example.com

                Date: Thu, 21 Nov 2013 05:51:00 +0100 (CET)

                From: root@vm21.example.com (root)

                Status: RO


                Here I am…

                job 21 at 2013-11-21 05:52



                Remove the batch job:



                21    2013-11-21 05:52 a root

                atrm 21



                You can do the same with the script in my previous message, but you probably want to use a different schedule, for instance to run the job at 23:59h: at -m 2359

                • 5. Re: pam_lastlog inactive

                  Hi Dude !


                  I'm trying to compile and test pam 1.x or pam-script before testing your suggestions.


                  Tnks a lot for your good ideas !