How can I create automatically expiring user accounts?


Solution 1

useradd

You can control how long a user's account is valid through the use of the --expiredate option to useradd.

excerpt from useradd man page

-e, --expiredate EXPIRE_DATE
     The date on which the user account will be disabled. The date is
     specified in the format YYYY-MM-DD.

     If not specified, useradd will use the default expiry date specified
     by the EXPIRE variable in /etc/default/useradd, or an empty string 
     (no expiry) by default.

So when setting up the user's account you can specify a date +30 days in the future from now, and add that to your useradd command when setting up their accounts.

$ useradd -e 2013-07-30 someuser

chage

You can also change an existing account's date using the chage command. To change an account's expiration date you'd do the following:

$ chage -E 2013-08-30 someuser

calculating the date +30 days from now

To do this is actually pretty trivial using the date command. For example:

$ date -d "30 days"
Sun Jul 28 01:03:05 EDT 2013

You can format using the +FORMAT options to the date command, which ends up giving you the following:

$ date -d "30 days" +"%Y-%m-%d"
2013-05-28

Putting it all together

So knowing the above pieces, here's one way to put it together. First when creating an account you'd run this command:

$ useradd -e `date -d "30 days" +"%Y-%m-%d"` someuser

Then when you want to adjust their expiration dates you'd periodically run this command:

$ chage -E `date -d "30 days" +"%Y-%m-%d"` someuser

Specifying time periods of less than 24h

If you want a user to only be active for some minutes, you cannot use the options above since they require specifying a date. In that case, you could either set up a crontab to remove/lock the created user after the specified time (for example, 10 minutes), or you could do one of:

$ adduser someuser && sleep 600 && usermod --lock someuser

or

$ adduser someuser
$ echo usermod --lock someuser | at now + 10 minutes


Solution 2

If you are on Debian/Ubuntu you should use adduser and usermod. On Debian-based systems useradd is considered low level and (according to the man pages): administrators should usually use adduser(8) instead.

adduser has no expiration option, so you just use it to create the account.

usermod has the -e / --expiredate option to set the expiration date.

You calculate the parameter to date with: date -d "30 days" "+%Y-%m-%d" to get:

usermod --expiredate $(date -d "30 days" "+%Y-%m-%d") username
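
As an added example (not from any of the answers on this page), the sh function below checks that an expiry set with useradd -e, chage -E or usermod -e actually landed: it reads shadow(5)-format lines, where field 8 stores the expiry as days since 1970-01-01, and reports each account as ok, expiring, expired or never-expires. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit account expiry in shadow(5)-format data.
# Field 8 = expiry as days since 1970-01-01; empty = account never expires.

# Today's date in the same unit as shadow field 8.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample lines ("!" is a placeholder, not a real password hash).
sample_shadow() {
    cat <<'EOF'
alice:!:18900:0:99999:7::19030:
bob:!:18900:0:99999:7::19005:
carol:!:18900:0:99999:7::18990:
dave:!:18900:0:99999:7:::
erin:!:18900:0:99999:7::19000:
EOF
}

# expiry_report FILE TODAY WARN
#   FILE   shadow-format file, or "-" to read standard input
#   TODAY  current day number, e.g. "$(days_since_epoch)"
#   WARN   report accounts that expire within this many days
# Prints one line per account: "user status [days]".
expiry_report() {
    awk -F: -v today="$2" -v warn="$3" '
        /^#/ || NF < 8 { next }                 # skip comments, short lines
        $8 == ""       { print $1, "never-expires"; next }
        {
            left = $8 - today                   # days until the expiry date
            if (left <= 0)                      # disabled on the date itself
                print $1, "expired", today - $8
            else if (left <= warn)
                print $1, "expiring", left
            else
                print $1, "ok", left
        }' "$1"
}

# Demo on the constructed data, with day 19000 standing in for "today".
sample_shadow | expiry_report - 19000 7
```

On a real host, run it as root with `expiry_report /etc/shadow "$(days_since_epoch)" 7`. The never-expires rows are the ones to watch for key-based SSH users: usermod(8) notes that --lock only disables the password and that locking the account itself also requires setting the expire date.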

Solution 3

Another way (if your OS does not support account expiration or this feature doesn't work for whatever reason): set up a cron job to run 30 days from now that will lock this account.

Usually the account is locked by setting its encrypted password to an invalid value; on FreeBSD, the pw lock X command will lock the account X.

Author: Yusufmm

Updated on September 18, 2022

Comments

  • Yusufmm over 1 year

    This is what I'd like to be able to do:

    After a user's account is created, they should be able to ssh-tunnel, but their account is automatically removed after 30 days unless the countdown is reset by the root user.

    How can I automate this? I'll have to handle around 15 users.

  • slm almost 11 years
    Explain how you can lock an account.
  • sendmoreinfo almost 11 years
    That's OS-dependent, really.
  • slm almost 11 years
    It would still be helpful if you gave an example showing it.
  • Anthon almost 11 years
    I took the liberty to change the %M (Minutes) into %m (month).