How can I create automatically expiring user accounts?
Solution 1
useradd
You can control how long a user's account is valid through the use of the --expiredate option to useradd.
excerpt from useradd man page
-e, --expiredate EXPIRE_DATE
The date on which the user account will be disabled. The date is
specified in the format YYYY-MM-DD.
If not specified, useradd will use the default expiry date specified
by the EXPIRE variable in /etc/default/useradd, or an empty string
(no expiry) by default.
So when setting up the user's account you can specify a date +30 days in the future from now, and add that to your useradd command when setting up their accounts.
$ useradd -e 2013-07-30 someuser
chage
You can also change an existing account's date using the chage command. To change an account's expiration date you'd do the following:
$ chage -E 2013-08-30 someuser
calculating the date +30 days from now
To do this is actually pretty trivial using the date command. For example:
$ date -d "30 days"
Sun Jul 28 01:03:05 EDT 2013
You can format using the +FORMAT options to the date command, which ends up giving you the following:
$ date -d "30 days" +"%Y-%m-%d"
2013-05-28
Putting it all together
So knowing the above pieces, here's one way to put it together. First when creating an account you'd run this command:
$ useradd -e `date -d "30 days" +"%Y-%m-%d"` someuser
Then when you want to adjust their expiration dates you'd periodically run this command:
$ chage -E `date -d "30 days" +"%Y-%m-%d"` someuser
Specifying time periods of less than 24h
If you want a user to only be active for some minutes, you cannot use the options above since they require specifying a date. In that case, you could either set up a crontab to remove/lock the created user after the specified time (for example, 10 minutes), or you could do one of:
adduser someuser && sleep 600 && usermod --lock someuser
or
$ adduser someuser
$ echo usermod --lock someuser | at now + 10 minutes
Solution 2
If you are on Debian/Ubuntu you should use adduser and usermod. On Debian based systems useradd is considered low level and (according to the man pages): administrators should usually use adduser(8) instead
adduser has a no expiration option, so you just use it to create the account.
usermod has the -e / --expiredate option to set the expiration date.
You calculate the parameter to date with: date -d "30 days" "+%Y-%m-%d" to get:
usermod --expiredate $(date -d "30 days" "+%Y-%m-%d") username
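To check what expiry date useradd -e, chage -E or usermod --expiredate actually recorded, the following added example (not part of the original answers) reads shadow(5)-format lines, where field 8 is the expiry in days since 1970-01-01, and classifies each account. The function names, the 7-day warning window and the sample lines are assumptions made for the example; it relies on GNU date, as the answers do.

```shell
#!/bin/sh
# Audit account expiry from shadow(5)-format lines. Field 8 holds the expiry
# as days since 1970-01-01; an empty field means the account never expires.

# Sample input, constructed for this example (not real accounts or hashes).
SAMPLE_SHADOW='alice:!:19900:0:99999:7::19935:
bob:!:19900:0:99999:7::19940:
carol:!:19900:0:99999:7:::
dave:!:19900:0:99999:7::19966:'

# days_since_epoch YYYY-MM-DD -> integer day number (GNU date, UTC)
days_since_epoch() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# expiry_report TODAY [WARN_DAYS] < shadow-lines
# Prints "user status days-left" per account. Status is one of:
# never, expired (disabled from the expiry date on), soon (within
# WARN_DAYS, default 7), ok.
expiry_report() {
    awk -F: -v today="$(days_since_epoch "$1")" -v warn="${2:-7}" '
        $8 == ""           { print $1, "never", "-"; next }
        $8 <= today        { print $1, "expired", $8 - today; next }
        $8 - today <= warn { print $1, "soon", $8 - today; next }
                           { print $1, "ok", $8 - today }'
}

# renewal_date BASE_DATE [DAYS] -> the YYYY-MM-DD value to pass to chage -E
renewal_date() {
    date -u -d "$1 +${2:-30} days" +%Y-%m-%d
}

# Demo on the constructed sample. On a real host, root would run:
#   expiry_report "$(date +%F)" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | expiry_report 2024-08-01
```

Run daily from root's crontab, the "soon" lines show which of the accounts need their countdown reset with chage -E before they lapse.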
Solution 3
Another way (if your OS does not support account expiration or this feature doesn't work for whatever reason): set up a cron job to run 30 days from now that will lock this account.
Usually the account is locked by setting its encrypted password to an invalid value; on FreeBSD, the pw lock X command will lock the account X.
Yusufmm
Updated on September 18, 2022
Comments
-
Yusufmm over 1 year
This is what I'd like to be able to do:
After a user's account is created, they should be able to ssh-tunnel, but their account is automatically removed after 30 days unless the countdown is reset by the root user. How can I automate this? I'll have to handle around 15 users.
-
slm almost 11 years
Explain how you can lock an account.
-
sendmoreinfo almost 11 years
That's OS-dependent, really.
-
slm almost 11 years
It would still be helpful if you gave an example showing it.
-
Anthon almost 11 years
I took the liberty to change the %M (Minutes) into %m (month)