This is what I’d like to be able to do:
After a user’s account is created, they should be able to ssh-tunnel, but their account is automatically removed after 30 days unless the countdown is reset by the root user.
How can I automate this? I’ll have to handle around 15 users.
Answers:
Method 1
useradd
You can control how long a user’s account is valid through the use of the --expiredate option to useradd.
excerpt from useradd man page
-e, --expiredate EXPIRE_DATE
The date on which the user account will be disabled. The date is
specified in the format YYYY-MM-DD.
If not specified, useradd will use the default expiry date specified
by the EXPIRE variable in /etc/default/useradd, or an empty string
(no expiry) by default.
So when setting up the user’s account you can specify a date +30 days in the future from now, and add that to your useradd command when setting up their accounts.
$ useradd -e 2013-07-30 someuser
chage
You can also change an existing account’s date using the chage command. To change an account’s expiration date you’d do the following:
$ chage -E 2013-08-30 someuser
calculating the date +30 days from now
To do this is actually pretty trivial using the date command. For example:
$ date -d "30 days"
Sun Jul 28 01:03:05 EDT 2013
You can format using the +FORMAT options to the date command, which ends up giving you the following:
$ date -d "30 days" +"%Y-%m-%d"
2013-05-28
Putting it all together
So knowing the above pieces, here’s one way to put it together. First when creating an account you’d run this command:
$ useradd -e `date -d "30 days" +"%Y-%m-%d"` someuser
Then when you want to adjust their expiration dates you’d periodically run this command:
$ chage -E `date -d "30 days" +"%Y-%m-%d"` someuser
Specifying time periods of less than 24h
If you want a user to only be active for some minutes, you cannot use the options above since they require specifying a date. In that case, you could either set up a crontab to remove/lock the created user after the specified time (for example, 10 minutes), or you could do one of:
adduser someuser && sleep 600 && usermod --lock someuser
or
$ adduser someuser
$ echo usermod --lock someuser | at now + 10 minutes
Method 2
If you are on Debian/Ubuntu you should use adduser and usermod. On Debian-based systems useradd is considered low level and (according to the man pages): administrators should usually use adduser(8) instead.
adduser has no expiration option, so you just use it to create the account.
usermod has the -e / --expiredate option to set the expiration date.
You calculate the parameter to date with: date -d "30 days" "+%Y-%m-%d" to get:
usermod --expiredate $(date -d "30 days" "+%Y-%m-%d") username
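An added example, not part of the original answers: a report of which accounts have expired or are about to, so root knows whose 30-day countdown to reset with chage -E. It reads field 8 of a shadow(5) file, where the expiry is stored as days since 1970-01-01; the function names, the sample users and the 7-day warning window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): audit account expiry dates.
# useradd -e / chage -E / usermod -e store the expiry in field 8 of
# /etc/shadow as a count of days since 1970-01-01 (see shadow(5)).

# Current date as days since the epoch, the same unit as shadow field 8.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# expiry_report FILE TODAY WARN_DAYS
# Prints "user STATUS days_left" for every account that has an expiry date.
expiry_report() {
    awk -F: -v today="$2" -v warn="$3" '
        $8 == "" { next }                      # field empty: never expires
        {
            left = $8 - today
            if (left <= 0)         status = "EXPIRED"
            else if (left <= warn) status = "EXPIRING"
            else                   status = "OK"
            printf "%s %s %d\n", $1, status, left
        }' "$1"
}

# Constructed sample in shadow(5) format; hashes replaced by placeholders.
sample_shadow() {
    cat <<'EOF'
root:*:19000:0:99999:7:::
alice:HASH_PLACEHOLDER:19900:0:99999:7::19990:
bob:HASH_PLACEHOLDER:19900:0:99999:7::19965:
carol:HASH_PLACEHOLDER:19900:0:99999:7::19960:
EOF
}

# Demo against the sample with a fixed "today" of day 19960.
# On a real host, run as root: expiry_report /etc/shadow "$(today_days)" 7
demo() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    expiry_report "$tmp" 19960 7
    rm -f "$tmp"
}
demo
```

For users who log in with SSH keys, the expiry date is the control that matters: usermod(8) notes that --lock only locks the password, and that the expire date should also be set if the whole account is to be locked.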
Method 3
Another way (if your OS does not support account expiration or this feature doesn’t work for whatever reason): set up a cron job to run 30 days from now that will lock this account.
Usually the account is locked by setting its encrypted password to an invalid value; on FreeBSD, the pw lock X command will lock the account X.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.