Unix Technical Forum

killed users shell, but finger says they're still logged in

  #1 (permalink)  
Old 01-05-2008, 09:49 AM
dalestubblefield@gmail.com
 

I have a set of users that continually stay logged in to the system,
despite the fact that I have repeatedly asked them not to.

So, at night, I go in and kill their shell; however, sometimes when I
do this, the finger command will still list the user as logged in. If
I perform 'ps -ef' and grep the user's login, there are no running
processes listed for that user.

Any ideas?

Thanks,
Dale

  #2 (permalink)  
Old 01-05-2008, 09:49 AM
base60
 

dalestubblefield@gmail.com wrote:
> I have a set of users that continually stay logged in to the system,
> despite the fact that I have repeatedly asked them not to.
>
> So, at night, I go in and kill their shell; however, sometimes when I
> do this, the finger command will still list the user as logged in. If
> I perform 'ps -ef' and grep the user's login, there are no running
> processes listed for that user.
>
> Any ideas?


ps lists running processes and, obviously, finger is using
log files.

If you do a kill -HUP, the log files should be synced, also.

Rather than asking them, give some thought to setting their
shell to "idle out".
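One way to check the mismatch described in the reply above, as an added example that is not from the thread: `who` and `finger` read the login records (utmp) while `ps` reads the process table, so a record can outlive its process. The function names and the sample `who -u` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check login records against live processes.

# Constructed sample of `who -u` output (user, line, login time, idle, PID,
# optional host). $$ is this shell's PID, so the first record is live;
# PID 99999999 cannot exist, so the second record is stale.
sample_who() {
    cat <<EOF
dale     pts/0   Jan 05 09:12   .     $$ (ws1.example.com)
maria    pts/3   Jan 04 17:40  old    99999999 (ws2.example.com)
EOF
}

# True if the PID still exists. kill -0 needs permission to signal the
# target, so fall back to ps -p when not running as root.
pid_alive() {
    kill -0 "$1" 2>/dev/null || ps -p "$1" >/dev/null 2>&1
}

# Read `who -u` output on stdin and print "user line pid" for every record
# whose PID is gone: a session finger/who still show with no process left.
stale_sessions() {
    awk '{
        pid = ""
        # Scanning from the right, the PID is the first purely numeric
        # field; the trailing "(host)" never matches.
        for (i = NF; i > 2; i--) {
            if ($i ~ /^[0-9]+$/) { pid = $i; break }
        }
        if (pid != "") print $1, $2, pid
    }' | while read -r user line pid; do
        pid_alive "$pid" || echo "$user $line $pid"
    done
}

# Demo on the constructed sample; on a live system: who -u | stale_sessions
sample_who | stale_sessions
```
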
  #3 (permalink)  
Old 01-05-2008, 09:49 AM
dalestubblefield@gmail.com
 

"kill -HUP" you say...?

That could be part of my problem as I was just entering "kill" and then
the pid.

I will try the "kill -HUP"...

Thanks!
Dale

  #4 (permalink)  
Old 01-05-2008, 09:49 AM
dalestubblefield@gmail.com
 

I cannot figure out where I can set to have the user logged out after a
certain period of idle time... It's not in SMIT?

Thanks,
Dale

  #5 (permalink)  
Old 01-05-2008, 09:49 AM
base60
 

dalestubblefield@gmail.com wrote:
> I cannot figure out where I can set to have the user logged out after a
> certain period of idle time... It's not in SMIT?


It's shell dependent:

By default, AIX uses ksh; read the part about TMOUT.

http://www.sunmanagers.org/archives/1994/1578.html

http://www.shelldorado.com/shelltips...rogrammer.html
  #6 (permalink)  
Old 01-05-2008, 09:49 AM
Randy Styka
 

dalestubblefield@gmail.com wrote:
>
> I cannot figure out where I can set to have the user logged out after a
> certain period of idle time... It's not in SMIT?
>

As others have mentioned, many shells have a builtin way
to log off idle users; often an environment variable called
TMOUT. An issue is that this will only log off idle users
who are at a shell prompt, not users in your applications.

To do this, you need some extra program to run and log them
off. There are some available on the internet but we ran into
problems in how they decided if a user was idle. Commands like
"who -u" or "w" base idle time on when the keyboard was last
used. So if a user is running a long, cpu bound job with no
keyboard interaction, the programs that use the output of commands
like "finger" or "who" will think the user is idle and log the
user off.

Our company wrote (and sells ;-) a product called LOGMON that
monitors the cpu usage for each user, and their child processes.
Then we can be sure the user really is idle before logging them
off. You can vary the inactivity time by user, time of day, etc.
And you can control how the user is actually logged off. If
this is of interest, send an email to logmon@computronics.com
for details or visit http://www.logmon.com. Thanks!

--
+--------------------------------------------------------------------+
| Computronics Randy Styka, info@computronics.com |
| 4N165 Wood Dale Road Phone: 630/941-7767 |
| Addison, Illinois 60101 USA Fax: 630/941-7714 |
+--------------------------------------------------------------------+
  #7 (permalink)  
Old 01-05-2008, 09:49 AM
base60
 

Randy Styka wrote:
> dalestubblefield@gmail.com wrote:
>> I cannot figure out where I can set to have the user logged out after a
>> certain period of idle time... It's not in SMIT?
>>

> As others have mentioned, many shells have a builtin way
> to log off idle users; often an environment variable called
> TMOUT. An issue is that this will only log off idle users
> who are at a shell prompt, not users in your applications.


This is a very bad idea and one which will invariably piss
someone off a lot... and they'll have a legitimate gripe.

>
> To do this, you need some extra program to run and log them
> off. There are some available on the internet but we ran into
> problems in how they decided if a user was idle.


Precisely.

> Commands like
> "who -u" or "w" base idle time on when the keyboard was last
> used. So if a user is running a long, cpu bound job with no
> keyboard interaction, the programs that use the output of commands
> like "finger" or "who" will think the user is idle and log the
> user off.
>
> Our company wrote (and sells ;-) a product called LOGMON that
> monitors the cpu usage for each user, and their child processes.
> Then we can be sure the user really is idle before logging them
> off.


OK, let's assume you can be "sure" that a non-shell PID is sleeping.

Does that mean it's not legitimate or unwanted?

Sorry, but this sort of thing is almost sure to get SAs in really
deep shit sooner or later without mgmt buy-in at the top-end and,
even then, they'll piss and moan about you doing a bad job
adjusting it every time someone complains.

If you want to sell this, you need to push it to the lackwits
with the CISSP etc. cabbage after their names. They'll fall
for it being a security issue.

Otherwise, installing this sort of thing is just more grief.

> You can vary the inactivity time by user, time of day, etc.
> And you can control how the user is actually logged off. If
> this is of interest, send an email to logmon@computronics.com
> for details or visit http://www.logmon.com. Thanks!


By the way, this was an Ad and you're really not supposed to
post them... even under the guise of being helpful.

On the possibility that you did mean well, I didn't report it
to earthlink's abuse dept... who probably wouldn't do much about
it, anyway LOL :-)
  #8 (permalink)  
Old 01-05-2008, 09:52 AM
j3
 

base60 wrote:
> Randy Styka wrote:
> > dalestubblefield@gmail.com wrote:
> >> I cannot figure out where I can set to have the user logged out after a
> >> certain period of idle time... It's not in SMIT?
> >>

> > As others have mentioned, many shells have a builtin way
> > to log off idle users; often an environment variable called
> > TMOUT. An issue is that this will only log off idle users
> > who are at a shell prompt, not users in your applications.

One option is "TMOUT=3600" included in /etc/environments which would
cause automatic termination of a ksh if sitting idly at a command
prompt for an hour (3600s). The equivalent variable is TIMEOUT
(measured in minutes) for a Bourne sh.
>
> This is a very bad idea and one which will invariably piss
> someone off a lot... and they'll have a legitimate gripe.
>

Probably will annoy some but whether that's "legitimate" depends on the
company's computer security policy, not on your personal opinion.
> >
> > To do this, you need some extra program to run and log them
> > off. There are some available on the internet but we ran into
> > problems in how they decided if a user was idle.

>
> Precisely.
>
> > Commands like
> > "who -u" or "w" base idle time on when the keyboard was last
> > used. So if a user is running a long, cpu bound job with no
> > keyboard interaction, the programs that use the output of commands
> > like "finger" or "who" will think the user is idle and log the
> > user off.
> >
> > Our company wrote (and sells ;-) a product called LOGMON that
> > monitors the cpu usage for each user, and their child processes.
> > Then we can be sure the user really is idle before logging them
> > off.

<snip>
> > You can vary the inactivity time by user, time of day, etc.
> > And you can control how the user is actually logged off. If
> > this is of interest, send an email to logmon@computronics.com
> > for details or visit http://www.logmon.com. Thanks!

>
> By the way, this was an Ad and you're really not supposed to
> post them... even under the guise of being helpful.
>
> On the possibility that you did mean well, I didn't report it
> to earthlink's abuse dept... who probably wouldn't do much about
> it, anyway LOL :-)

Personally, I reckon that Randy's post was helpful and gave Dale extra
options to solve his problem, unlike your post, though at least your
previous one was helpful.

I've had to implement the same sort of thing myself in the past. From
memory I had a script running in the background which looked at
'inactive' user sessions (via "who -u"), noting the terminal of those
which may be inactive. It then checked the time clocked by all
processes belonging to each of those terminals (using "ps -ft
terminal_name") and compared that total with what it had stored
previously. It sent the inactive, non-processing sessions a warning
that they would be automatically logged out in 1 minute, after which it
logged them out if they were still inactive. One user complained about
it and I adjusted it to suit his situation.

Best wishes,
Jeffrey.

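The decision logic described in the post above, as an added example (not Jeffrey's script): a terminal counts as idle only when `who -u` shows no recent keystrokes and the CPU time of its processes has not grown since the previous pass, which is the case the earlier replies warn about with long CPU-bound jobs. Assumptions: it reads `ps -t <tty> -o time=` rather than parsing `ps -ft` output, and `IDLE_LIMIT`, the function names and the state directory are hypothetical.

```shell
#!/bin/sh
# Added example: idle decision = keyboard idle time AND no CPU-time growth.
IDLE_LIMIT=30   # minutes without keyboard input (assumed policy value)

# Print "tty idle" per `who -u` line. Scanning from the right, the idle
# column is the first field shaped like ".", "old" or HH:MM.
who_idle() {
    awk '{ for (i = NF; i > 2; i--) {
               if ($i ~ /^(\.|old|[0-9]+:[0-9][0-9])$/) { print $2, $i; break }
           } }'
}

# Convert that idle column to minutes.
idle_minutes() {
    case "$1" in
        old) echo 1440 ;;                                   # more than 24 hours
        *:*) echo "$1" | awk -F: '{ print $1 * 60 + $2 }' ;;
        *)   echo 0 ;;                                      # "." = active now
    esac
}

# Sum `ps -t <tty> -o time=` lines ([dd-]hh:mm:ss or mm:ss) into seconds.
cpu_seconds() {
    awk '{
        d = 0; t = $1
        if (split(t, a, "-") == 2) { d = a[1]; t = a[2] }
        n = split(t, p, ":"); s = 0
        for (i = 1; i <= n; i++) s = s * 60 + p[i]
        total += d * 86400 + s
    } END { print total + 0 }'
}

# classify TTY IDLE CPU_NOW STATE_DIR -> "active", "busy" or "idle".
# "busy" = no keystrokes but CPU time grew since the previous pass (or no
# baseline yet). STATE_DIR must be writable by root only.
classify() {
    state="$4/$(echo "$1" | tr / _)"
    prev=$(cat "$state" 2>/dev/null || echo -1)
    echo "$3" > "$state"
    if [ "$(idle_minutes "$2")" -lt "$IDLE_LIMIT" ]; then echo active
    elif [ "$prev" -lt 0 ] || [ "$3" -gt "$prev" ]; then echo busy
    else echo idle
    fi
}

# Live use, as root (state directory path is a placeholder):
# who -u | who_idle | while read -r tty idle; do
#     echo "$tty $(classify "$tty" "$idle" "$(ps -t "$tty" -o time= | cpu_seconds)" /var/run/idlewatch)"
# done
```
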
All times are GMT.

