4.10.16 Logging off idle users
 
Idle users are usually a security problem, a user might be idle maybe because he's out to lunch or because a remote connection was broken and not re-established. For whatever the reason, idle users might lead to a compromise:
 
    * because the user's console might not be locked and can be accessed by an intruder.
 
    * because an attacker might be able to re-attach himself to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of telnet).
 
Some remote systems have even been compromised through an idle (detached) screen.
 
Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:
 
    * If bash is the user shell, a system administrator can set a default TMOUT value (see bash(1)) which will make the shell automatically remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it.
 
    * Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly.
 
    * Install autolog and configure it to remove idle users.
 
The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell.