Score:1

Unable to set inactive account lockout

fr flag
A R

I am trying to set the default inactivity period to 30 days using sudo useradd -D -f 30. The command doesn't give me any errors, but when I type /usr/sbin/useradd -D | /bin/grep INACTIVE to check if the change has been made, I still get -1.

I went to check /etc/default/useradd and it says INACTIVE=30, however the above grep command still outputs INACTIVE -1. Similarly useradd -D also outputs -1.

My guess is that somewhere in the Ubuntu system (20.04 by the way), something is still setting the inactive period to -1. Can somebody help please?

waltinator
it flag
Read `man -a passwd ; man chage` and even `man -k PAM`.
fr flag
A R
Read them all. Here are the findings:

1. passwd -i disables an account after the password has been inactive for some days. I need all accounts to get locked after not logging in for 30 days, so this one is not what I need.
2. chage -I is closer to what I need, but I'm still getting the -1.
3. PAM is already enabled to lock out after 3 failed logins. Not what I need at the moment.
Score:1
hr flag

What you're observing here is that when executed by an unprivileged user, useradd -D can't read the /etc/default/useradd file, because it is only readable by root:

$ ls -l /etc/default/useradd
-rw------- 1 root root 1195 Jun 22 14:43 /etc/default/useradd

Instead, it prints the compiled-in default values from the shadow package's src/useradd.c file:

/*
 * These defaults are used if there is no defaults file.
 */
static gid_t def_group = 100;
static const char *def_gname = "other";
static const char *def_home = "/home";
static const char *def_shell = "";
static const char *def_template = SKEL_DIR;
static const char *def_create_mail_spool = "no";

static long def_inactive = -1;
static const char *def_expire = "";

So you need to use

sudo useradd -D | /bin/grep INACTIVE

instead.
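As an added example (not code from the original answer or from the shadow package), here is a small POSIX shell script that makes the two sources of the INACTIVE value explicit: the defaults file, which the answer says is readable only by root on Ubuntu, and the compiled-in fallback of -1 quoted from src/useradd.c. The file path and the -1 fallback come from the answer; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original answer or of the shadow package.
# Reports the INACTIVE value that `useradd -D` would show for the caller,
# and says whether it came from the defaults file or from the compiled-in
# fallback. Assumptions: /etc/default/useradd is the defaults file and -1 is
# the compiled-in default (both taken from the answer above).

COMPILED_IN_INACTIVE=-1

# Echo the INACTIVE value from a useradd defaults file.
# If the file is missing or unreadable by the caller, echo the compiled-in
# default instead, which is exactly what an unprivileged `useradd -D` shows.
inactive_from_file() {
    f="${1:-/etc/default/useradd}"
    if [ ! -r "$f" ]; then
        printf '%s\n' "$COMPILED_IN_INACTIVE"
        return 0
    fi
    # Take the last INACTIVE= assignment, ignoring surrounding whitespace.
    v=$(sed -n 's/^[[:space:]]*INACTIVE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' "$COMPILED_IN_INACTIVE"
    fi
}

# One-line verdict so an admin can tell "setting not applied" apart from
# "this user simply cannot read the file".
check_inactive() {
    f="${1:-/etc/default/useradd}"
    if [ -r "$f" ]; then
        printf 'readable: INACTIVE=%s (from %s)\n' "$(inactive_from_file "$f")" "$f"
    else
        printf 'unreadable: useradd -D would show INACTIVE=%s (compiled-in default); re-run with sudo\n' "$COMPILED_IN_INACTIVE"
    fi
}

# Stand-alone usage on the real file (run as root to see the file's value):
check_inactive
```

Run it once as a normal user and once under sudo: the first run reports the compiled-in -1 because the file is mode 0600, the second reports the value actually stored in the file, which is the same distinction the answer draws for the two `useradd -D` invocations.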

fr flag
A R
THANK YOU VERY MUCH for this great answer. This is just what I needed!! One last question: after reading the man pages pointed to by waltinator I'm not sure these settings will achieve what I want: do these accounts expire after N days, or after N days of inactivity AFTER a password has expired (meaning the setting will be useless without password expiration enabled)?
hr flag
@AR I believe it's the latter - the inactivity period is a "grace period" during which a user is still permitted to log in, but must immediately change their password (see `man 5 shadow`). But you should probably post that as a separate question.