From: Mark Wielaard
To: "Frank Ch. Eigler via Overseers"
Cc: "Frank Ch. Eigler"
Subject: Re: aging inactive users
Date: Mon, 8 Apr 2024 00:29:53 +0200
Message-ID: <20240407222953.GT1292@gnu.wildebeest.org>

Hi Frank,

On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
> Sourceware does not have a mechanical process for aging out hosted
> project contributors who have not logged on for a long time. Given
> that projects haven't undertaken this sort of janitorial task, it's
> probably time that we put one in place.
>
> A brief shell script scanning ssh authentication logs in
> /var/log/secure* spanning a year indicates that only about 1/4 of our
> accumulated user base has been active during that time.
> (/sourceware/infra/bin/list-ssh-login)
>
> After gathering feedback here, I plan to send a batch of email to
> those found not to be active (via their USER@sourceware.org email
> addresses). Then a few weeks later, if they still haven't become
> active, I plan to set them to "gid=emeritus" status, so those accounts
> can no longer log in. (This status is easy to reverse if anyone there
> is ready to return.)

I assume that this means the email forward will keep working and that
an id will never be reused?

> For administrative/shared accounts, one needs to do this analysis on a
> per-key basis. It probably needs to be more recent, considering the
> greater privileges of these accounts, say 6 months. There, a more
> manual process to compare ssh-keygen -l lists against the actually
> used ssh fingerprints could be used. That way, we can age out only
> those users & keys that have not been used, but preserve others. I'll
> work out another little script for that postprocessing and get it to
> note findings via email too.
>
> I propose to repeat this exercise every few months.

So "normal" accounts would expire after one year of inactivity.
"admin" accounts would expire after 6 months of inactivity.

Users will get an email that this is about to happen, giving them an
opportunity to activate their account (in say 2 weeks?). Would a
simple "alive" be enough or do we require an actual push of a commit?

I would propose to then run this process every quarter (3 months).

Thanks,

Mark
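The two checks discussed in the thread (a year-long scan of sshd "Accepted" log lines for ordinary accounts, and a per-key comparison of `ssh-keygen -l` fingerprints against the fingerprints actually seen in the logs for shared accounts) can be done in one small script. The example below is added here for illustration and is not the list-ssh-login script or any other Sourceware infra code. It assumes sshd log lines with RFC 3339 timestamps as rsyslog can write them (the real /var/log/secure* lines may use the classic syslog date, which carries no year), and it uses constructed account names, fingerprints and dates; the 365-day and 180-day thresholds are the ones proposed in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sshd log excerpt (assumption: timestamps are RFC 3339 as with
# rsyslog's high-precision format; adapt the parser if your logs differ).
SAMPLE_LOG = """\
2023-03-01T10:00:00+00:00 host sshd[101]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:aaaaAAAA
2024-03-30T08:15:00+00:00 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2: ED25519 SHA256:aaaaAAAA
2023-01-15T12:00:00+00:00 host sshd[103]: Accepted publickey for bob from 198.51.100.7 port 50003 ssh2: RSA SHA256:bbbbBBBB
2024-04-01T09:00:00+00:00 host sshd[104]: Accepted publickey for gitadmin from 203.0.113.5 port 50004 ssh2: RSA SHA256:k1k1k1k1
2023-09-01T09:00:00+00:00 host sshd[105]: Accepted publickey for gitadmin from 203.0.113.6 port 50005 ssh2: ED25519 SHA256:k2k2k2k2
2024-04-02T09:00:00+00:00 host sshd[106]: Failed password for invalid user root from 203.0.113.9 port 50006 ssh2
"""

# Constructed `ssh-keygen -l -f authorized_keys` output for the shared
# "gitadmin" account: "<bits> SHA256:<fp> <comment> (<type>)".
SAMPLE_KEYGEN = """\
3072 SHA256:k1k1k1k1 alice@laptop (RSA)
256 SHA256:k2k2k2k2 bob@desk (ED25519)
256 SHA256:k3k3k3k3 carol@old (ED25519)
"""

# Reference time for the report: the date of the original proposal.
NOW = datetime(2024, 4, 5, 21, 13, 7, tzinfo=timezone.utc)

# Only successful authentications count as activity; the fingerprint part is
# optional because password logins carry none.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from \S+ port \d+ ssh2(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_logins(log_text):
    """Return ({user: last_login}, {(user, fingerprint): last_login})."""
    users, keys = {}, {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts, disconnects, etc. are not activity
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        if user not in users or ts > users[user]:
            users[user] = ts
        if m["fp"]:
            k = (user, m["fp"])
            if k not in keys or ts > keys[k]:
                keys[k] = ts
    return users, keys


def parse_keygen(text):
    """Map fingerprint -> key comment from `ssh-keygen -l` output."""
    fps = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("SHA256:"):
            fps[parts[1]] = " ".join(parts[2:-1]) or "(no comment)"
    return fps


def inactive_users(last_login, all_users, now, max_age=timedelta(days=365)):
    """Accounts with no accepted login inside the window (never seen counts)."""
    cutoff = now - max_age
    return sorted(u for u in all_users
                  if last_login.get(u) is None or last_login[u] < cutoff)


def stale_keys(account, authorized, key_last, now, max_age=timedelta(days=180)):
    """Authorized fingerprints of a shared account not used inside the window."""
    cutoff = now - max_age
    out = []
    for fp, comment in authorized.items():
        seen = key_last.get((account, fp))
        if seen is None or seen < cutoff:
            out.append((fp, comment, seen.date().isoformat() if seen else "never"))
    return out


if __name__ == "__main__":
    users, keys = parse_logins(SAMPLE_LOG)
    # Constructed account list; in practice this comes from the passwd database.
    everyone = {"alice", "bob", "carol", "gitadmin"}
    print("candidates for emeritus:", inactive_users(users, everyone, NOW))
    for fp, comment, last in stale_keys("gitadmin", parse_keygen(SAMPLE_KEYGEN), keys, NOW):
        print(f"gitadmin key {fp} ({comment}) last used: {last}")
```

Accounts that never appear in the logs are reported as inactive rather than silently skipped, and keys present in authorized_keys but never seen in a login are listed as "never" used, which is the case the per-key comparison is meant to catch.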