From: "Frank Ch. Eigler"
To: overseers@sourceware.org
Date: Fri, 5 Apr 2024 21:13:07 -0400
Subject: aging inactive users

Hi -

Sourceware does not have a mechanical process for aging out hosted project contributors who have not logged on for a long time. Given that projects haven't undertaken this sort of janitorial task, it's probably time that we put one in place.

A brief shell script scanning ssh authentication logs in /var/log/secure* spanning a year indicates that only about 1/4 of our accumulated user base has been active during that time. (/sourceware/infra/bin/list-ssh-login)

After gathering feedback here, I plan to send a batch of email to those found not to be active (via their USER@sourceware.org email addresses).
Then a few weeks later, if they still haven't become active, I plan to set them to "gid=emeritus" status, so those accounts can no longer log in. (This status is easy to reverse if anyone there is ready to return.)

For administrative/shared accounts, one needs to do this analysis on a per-key basis. It probably needs to be more recent, considering the greater privileges of these accounts, say 6 months. There, a more manual process to compare ssh-keygen -l lists against the actually used ssh fingerprints could be used. That way, we can age out only those users & keys that have not been used, but preserve others. I'll work out another little script for that postprocessing and get it to note findings via email too.

I propose to repeat this exercise every few months. Feedback & comments welcome.

- FChE
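
The two checks described in the message above (accounts with no successful ssh login in the log window, and per-key use on a shared account), as an added sketch that is not the /sourceware/infra/bin/list-ssh-login script or any Sourceware code. It assumes OpenSSH's usual `Accepted publickey for USER ... SHA256:...` log lines for plain (non-certificate) keys; the roster, the account names and the fingerprints are constructed, and the time window is set by which log files are fed in.

```shell
#!/bin/sh
# Constructed sample data. Real input would be the /var/log/secure* files for
# the chosen window and `ssh-keygen -l -f` output for the shared account's
# authorized_keys; names and fingerprints below are made up.
SAMPLE_LOG='Apr  5 21:13:07 host sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:AAAAexampleFingerprintAlice
Apr  5 21:14:40 host sshd[4117]: Failed publickey for bob from 198.51.100.7 port 40022 ssh2: RSA SHA256:EEEEexampleFingerprintBob
Apr  6 02:01:11 host sshd[4302]: Accepted publickey for shared from 192.0.2.22 port 50900 ssh2: RSA SHA256:BBBBexampleFingerprintKey1
Apr  6 09:30:00 host sshd[4550]: Accepted publickey for carol from 192.0.2.31 port 51000 ssh2: ED25519 SHA256:CCCCexampleFingerprintCarol'
ROSTER='alice
bob
carol
dave'
SHARED_KEYS='3072 SHA256:BBBBexampleFingerprintKey1 admin1@example (RSA)
256 SHA256:DDDDexampleFingerprintKey2 admin2@example (ED25519)'

# stdin: sshd log lines. stdout: "user fingerprint" per successful key login.
# Failed attempts are ignored, so a failed try does not count as activity.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted publickey for / {
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted") { print $(i + 3), $NF; break }
    }'
}

# $1: roster, one account per line; stdin: log. stdout: accounts never seen.
inactive_users() {
    active=$(accepted_logins | cut -d' ' -f1 | sort -u)
    printf '%s\n' "$1" | grep -vxF -- "$active"
}

# $1: shared account; $2: `ssh-keygen -l` listing; stdin: log.
# stdout: listed fingerprints that never authenticated as that account.
unused_keys() {
    used=$(accepted_logins | awk -v a="$1" '$1 == a { print $2 }' | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v used="$used" '
        BEGIN { n = split(used, u, " "); for (i = 1; i <= n; i++) seen[u[i]] = 1 }
        !($2 in seen) { print $2 }'
}

echo "inactive accounts:"; printf '%s\n' "$SAMPLE_LOG" | inactive_users "$ROSTER"
echo "unused keys on 'shared':"
printf '%s\n' "$SAMPLE_LOG" | unused_keys shared "$SHARED_KEYS"
```

Syslog timestamps in this format carry no year, so the one-year or six-month cutoff has to come from log rotation (which files are passed in), not from parsing the date field.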