Kill Inactive and Idle Linux Users

Kill Inactive and Idle Linux Users

Every once in awhile the SSH connection to my Linux server will die and I’ll be left with a dead user. Here’s how I discover the inactive session using the w command:

15:26:26 up 13 days, 23:47, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
raam pts/0 wfc-main.wfcorp. Mon10 2days 0.04s 0.04s -bash
raam pts/1 pool-151-199-29- 15:26 0.00s 0.02s 0.01s w
You can easily tell there’s an idle user by glancing at the IDLE column; the user in the first row has been idle for 2 days. There are many ways of killing idle users, but here I’ll show you a few of my favorites. The bottom line is, you need to kill the parent process created by the idle user when he logged in. There are a number of ways of doing that.

Here is how I discover the parent process using the pstree -p command:

├─screen(29380)───bash(29381)───naim(29384)
├─scsi_eh_0(903)
├─sshd(1997)─┬─sshd(32093)─┬─sshd(32095)
│ │ └─sshd(32097)───bash(32098)─┬─mutt(32229)
│ │ └─screen(32266)
│ └─sshd(1390)─┬─sshd(1392)
│ └─sshd(1394)───bash(1395)───pstree(1484)
├─syslogd(1937)
└─usb-storage(904)
We need to find the parent PID for the dead user and issue the sudo kill -1 command. We use the -1 option because it’s a cleaner way of killing processes; some programs, such as mutt, will end cleanly if you kill them with -1. I can see by looking at the tree where I’m running the pstree command, so I just follow that down the tree until I find a common process (branch) shared by both users; this happens to be sshd(1997).

You can see there are two branches at the point — one for my current session and one for the idle session (I know this because I’m the only user logged into this Linux server and because I know I should only have one active session). So I simply kill the sshd(32093) process and the idle user disappears.

Of course, if you’re on a system with multiple users, or you’re logged into the box with multiple connections, using the above method and searching through a huge tree of processes trying to figure out which is which will not be fun. Here’s another way of doing it: Looking at the output from the w command above, we can see that the idle users’ TTY is pts/0 so now all we need is the PID for the parent process. We can find that by running who -all | grep raam:

raam + pts/0 May 10 10:45 . 18076 (wfc-main.wfcorp.net)
raam + pts/1 May 11 15:26 . 1390 (pool-151-199-29-190.bos.east.verizon.net)
Here we can see that 18076 is the PID for the parent process of pts/0, so once we issue kill -1 18076 that idle session will be gone!