We're an ISO27001:2013 Certified Supplier


In an ideal world, user authentication is centralised, typically these days using LDAP or perhaps Microsoft Active Directory. We have robust processes in place to ensure that, when a user leaves (or should no longer have access to their account), their accounts are removed (or disabled).

In the real world, we sometimes find that we have local accounts on our Linux systems, and sometimes they persist longer than perhaps they should.

We can list the user accounts that have not been logged in during the last 60 days with this variant of the lastlog command:

$ lastlog -b 60

There will be some system accounts that won’t have been logged in to during that time or, more likely, never logged in to:

$ lastlog -b 60
Username         Port     From             Latest
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**

So let’s filter those out:

$ lastlog -b 60|grep -v '**Never logged in**'
Username         Port     From             Latest
harry            pts/4    example.com      Sat May  7 10:39:34 +0100 2016

So, user harry hasn’t logged in for more than 60 days. Should his account still exist?

If you prefer, you can find out which account have been logged into in the last 60 days:

$ lastlog -t 60

Hopefully no surprises in the output there…

Was This Linux Tip Helpful?

Let us know in the comments below.