Unix: Tracking down ghost accounts

One of the long-recognized vulnerabilities on Unix systems is the problem of accounts that should have been shut down years ago but, due to some oversight, were left open well after the account “owner” left the company or moved on to other job responsibilities. For Unix systems that are set up with account expiration, the security risk that these accounts convey is limited: within the 3-6 months following the change in the account owner’s status, the accounts should be locked automatically by the system.

Of course, 3-6 months is a long time for an account to be open when it shouldn’t be, especially if the former user was laid off, left to work for a competitor, or might have shared his/her password or used the same password on numerous accounts. Systems administrators are not always in the loop when staff leave the company, for various reasons. So accounts that should be locked or removed immediately may be left open for months or years after the user has disappeared. I have run into some of these myself over the years. Some should-have-been-locked accounts were still available on servers 8-10 years after their users’ departures. Sometimes this was because no one periodically checked the existing accounts. Other times, the admins didn’t remove accounts that they didn’t recognize, fearing that they’d cause problems for someone if they did.
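As an added example (not from the original article), the periodic check described above can be automated against the shadow file: the script below reads shadow-format lines and flags active accounts that have no expiration date at all, or whose expiration date has already passed but were never locked. The sample data and the `ghost_report` function name are constructed for illustration.

```shell
#!/bin/sh
# Audit shadow-format records for ghost accounts (added example, not the article's code).
# Shadow fields: name:pw:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; an empty expire field means "never expires".
# Constructed sample data; on a real host run ghost_report against /etc/shadow as root.
SAMPLE_SHADOW='bob:$6$abc:18500:0:99999:7::19200:
alice:$6$def:17000:0:99999:7:::
svc-backup:*:17500:0:99999:7:::
carol:!:18000:0:99999:7::18100:
dave:$6$ghi:15000:0:99999:7::20500:'

# ghost_report FILE TODAY_DAYS
# Prints "<user> <reason>" for each account that needs attention:
#   NO_EXPIRY - no expiration date set, so the system will never lock it automatically
#   EXPIRED   - expiration date has passed; confirm the account is really locked
# Accounts whose password field is already locked ('*' or leading '!') are skipped.
ghost_report() {
    awk -F: -v today="$2" '
        $2 == "*" || $2 ~ /^!/ { next }            # already locked, not a ghost
        $8 == ""                { print $1, "NO_EXPIRY"; next }
        $8 + 0 <= today         { print $1, "EXPIRED";   next }
    ' "$1"
}

# Example run on the constructed data with "today" = day 19300 (early November 2022).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
ghost_report "$tmp" 19300
rm -f "$tmp"
```

On a live system, `chage -l <user>` reports the same expiration fields for a single account without parsing /etc/shadow by hand.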