Idle shell sessions pose a significant risk on shared or multi-user systems. Unattended terminals can become an easy target for unauthorized access or accidental command execution. Fortunately, with a simple configuration tweak, you can automatically log out users after a defined period of inactivity — adding an extra layer of security to your Ubuntu system.
In this guide, we’ll walk through how to enforce automatic logout in Bash by setting the (TMOUT) environment variable—and crucially, how to make sure users cannot override it.
Objectives
To configure Ubuntu systems running the Bash shell to automatically log out idle sessions after a specified time and prevent users from disabling or modifying this behavior.
Environment
- Operating System: Ubuntu (also applies to most Linux systems using Bash)
- User Privileges: Root or sudo access required
- Shell: Bash (/bin/bash)
Implementation
Step 1: Edit the Global Bash Configuration
We’ll begin by setting a global TMOUT value in /etc/bash.bashrc, which applies to all interactive non-login Bash shells.
- Open the file in a text editor with elevated privileges:
sudo nano /etc/bash.bashrc
Scroll to the bottom and add the following lines:
# Enforce TMOUT for all users
readonly TMOUT=300 # 5 minutes
export TMOUT
Pro Tip: For testing, you can use TMOUT=20 for a quicker timeout.
- Save and exit:
Press Ctrl + O, then Enter to save
Press Ctrl + X to close the editor
Step 2: Apply the Configuration
To apply the new settings, simply open a new terminal window or run:
source /etc/bash.bashrc
Step 3: Verify the Setting
- Confirm the TMOUT Value:
echo $TMOUT
- Expected output:
300
Try to Override:
Attempt to change the value:
export TMOUT=100
Expected output:
bash: TMOUT: readonly variable
This confirms that the setting is enforced and protected from user tampering.
Step 4: Test the Auto Logout
- Open a new terminal window.
- Leave it idle—don’t touch the keyboard or mouse.
- After 300 seconds (or 20 seconds, if you’re testing), you should see a message like:
timed out waiting for input: auto-logout
logout
Additional Notes
This method enforces the timeout in interactive non-login shells (e.g., terminals launched from a GUI).
To enforce the same behavior in login shells (such as SSH sessions), add the same lines to /etc/profile.
Be aware: users with sudo or root access can still edit these files. For high-security environments, consider more advanced restrictions like mandatory access controls (e.g., SELinux or AppArmor).
Final Thoughts
Security isn’t just about firewalls and permissions—it’s also about reducing surface area. Auto-logout is a small but powerful way to tighten system access control and reduce the risk of unauthorized activity. Whether you’re managing a multi-user lab, a development server, or your personal workstation, enabling (TMOUT) is a no-brainer.
Thanks for reading! If you found this guide helpful, feel free to share or leave a comment below.
Top comments (0)