[pam_access.so] How to ignore account expiration error(s)

ANIL KARADAĞ anil.karadag at gmail.com
Wed Dec 28 13:47:59 UTC 2011


Hi Jon,

Thanks for the quick reply. I tried your suggestion, but it does not achieve my
goal. The root password is expired and root's cron jobs are not run.


/var/log/cron-->

2011-12-28T15:28:01.848488+02:00 crond[11683]: User account has expired
2011-12-28T15:28:01.848714+02:00 crond[11683]: CRON (root) ERROR: failed to open PAM security session: Success
2011-12-28T15:28:01.848745+02:00 crond[11683]: CRON (root) ERROR: cannot set security context


I think system-auth does not allow it. How can I ignore account expiration?



On Wed, Dec 28, 2011 at 2:39 PM, Jon Miller <jonebird at gmail.com> wrote:

> Sorry but I do not have a direct answer to your question, however it
> is my opinion that the use of pam_access doesn't make much sense for
> /etc/pam.d/crond. Cronjobs are for users which already have access
> whereas pam_access would be controlling who gained access in the first
> place. My suggestion is to completely remove that line from crond.
>
> -- Jon Miller
>
> On Wed, Dec 28, 2011 at 7:12 AM, ANIL KARADAĞ <anil.karadag at gmail.com> wrote:
> > Hi,
> >
> > I have a question about pam_access.so and need some suggestions. My problem
> > is that if the root password is expired, root’s cron job(s) cannot be run.
> > I found two design options:
> >
> >     1 - root password is configured for non-expire
> >
> >     2 - /etc/pam.d/crond includes "account    sufficient   pam_access.so"
> > instead of "account    required   pam_access.so"
> >
> > [1] is OK, but I want to select the second with some restriction(s). The
> > "sufficient" flag does not prevent unauthorized attempts, so I don't want
> > to use the second exactly.
> >
> > How to define "account    required   pam_access.so with disable_aging=ok"?
> >
> > --
> > Anıl KARADAĞ
> > http://anilkaradag.info/blog
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
>

-- 
Anıl KARADAĞ
http://anilkaradag.info/blog
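
Added example, not part of the original thread: a small Python check that finds cron jobs refused because of an expired account in a `/var/log/cron` excerpt like the one quoted above. The expiry message does not name the user, so the script correlates it by crond PID with the `CRON (user) ERROR` lines that follow; the function name and the last two sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-3 are the /var/log/cron entries quoted in the message (unwrapped);
# the last two lines are constructed for contrast.
SAMPLE_LOG = """\
2011-12-28T15:28:01.848488+02:00 crond[11683]: User account has expired
2011-12-28T15:28:01.848714+02:00 crond[11683]: CRON (root) ERROR: failed to open PAM security session: Success
2011-12-28T15:28:01.848745+02:00 crond[11683]: CRON (root) ERROR: cannot set security context
2011-12-28T15:29:01.102233+02:00 crond[11702]: (backup) CMD (/usr/local/bin/nightly.sh)
2011-12-28T15:30:01.554120+02:00 crond[11731]: CRON (alice) ERROR: cannot set security context
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) crond\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ERROR_RE = re.compile(r"^CRON \((?P<user>[^)]+)\) ERROR: (?P<detail>.*)$")
EXPIRED_MSG = "User account has expired"


def find_expired_account_failures(log_text):
    """Return one finding per crond child whose job was refused because PAM
    account management reported an expired account."""
    # Assumption: the excerpt is short enough that a PID is not reused.
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m["pid"]].append((m["ts"], m["msg"]))

    findings = []
    for pid, entries in by_pid.items():
        expired_at = next((ts for ts, msg in entries if msg == EXPIRED_MSG), None)
        if expired_at is None:
            continue  # errors without the expiry message have another cause
        errors = [e for e in (ERROR_RE.match(msg) for _, msg in entries) if e]
        findings.append({"pid": int(pid), "time": expired_at,
                         "users": sorted({e["user"] for e in errors}),
                         "errors": [e["detail"] for e in errors]})
    return findings


if __name__ == "__main__":
    for f in find_expired_account_failures(SAMPLE_LOG):
        print(f"{f['time']} crond[{f['pid']}]: jobs for {', '.join(f['users'])} "
              f"skipped, account expired ({'; '.join(f['errors'])})")
```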