[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [pam_access.so] How to ignore account expiration error(s)

Hi Ben,

/etc/pam.d/crond includes the following lines;

account    sufficient  pam_rootok.so
account    required   pam_access.so
account    include    system-auth

crond with the above lines exits with an account expiration error if root password is expired. 

If crond uses "account    sufficient   pam_access.so" instead of "account    required   pam_access.so", root's jobs can be run. 

Does "sufficient" flag cause to access problem?  

On Wed, Dec 28, 2011 at 7:12 PM, ben <ben appliedplastic com> wrote:
On 12/28/2011 5:39 AM, Jon Miller wrote:
> Sorry but I do not have a direct answer to your question, however it
> is my opinion that the use of pam_access doesn't make much sense for
> /etc/pam.d/crond. Cronjobs are for users which already have access
> whereas pam_access would be controlling who gained access in the first
> place. My suggestion is to completely remove that line from crond.
> -- Jon Miller

I suspect that pam_access is used to deny expired users. you might look
at adding a root ok module first.

Ben Hildred
Applied Plastic Coatings, Inc.
5000 Tabor St.
Wheat Ridge, CO 80033
303 424 9200
F: 303 424 8800
ben appliedplastic com

Pam-list mailing list
Pam-list redhat com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]