[pam_access.so] How to ignore account expiration error(s)
ANIL KARADAĞ
anil.karadag at gmail.com
Thu Dec 29 08:18:34 UTC 2011
Hi Ben,
/etc/pam.d/crond includes the following lines:
account sufficient pam_rootok.so
account required pam_access.so
account include system-auth
crond with the above lines exits with an account expiration error if the
root password is expired.
If crond uses "account sufficient pam_access.so" instead of "account
required pam_access.so", root's jobs can be run.
Does the "sufficient" flag cause an access problem?
On Wed, Dec 28, 2011 at 7:12 PM, ben <ben at appliedplastic.com> wrote:
> On 12/28/2011 5:39 AM, Jon Miller wrote:
> > Sorry but I do not have a direct answer to your question, however it
> > is my opinion that the use of pam_access doesn't make much sense for
> > /etc/pam.d/crond. Cronjobs are for users which already have access
> > whereas pam_access would be controlling who gained access in the first
> > place. My suggestion is to completely remove that line from crond.
> >
> > -- Jon Miller
>
> I suspect that pam_access is used to deny expired users. You might look
> at adding a root ok module first.
>
> --
> Ben Hildred
> Estimator
> Applied Plastic Coatings, Inc.
> 5000 Tabor St.
> Wheat Ridge, CO 80033
> 303 424 9200
> F: 303 424 8800
> ben at appliedplastic.com
> http://appliedplastic.com
--
Anıl KARADAĞ
http://anilkaradag.info/blog
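
Added example, not part of the original thread: a simplified Python model of the keyword control flags from pam.conf(5), run over the two account stacks quoted in the message. The module return values, the content of system-auth (a single `account required pam_unix.so`), and pam_rootok.so not returning success in this stack are assumptions chosen to match the behaviour reported above.

```python
# Simplified model of the PAM keyword control flags described in pam.conf(5).
# Module return values below are constructed inputs, not real module output.
SUCCESS = "PAM_SUCCESS"
EXPIRED = "EXPIRED"            # constructed label for pam_unix's expiry error
NOT_OK = "NOT_SUCCESS"         # constructed label for any other non-success

def expand(stack, files):
    """Inline 'include' lines so included entries join the same stack."""
    flat = []
    for control, target in stack:
        if control == "include":
            flat.extend(expand(files[target], files))
        else:
            flat.append((control, target))
    return flat

def evaluate(stack, files, results):
    """Return (final result, list of modules that were actually called)."""
    failure, succeeded, called = None, False, []
    for control, module in expand(stack, files):
        code = results[module]
        called.append(module)
        if code == SUCCESS:
            succeeded = True
            if control == "sufficient" and failure is None:
                return SUCCESS, called       # later modules never run
        elif control in ("required", "requisite"):
            failure = failure or code        # remember the first failure
            if control == "requisite":
                break                        # requisite fails immediately
        # a failing 'sufficient' or 'optional' module is ignored
    if failure is None and succeeded:
        return SUCCESS, called
    return failure or NOT_OK, called

# Assumed content of system-auth's account section (not shown in the thread).
FILES = {"system-auth": [("required", "pam_unix.so")]}
ORIGINAL = [("sufficient", "pam_rootok.so"), ("required", "pam_access.so"),
            ("include", "system-auth")]
CHANGED = [("sufficient", "pam_rootok.so"), ("sufficient", "pam_access.so"),
           ("include", "system-auth")]
# Assumption: pam_rootok.so does not return success in this account stack.
RESULTS = {"pam_rootok.so": NOT_OK, "pam_access.so": SUCCESS,
           "pam_unix.so": EXPIRED}

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("changed", CHANGED)):
        print(name, *evaluate(stack, FILES, RESULTS))
```

In this model the `sufficient pam_access.so` variant returns success before system-auth is consulted for any user pam_access admits, not only root.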