[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [pam_access.so] How to ignore account expiration error(s)



Hi Ben,

/etc/pam.d/crond includes the following lines;

account    sufficient  pam_rootok.so
account    required   pam_access.so
account    include    system-auth

crond with the above lines exits with an account expiration error if root password is expired. 

If crond uses "account    sufficient   pam_access.so" instead of "account    required   pam_access.so", root's jobs can be run. 

Does "sufficient" flag cause to access problem?  



On Wed, Dec 28, 2011 at 7:12 PM, ben <ben appliedplastic com> wrote:
On 12/28/2011 5:39 AM, Jon Miller wrote:
> Sorry but I do not have a direct answer to your question, however it
> is my opinion that the use of pam_access doesn't make much sense for
> /etc/pam.d/crond. Cronjobs are for users which already have access
> whereas pam_access would be controlling who gained access in the first
> place. My suggestion is to completely remove that line from crond.
>
> -- Jon Miller

I suspect that pam_access is used to deny expired users. you might look
at adding a root ok module first.

--
Ben Hildred
Estimator
Applied Plastic Coatings, Inc.
5000 Tabor St.
Wheat Ridge, CO 80033
303 424 9200
F: 303 424 8800
ben appliedplastic com
http://appliedplastic.com

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list



--
Anıl KARADAĞ
http://anilkaradag.info/blog

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]