Re: [pam_access.so] How to ignore account expiration error(s)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry, I thought when you said it worked with "account    sufficient
pam_access.so", you had already figured out a working combination of
pam modules. I can not claim to be a PAM expert but rather I merely
use a handful of techniques to solve my PAM issues:

1. Identify the culprit pam module.
   a. Sometime this means increasing my syslog verbosity. Other times
involves adding a "debug" option at the end of particular pam lines.
   b. In other cases, I use the crude method of trial and error where
I systematically comment out each line one at a time until I find the
module causing me the trouble.
2. Modify / Replace / Remove the pam module line.
   This is where the answer gets tricky depending on what you need to
do without compromising the overall security of your system.
   In your case, I thought you'd be okay with removing a line for
crond but I could now be missing something.

Having said all of that, I suspect the account expiration catch is
being performed by pam_unix. My machine's README.pam_unix
(/usr/share/doc/pam-*/txts/README.pam_unix) mentions that it consults
user account information including expiration.

At this point, I'd suggest changing the root user to non-expiring or
changing the pam_unix line to "sufficient".

-- Jon Miller

On Thu, Dec 29, 2011 at 9:29 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx> wrote:
>
> hi Jon,
>
>
> I updated my crond file content according to your reply but result does not
> change.
>
> ===========  /etc/pam.d/crond  ================
> #
> # The PAM configuration file for the cron daemon
> #
> #
> auth       sufficient pam_env.so
> auth       required   pam_rootok.so
> auth       include    system-auth
>
> account    sufficient pam_rootok.so
> #account    required   pam_access.so
> #account    include   system-auth
> account    required   pam_unix.so
> account    required   pam_tally.so
>
> session    required   pam_loginuid.so
> session    include    system-auth
>
> ===================================
>
>
>
> On Thu, Dec 29, 2011 at 2:39 PM, Jon Miller <jonebird@xxxxxxxxx> wrote:
>>
>> What I do in these situations is manually do the "include" for
>> system-auth and then remove the unnecessary lines.
>> That is, keep your first two lines, then replace the third line with
>> the "account" entries of system-auth. At that point you have an
>> identical setup but you can now try commenting out the pam_access
>> account line without needing to affect any other pam files which may
>> also include system-auth.
>>
>> -- Jon Miller
>>
>> On Thu, Dec 29, 2011 at 3:18 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx>
>> wrote:
>> > Hi Ben,
>> >
>> > /etc/pam.d/crond includes the following lines;
>> >
>> > account    sufficient  pam_rootok.so
>> > account    required   pam_access.so
>> > account    include    system-auth
>> >
>> > crond with the above lines exits with an account expiration error if
>> > root
>> > password is expired.
>> >
>> > If crond uses "account    sufficient   pam_access.so" instead of
>> > "account
>> >  required   pam_access.so", root's jobs can be run.
>> >
>> > Does "sufficient" flag cause to access problem?
>> >
>> >
>> >
>> > On Wed, Dec 28, 2011 at 7:12 PM, ben <ben@xxxxxxxxxxxxxxxxxx> wrote:
>> >>
>> >> On 12/28/2011 5:39 AM, Jon Miller wrote:
>> >> > Sorry but I do not have a direct answer to your question, however it
>> >> > is my opinion that the use of pam_access doesn't make much sense for
>> >> > /etc/pam.d/crond. Cronjobs are for users which already have access
>> >> > whereas pam_access would be controlling who gained access in the
>> >> > first
>> >> > place. My suggestion is to completely remove that line from crond.
>> >> >
>> >> > -- Jon Miller
>> >>
>> >> I suspect that pam_access is used to deny expired users. you might look
>> >> at adding a root ok module first.
>> >>
>> >> --
>> >> Ben Hildred
>> >> Estimator
>> >> Applied Plastic Coatings, Inc.
>> >> 5000 Tabor St.
>> >> Wheat Ridge, CO 80033
>> >> 303 424 9200
>> >> F: 303 424 8800
>> >> ben@xxxxxxxxxxxxxxxxxx
>> >> http://appliedplastic.com
>> >>
>> >> _______________________________________________
>> >> Pam-list mailing list
>> >> Pam-list@xxxxxxxxxx
>> >> https://www.redhat.com/mailman/listinfo/pam-list
>> >
>> >
>> >
>> >
>> > --
>> > Anıl KARADAĞ
>> > http://anilkaradag.info/blog
>> >
>> > _______________________________________________
>> > Pam-list mailing list
>> > Pam-list@xxxxxxxxxx
>> > https://www.redhat.com/mailman/listinfo/pam-list
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
>
>
>
>
> --
> Anıl KARADAĞ
> http://anilkaradag.info/blog
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux