tune pam config to allow the locked/expired account to run cron jobs

sktskt
Regular Visitor

I am looking to tune pam config to allow the locked/expired account to run cron jobs. In general, once the password is expired, the cron no longer runs for the user involved.

Has anyone accomplished this? Is it a secure/good approach when it comes to a security audit? I don't recollect this being raised as a security concern earlier [obviously I did not have it set up that way earlier :)]

Red Hat Enterprise Linux AS release 3 (Taroon Update 9)


2.4.21-63.0.0.0.1.ELsmp #1 SMP Tue Nov 3 22:39:42 EST 2009 i686 i686 i386 GNU/Linux


# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth required  pam_stack.so service=system-auth
auth required  pam_env.so
account required pam_stack.so service=system-auth
session required pam_limits.so

3 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: tune pam config to allow the locked/expired account to run cron jobs

Shalom,

This is a basic security violation. It is likely to cause you to fail security audits.

Locked and expired users should not be able to do anything on a system until the condition is corrected.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
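
An added example, not part of the original thread: an audit check in the spirit of the reply above, listing crontab owners whose accounts are locked or expired according to the standard shadow(5) fields. The shadow lines, user list and function names are constructed for illustration, and the expiry logic is a simplification of what PAM evaluates.

```python
from datetime import date

# Constructed /etc/shadow sample (hashes are placeholders, not real values).
SAMPLE_SHADOW = """\
root:$1$placeholder$hash:14000:0:99999:7:::
batch:!$1$placeholder$hash:14000:0:99999:7:::
report:$1$placeholder$hash:14000:0:90:7:::
olddev:$1$placeholder$hash:14600:0:99999:7::14610:
appuser:$1$placeholder$hash:14600:0:99999:7:::
"""
# Constructed list of crontab owners (e.g. the file names under /var/spool/cron).
SAMPLE_CRON_USERS = ["batch", "report", "olddev", "appuser"]

def _num(field):
    """shadow(5) numeric field; an empty field means 'not set'."""
    return int(field) if field.strip() else None

def account_problems(shadow_line, today_days):
    """Return the reasons an account is locked or expired, from its shadow fields."""
    f = shadow_line.split(":")
    pw, lastchg, maxdays, expire = f[1], _num(f[2]), _num(f[4]), _num(f[7])
    reasons = []
    if pw.startswith("!"):                      # '!' prefix: password locked
        reasons.append("locked")
    if expire is not None and today_days >= expire:
        reasons.append("account expired")
    if lastchg == 0:                            # 0: change required at next login
        reasons.append("password change forced")
    elif lastchg is not None and maxdays is not None and today_days - lastchg > maxdays:
        reasons.append("password expired")
    return reasons

def audit(shadow_text, cron_users, today_days):
    """Map each crontab owner with a finding to its list of reasons."""
    entries = {l.split(":")[0]: l for l in shadow_text.splitlines() if l.count(":") >= 8}
    findings = {}
    for user in cron_users:
        if user not in entries:
            findings[user] = ["no shadow entry"]
        elif (r := account_problems(entries[user], today_days)):
            findings[user] = r
    return findings

if __name__ == "__main__":
    today = (date.today() - date(1970, 1, 1)).days   # days since the epoch, as in shadow(5)
    for user, reasons in audit(SAMPLE_SHADOW, SAMPLE_CRON_USERS, today).items():
        print(f"{user}: {', '.join(reasons)}")
```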
sktskt
Regular Visitor

Re: tune pam config to allow the locked/expired account to run cron jobs

Thanks SEP, as usual you were quick.

Good to have your feedback on this security part. But is this technically possible?

Re: tune pam config to allow the locked/expired account to run cron jobs

Why not just have a normal user that you assign a very complex password that you immediately forget?