System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

tune pam config to allow the locked/expired account to run cron jobs

SOLVED
Go to solution
sktskt
Regular Visitor

tune pam config to allow the locked/expired account to run cron jobs

I am looking to tune pam config to allow the locked/expired account to run cron jobs. In general once the password is expired the cron no longer for the user involved.

 

any one had accomplished this? is it a secure/good approach when it comes to security audit?. I dont recollect this being raised as a securiity concern earlier[ obiviously i did not have it setup that way erlier :) ]

 

Red Hat Enterprise Linux AS release 3 (Taroon Update 9)

 

2.4.21-63.0.0.0.1.ELsmp #1 SMP Tue Nov 3 22:39:42 EST 2009 i686 i686 i386 GNU/Linux

 

# cat /etc/pam.d/crond

#

# The PAM configuration file for the cron daemon

#

#

auth sufficient pam_rootok.so

auth required  pam_stack.so service=system-auth

auth required  pam_env.so

account required pam_stack.so service=system-auth

session required pam_limits.so

 

3 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: tune pam config to allow the locked/expired account to run cron jobs

Shalom,

This is a basic security violation. It is likely to cause you to fail security audits.

locked and expired users should not be able to do anything on a system until the condition is corrected.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
sktskt
Regular Visitor

Re: tune pam config to allow the locked/expired account to run cron jobs

Thanks SEP, As usual you were quick.

 Good to have ur feedback on this security part. But is this technically possible.?

Dennis Handly
Acclaimed Contributor

Re: tune pam config to allow the locked/expired account to run cron jobs

Why not just have a normal user that you assign a very complex password that you immediately forget?