tune pam config to allow the locked/expired account to run cron jobs

sktskt · ‎06-27-2011

I am looking to tune pam config to allow the locked/expired account to run cron jobs. In general once the password is expired the cron no longer for the user involved.

any one had accomplished this? is it a secure/good approach when it comes to security audit?. I dont recollect this being raised as a securiity concern earlier[ obiviously i did not have it setup that way erlier :) ]

Red Hat Enterprise Linux AS release 3 (Taroon Update 9)

2.4.21-63.0.0.0.1.ELsmp #1 SMP Tue Nov 3 22:39:42 EST 2009 i686 i686 i386 GNU/Linux

# cat /etc/pam.d/crond

#

# The PAM configuration file for the cron daemon

#

auth sufficient pam_rootok.so

auth required pam_stack.so service=system-auth

auth required pam_env.so

account required pam_stack.so service=system-auth

session required pam_limits.so

Steven E. Protter · ‎06-27-2011

Shalom,

This is a basic security violation. It is likely to cause you to fail security audits.

locked and expired users should not be able to do anything on a system until the condition is corrected.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

sktskt · ‎06-27-2011

Thanks SEP, As usual you were quick.

Good to have ur feedback on this security part. But is this technically possible.?

Dennis Handly · ‎07-01-2011

Why not just have a normal user that you assign a very complex password that you immediately forget?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

tune pam config to allow the locked/expired account to run cron jobs

tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs