Solved: Re: tune pam config to allow the locked/expired ac...

sktskt · ‎06-27-2011

I am looking to tune pam config to allow the locked/expired account to run cron jobs. In general once the password is expired the cron no longer for the user involved.

any one had accomplished this? is it a secure/good approach when it comes to security audit?. I dont recollect this being raised as a securiity concern earlier[ obiviously i did not have it setup that way erlier :) ]

Red Hat Enterprise Linux AS release 3 (Taroon Update 9)

2.4.21-63.0.0.0.1.ELsmp #1 SMP Tue Nov 3 22:39:42 EST 2009 i686 i686 i386 GNU/Linux

# cat /etc/pam.d/crond

#

# The PAM configuration file for the cron daemon

#

auth sufficient pam_rootok.so

auth required pam_stack.so service=system-auth

auth required pam_env.so

account required pam_stack.so service=system-auth

session required pam_limits.so

Steven E. Protter · ‎06-27-2011

Shalom,

This is a basic security violation. It is likely to cause you to fail security audits.

locked and expired users should not be able to do anything on a system until the condition is corrected.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

sktskt · ‎06-27-2011

Thanks SEP, As usual you were quick.

Good to have ur feedback on this security part. But is this technically possible.?

Dennis Handly · ‎07-01-2011

Why not just have a normal user that you assign a very complex password that you immediately forget?

tune pam config to allow the locked/expired account to run cron jobs

tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs

Re: tune pam config to allow the locked/expired account to run cron jobs