manintheit.org

Configuring PAM for crontab

Because of strict rules such as PCI DSS compliance, we could not set the root user's password to “never expire”. But when the password expires for any account on a Linux system, that account's crontab jobs stop running, unless you configure PAM to allow them or extend the root password. Alternatively, you could buy proprietary software that changes the root password periodically within the defined period. By the way, even after the root password has expired, switching from a non-root user to root still works (if the NOPASSWD option is set in sudoers). In this post, the PAM configuration is changed so that crontab jobs keep running even when the root password has expired.

Problem: /var/log/crond

Nov 11 20:45:01 node01 crond[6057]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)

/var/log/secure

Nov 12 11:04:44 node01 crontab: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:05:01 node01 crond[8459]: pam_unix(crond:account): expired password for user root (root enforced)

crontab -l output

[root@node01 log]# crontab -l
Authentication token is no longer valid; new one required
You (root) are not allowed to access to (crontab) because of pam configuration.

Solutions:

There are two ways to solve this issue. The first is to extend the root password's validity, or set it to “never expire”; after that your crontab jobs will work again. The second is to configure PAM in /etc/pam.d/crond. In this post we chose the second option, PAM. The contents of the crond configuration file in /etc/pam.d are shown below:

#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth

The only thing you need to change is “required” to “sufficient” for the pam_access.so module:

account sufficient pam_access.so

Final configuration

#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    sufficient   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth

Right after the change has been applied, crontab should work.

[root@node01 log]# crontab -l
*	*	*	*	*	/root/re.sh
Nov 12 11:19:01 node01 CROND[8508]: (root) CMD (/root/re.sh)
Nov 12 11:20:01 node01 CROND[8510]: (root) CMD (/root/re.sh)

Note: this configuration applies to all users on the system, which means every user whose password has expired will also be able to run crontab jobs. If you only want this for the root user, use a pam_succeed_if.so line that matches on the user id instead, as in the configuration below. With that configuration, crontab jobs will run despite an expired password only for the root user (uid 0).

#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    sufficient pam_succeed_if.so uid = 0 quiet
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth
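As an added audit helper (example code, not from the original post), the shell functions below read the account stack of a PAM service file such as /etc/pam.d/crond and report how wide the expiry bypass is, and list the users whose cron jobs the logs show being refused for an expired password. The function names, the temporary sample files and the user name "backup" in the sample log are constructed for this demo.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original post).
# Reads the "account" stack of a PAM service file (e.g. /etc/pam.d/crond) and
# reports which users would get past the password-expiry check that
# password-auth normally enforces: "none", "all" or "root-only".
pam_expiry_bypass_scope() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 != "account" { next }                  # only the account stack is relevant
        $2 == "include" { exit }                  # password-auth reached first: expiry still enforced
        $2 == "sufficient" && $3 == "pam_access.so" { print "all"; found = 1; exit }
        $2 == "sufficient" && $3 == "pam_succeed_if.so" && $4 == "uid" && $5 == "=" && $6 == "0" {
            print "root-only"; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Distinct users whose cron jobs are refused for an expired password, from
# syslog-style lines such as the /var/log/secure entries quoted in the post.
cron_expired_users() {
    sed -nE 's/.*crond:account\): expired password for user ([^ ]+).*/\1/p' "$1" | sort -u
}

# Constructed sample inputs (written to temp files so the demo runs offline).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/crond.default" <<'EOF'
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
EOF
cat > "$DEMO_DIR/crond.all" <<'EOF'
account    sufficient   pam_access.so
account    include    password-auth
EOF
cat > "$DEMO_DIR/crond.root" <<'EOF'
# The PAM configuration file for the cron daemon
account    sufficient pam_succeed_if.so uid = 0 quiet
account    include    password-auth
EOF
cat > "$DEMO_DIR/secure.log" <<'EOF'
Nov 12 11:04:44 node01 crontab: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:05:01 node01 crond[8459]: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:06:01 node01 crond[8460]: pam_unix(crond:account): expired password for user backup (root enforced)
EOF

for f in default all root; do
    printf '%s: %s\n' "$f" "$(pam_expiry_bypass_scope "$DEMO_DIR/crond.$f")"
done
cron_expired_users "$DEMO_DIR/secure.log"
```

Run it against the real /etc/pam.d/crond and /var/log/secure to confirm the change only widened the bypass as far as you intended.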
