Because of strict rules such as PCI DSS compliance, we could not set the root user's password to "never expire". But when the password expires for any account on a Linux system, that account's crontab jobs stop running, unless you configure PAM to let them run, extend the root password, or buy proprietary software that changes the root password periodically within the defined period. Note that even after the root password has expired, switching to the root user from a non-root user still works (if the NOPASSWD option is set in sudoers). In this post, the PAM configuration is changed so that crontab jobs keep running even when the root password has expired.
Problem: /var/log/crond
Nov 11 20:45:01 node01 crond[6057]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)
/var/log/secure
Nov 12 11:04:44 node01 crontab: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:05:01 node01 crond[8459]: pam_unix(crond:account): expired password for user root (root enforced)
crontab -l output
[root@node01 log]# crontab -l
Authentication token is no longer valid; new one required
You (root) are not allowed to access to (crontab) because of pam configuration.
Solutions:
There are two ways to solve this issue. The first is to extend the root password or set it to "never expire"; after that your crontab jobs will work again. The second is to configure PAM in /etc/pam.d/crond. In this post we chose the second option, PAM. The contents of the crond configuration file in /etc/pam.d are shown below:
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
The only thing you need to change is "required" to "sufficient" for the pam_access.so module. With "sufficient", a successful pam_access.so check ends the account stack immediately, so the password-expiry check in password-auth is never reached.
account sufficient pam_access.so
Final configuration
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account sufficient pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
Right after the change has been applied, crontab should work:
[root@node01 log]# crontab -l
* * * * * /root/re.sh
Nov 12 11:19:01 node01 CROND[8508]: (root) CMD (/root/re.sh)
Nov 12 11:20:01 node01 CROND[8510]: (root) CMD (/root/re.sh)
Note: This configuration applies to all users on the system, which means every user whose password has expired will also be able to run crontab jobs. If you only want this for the root user, use a module argument that restricts the bypass by user id. With the configuration below, crontab jobs will run only for the root user:
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account sufficient pam_succeed_if.so uid = 0 quiet
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
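To check which of the three variants above a crond PAM file actually enforces, and to spot accounts whose cron jobs are already failing on an expired password, here is an added example (not part of the original post). The file paths and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/pam.d/crond and spot
# expired-password cron failures in the logs. Paths and samples are constructed.

# Report which users the "account" stack lets through despite an expired
# password. Only the first non-comment "account" line is inspected, because a
# "sufficient" entry that succeeds ends the stack before password-auth (and its
# expiry check) is ever consulted.
#   all-users : account sufficient pam_access.so       (everyone bypasses expiry)
#   root-only : account sufficient pam_succeed_if.so uid = 0
#   default   : expiry enforced for everyone, root included
audit_crond_pam() {
    first=$(grep -E '^[[:space:]]*account[[:space:]]' "$1" | head -n 1)
    case "$first" in
        *sufficient*pam_access.so*)                echo all-users ;;
        *sufficient*pam_succeed_if.so*"uid = 0"*)  echo root-only ;;
        *)                                         echo default ;;
    esac
}

# Write a constructed crond PAM file to $1 whose first account line is $2.
make_sample_crond() {
    printf '# The PAM configuration file for the cron daemon\n%s\n' "$2" > "$1"
    printf 'account    include      password-auth\n'   >> "$1"
    printf 'session    required     pam_loginuid.so\n' >> "$1"
    printf 'session    include      password-auth\n'   >> "$1"
    printf 'auth       include      password-auth\n'   >> "$1"
}

# Detection: print users whose cron jobs already fail on an expired password,
# from /var/log/secure-style lines on stdin (the pam_unix message format above).
expired_cron_users() {
    sed -n 's/.*pam_unix(crond:account): expired password for user \([^ ]*\).*/\1/p' | sort -u
}

# Constructed sample log lines (same format as the post's /var/log/secure excerpt).
SAMPLE_LOG='Nov 12 11:04:44 node01 crontab: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:05:01 node01 crond[8459]: pam_unix(crond:account): expired password for user root (root enforced)
Nov 12 11:06:01 node01 CROND[8460]: (root) CMD (/root/re.sh)'

if [ $# -gt 0 ]; then            # usage: sh audit.sh /etc/pam.d/crond
    echo "crond PAM policy: $(audit_crond_pam "$1")"
    echo "users whose cron jobs fail on an expired password (sample log):"
    printf '%s\n' "$SAMPLE_LOG" | expired_cron_users
fi
```

On a real host, feed /var/log/secure to expired_cron_users and pair the result with `chage -l root` to see how close the root password is to expiring before cron stops.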