cronie-crond / cronie

Cronie cron daemon project

pam_succeed_if.so does not work correctly in the auth stack of /etc/pam.d/crond #109

Closed masa-murayama closed 2 years ago

masa-murayama commented 2 years ago

I have a problem where pam_succeed_if.so always returns an error of "ignore" for the auth stack in /etc/pam.d/crond. I also found that the PAM setup in cron_start_pam() in src/security.c does not call pam_authenticate(). So authentication in PAM is not executed correctly, I think.

It happened on CentOS 6.8, CentOS 7.3 and CentOS 7.8.

To reproduce the issue, I ran the crontab -l command as a non-root user. When root invoked crontab, PAM was not used.

thanks,

t8m commented 2 years ago

Neither crond nor crontab invokes pam_authenticate at all. That is by design.

masa-murayama commented 2 years ago

Thank you very much for your quick response. As crond and crontab do not invoke pam_authenticate(), there is no need to include the auth stack of the password-auth and/or system-auth file. So I changed the auth stack in /etc/pam.d/crond as below.

```
auth include system-auth
auth required pam_permit.so
```

It worked for me even when I used pam_succeed_if.so in password-auth and/or system-auth. Many thanks. -masa

t8m commented 2 years ago

There is a reason the auth stack is included: it is for the pam_setcred() call, which uses the auth stack. Not sure if it makes much sense for crontab, but for crond it is needed.

masa-murayama commented 2 years ago

Thank you very much for your response. I copied the original auth stack of system-auth into crond so as not to change the behavior of pam_setcred():

```
auth include system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
```

It seems to work for me.
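To make t8m's point concrete (crond walks the auth stack through pam_setcred(), not pam_authenticate(), so each module answers with its pam_sm_setcred() result rather than its pam_sm_authenticate() result), here is an added simulator of Linux-PAM's classic control-flag evaluation run over the stacks from this thread. It is example code written for this page, not code from cronie or Linux-PAM. The service names, the pam.d snippets and, above all, the per-module return codes (pam_unix and pam_permit succeeding, pam_deny failing, everything else returning PAM_IGNORE for setcred) are assumptions chosen for illustration; check the module sources on your system for the real values.

```python
"""Simulator of how Linux-PAM walks an "auth" stack (added example).

crond calls pam_setcred(), not pam_authenticate(), so every module in the
auth stack answers with its pam_sm_setcred() result. The return codes and
pam.d snippets below are assumptions constructed for illustration; read the
module sources (pam_sm_setcred / pam_sm_authenticate) for real values.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_CRED_UNAVAIL = "PAM_CRED_UNAVAIL"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # Linux-PAM's PAM_MUST_FAIL_CODE


@dataclass(frozen=True)
class Entry:
    control: str
    module: str
    args: tuple = ()


def parse_stack(files, name, facility="auth"):
    """Return the `facility` entries of pam.d file `name`, splicing
    `include` lines in place (Linux-PAM `include`, not `substack`)."""
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, *args = line.split()
        if fac != facility:
            continue
        if control == "include":
            entries.extend(parse_stack(files, module, facility))
        else:
            entries.append(Entry(control, module, tuple(args)))
    return entries


def run_stack(entries, returns):
    """Evaluate the classic control flags. `returns` maps module name to
    the code it yields for this call; unlisted modules return PAM_IGNORE."""
    impression = None        # None: nothing decided yet, True/False: pass/fail
    status = PAM_SUCCESS
    for e in entries:
        rc = returns.get(e.module, PAM_IGNORE)
        if rc == PAM_IGNORE:                     # module steps aside
            continue
        ok = rc == PAM_SUCCESS
        if e.control == "requisite" and not ok:  # abort the stack now
            return rc
        if e.control == "sufficient" and ok and impression is not False:
            return PAM_SUCCESS                   # early positive exit
        if ok:
            if impression is None:
                impression = True
        elif e.control == "required" and impression is not False:
            impression, status = False, rc       # keep walking, report this later
        # failures of sufficient/optional modules are simply ignored
    if impression is None:
        # Every module returned PAM_IGNORE: Linux-PAM's sanity check refuses
        # to report success from a stack that never said yes.
        status = PAM_PERM_DENIED
    return status


# Constructed pam.d snippets; "system-auth" is the stack copied in the thread.
FILES = {
    "system-auth": """
auth required   pam_env.so
auth required   pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth required   pam_deny.so
""",
    "crond": "auth include system-auth\n",
    "crond-permit": "auth required pam_permit.so\n",
    "crond-env-only": "auth required pam_env.so\n",   # everything ignores setcred
}

# Assumed pam_sm_setcred() results; modules not listed return PAM_IGNORE.
SETCRED = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_permit.so": PAM_SUCCESS,
    "pam_deny.so": PAM_CRED_UNAVAIL,
}


def authenticate_returns(uid, password_ok):
    """Assumed pam_sm_authenticate() results for a user with this uid/password."""
    return {
        "pam_unix.so": PAM_SUCCESS if password_ok else PAM_AUTH_ERR,
        "pam_succeed_if.so": PAM_SUCCESS if uid >= 1000 else PAM_AUTH_ERR,
        "pam_permit.so": PAM_SUCCESS,
        "pam_deny.so": PAM_AUTH_ERR,
    }


def setcred(service):
    return run_stack(parse_stack(FILES, service), SETCRED)


def authenticate(service, uid, password_ok):
    return run_stack(parse_stack(FILES, service), authenticate_returns(uid, password_ok))


if __name__ == "__main__":
    for svc in FILES:
        print(f"pam_setcred via {svc}: {setcred(svc)}")
    print("pam_authenticate via crond, uid 500, bad password:",
          authenticate("crond", 500, False))
```

Under these assumed return codes the copied stack passes pam_setcred() because the `sufficient` pam_unix.so entry ends the walk before pam_succeed_if.so is consulted, and the single pam_permit.so line passes trivially; pam_succeed_if.so's uid test only matters on the pam_authenticate() path, which crond never takes. The "crond-env-only" stack shows the failure mode worth remembering when trimming /etc/pam.d/crond: if every auth entry answers PAM_IGNORE to setcred, the stack fails with PAM_PERM_DENIED rather than succeeding.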