PAM error on cron job

Support for security such as Firewalls and securing linux
Post Reply
User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

PAM error on cron job

Post by KernelOops » 2019/01/06 00:12:17

Hello everyone,

I have a web server which runs a php script under the user home directory (each domain has its own home account/directory) as a cron job. Unfortunately, execution fails and /var/log/cron contains the following errors:

Code: Select all

crond[8771]: (user) PAM ERROR (Authentication token is no longer valid; new one required)
crond[8771]: (user) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)
this is typical for normal users when their password expires, but I did not expect this from a headless web server with user accounts that have no password.

just in case, I run chage on that account and it came back with:

Code: Select all

Last password change					: Jul 12, 2018
Password expires					: Sep 10, 2018
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 7
Maximum number of days between password change		: 60
Number of days of warning before password expires	: 7
anyone knows if its possible to avoid this problem for users without a password please? its rather strange to expire a password that is not there...

Thank you.
--
R.I.P. CentOS :cry:
--

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: PAM error on cron job

Post by MartinR » 2019/01/06 12:59:57

See the shadow(5) man page. Either clear the date of last password change or the maximum age. Alternatively set the maximum age to be very large, 32767 (around 100 years) for example.

User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: PAM error on cron job

Post by KernelOops » 2019/01/06 13:39:56

Sure, which is what I did to get around the expiration for now.

But I opened this post mainly to bring attention to the issue of expiring a non-existent password.

Intuitively I would expect an account without a password, to have no password expiration. Or maybe I'm wrong and there is a reason for that?
--
R.I.P. CentOS :cry:
--

Post Reply