This post was last edited by haoagen on 2013-12-22 23:31
I recently looked at the PAM configuration for cron and ran into a problem.
===========================================================
System: CentOS 6.4 x86_64
[root@c646s1 ~]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
[root@c646s1 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
===========================================================
The problem is with this line:
auth sufficient pam_unix.so nullok try_first_pass
The official documentation explains the auth component of pam_unix as follows:
"The authentication component performs the task of checking the users credentials (password). The default action of this module is to not permit the user access to a service if their official password is blank." (http://www.linux-pam.org/Linux-PAM-html/sag-pam_unix.html)
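Does cron really need password authentication too? But as everyone knows, cron does not require any password to be entered when it runs scheduled jobs.
I changed the auth section of password-auth to: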
auth requisite pam_unix.so
auth sufficient pam_env.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
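I also deleted the password field in the shadow file, yet the jobs in cron still ran as before with no errors, so I presume pam_unix.so returns success even without nullok. What is actually going on here?
So I suspect that pam_unix's role here is not to verify the password but something else...
Also, after spending most of a day on it, I still could not get PAM debug logging to come out.
http://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog (seems to be a CentOS issue)
I hope an expert can offer some guidance; I would be very grateful.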
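Added example, not part of the original post: a small Python resolver that flattens the `include` lines of the two files quoted above into the effective module stack for each management group (an `include` pulls in only the lines of the same type). The names `CONFIGS`, `parse` and `effective_stack` are hypothetical, and the file contents are copied inline from the post rather than read from /etc/pam.d. It shows what each stack contains; whether a stack runs at all depends on which PAM calls the service makes, and the crond file's own comment says no PAM authentication is called.

```python
import re

# File contents as quoted in the post, embedded inline (not read from disk).
CONFIGS = {
    "crond": """\
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
""",
    "password-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
""",
}

# type, control (keyword or [value=action ...]), module or included file, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module, args) for every rule line, skipping comments."""
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def effective_stack(service, mtype, configs=CONFIGS):
    """Flatten one management group, following include/substack for that type only."""
    stack = []
    for t, control, module, args in parse(configs[service]):
        if t == mtype and control in ("include", "substack"):
            stack += effective_stack(module, mtype, configs)
        elif t == mtype:
            stack.append((control, module, args))
    return stack

if __name__ == "__main__":
    for mtype in ("auth", "account", "session"):
        print(mtype, [m for _, m, _ in effective_stack("crond", mtype)])
```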