Just to finish this one: My goal was to only use pam_access.so if the service was sshd or login.
This configuration in common-account achieves that: account [default=1 success=ignore] pam_succeed_if.so service in sshd:login quiet account required pam_access.so Regards Dominik 2012/8/1 Dominik Klein <[email protected]>: > Well thank you for this delightful answer. > > Yes, one could configure something like > > + : nobody : crond > > But that is something I would like to avoid (which I stated in the > first email) since that would imply having this config on 500+ > machines (each has the same access.conf) > > I am looking for the pam way to achieve this. > > Thanks > Dominik > > 2012/8/1 emmanuel segura <[email protected]>: >> man access.conf >> >> 2012/8/1 Dominik Klein <[email protected]> >>> >>> Hi >>> >>> I included pam_access in common-account in order to manage access to >>> my machines. >>> >>> Now, cronjobs running as www-data or nobody cannot run because there >>> is no entry in the access.conf - and I really don't want an entry for >>> each cronjob. >>> >>> My approach on fixing this was to exclude common-account from >>> /etc/pam.d/cron, but I still get >>> >>> CRON[pid]: pam_access(cron:account) access diened for user "nobody" from >>> "cron" >>> >>> What's the correct (debian) way to deal with this situation? >>> >>> Regards >>> Dominik >>> >>> >>> -- >>> To UNSUBSCRIBE, email to [email protected] >>> with a subject of "unsubscribe". Trouble? Contact >>> [email protected] >>> Archive: >>> http://lists.debian.org/CAHY3NAYAyKoW=ly_knnbke20q0athqosfqqj0ugd2pg_7g7...@mail.gmail.com >>> >> >> >> >> -- >> esta es mi vida e me la vivo hasta que dios quiera -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/cahy3naaohprggndrvdp3uifblytei4gzaq2bx5jzijbprxa...@mail.gmail.com
