Linux: Authentication token is no longer valid

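This article describes a problem where crontab cannot be accessed on a Linux system, and how to solve it. The cause is that the PAM configuration denies the access request for a particular user. The article walks through the contents of the PAM configuration file and shows how to check a user's password expiry and make the necessary changes.

The problem: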

[oracle@sxty-jkdb-184:/u01/rman]crontab -l

Authentication token is no longer valid; new one required
You (oracle) are not allowed to access to (crontab) because of pam configuration.

PAM Configuration

The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application. Each service has a file in /etc/pam.d with the same name as the service.

For instance, the PAM file for the crond service is shown below:

[root@sxty-jkdb-184 pam.d]# more /etc/pam.d/crond  
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth

PAM Configuration File Format

Module_interface control_flag module_name module_argument

account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth

Module_interface:
auth: This module interface authenticates the user. For example, it requests and verifies the validity of a password.
account: This module interface verifies whether access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.
password: This module interface is used for changing user passwords.
session: This module interface configures and manages user sessions.

PAM Control Flag:

required: The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests for that interface are complete.
requisite: Unlike required, if the test fails, the user is notified immediately with a message reflecting the first failed required or requisite module test.
optional: The result is ignored.
include: Unlike the other controls, it does not relate to how the module result is handled; it pulls in the lines from the named configuration file.

Solution

Because the crond service must authenticate the user's password, we can check the user's password information:

chage -l oracle
Last password change                                    : Jun 29, 2016
Password expires                                        : Sep 27, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

If you find the password has expired, you can change the password and set the maxdays to 9999.

  1. Change the password: passwd username
  2. Set the maximum password age: chage -M 9999 username

After that, you can check whether /etc/shadow has the updated maxdays for the specified user, like this:

oracle:$6$ekeLH8BN$jMHTbAD93/tshRAXLT8C4yXhLLKjGO/uD2XlYTGY5FEutldUMIc2yBMRkR.JSvoJi9h0d/rRVwtfG8XJWhco.1:17266:0:9999:7:::
grid:$6$SxaJT4Oo$ywpu/7nAEAuml1pGr7KVNiOjjEiJ/JBJFW3.cEwog2Wuy2pAetL0geWz.xc3krgX1Bs69K55pTUHH305xSScG1:17266:0:9999:7:::
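
The same aging fields can be read for every account at once instead of running chage per user. The following is an added example, not part of the original post: a hypothetical shell function `shadow_aging` that classifies shadow(5)-format lines using a simplified reading of the last-change, max and warn fields. The status names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify password aging from shadow(5)-format lines on stdin.
# Fields used: 1=user, 3=last change (days since 1970-01-01), 5=max days, 6=warn days.
# Usage: shadow_aging [TODAY_IN_DAYS] < file   (TODAY defaults to the current day)
shadow_aging() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 5 { next }                      # skip comments and short lines
        {
            user = $1; last = $3; max = $5; warn = $6
            if (last == "") { print user, "no-aging", "-"; next }    # aging disabled
            if (last == 0)  { print user, "must-change", 0; next }   # change forced
            if (max == "")  { print user, "ok", "-"; next }          # no maximum age
            left = (last + max) - today              # days until the password expires
            if (left < 0)                       status = "expired"
            else if (warn != "" && left < warn) status = "warning"
            else                                status = "ok"
            print user, status, left
        }'
}

# Constructed sample entries; the hash field is a placeholder.
# oracle: values matching the chage output above (changed Jun 29, 2016, max 90).
# grid:   values matching the shadow line above after chage -M 9999.
SAMPLE='oracle:HASH:16981:0:90:7:::
grid:HASH:17266:0:9999:7:::
backup:HASH:17180:0:90:7:::
deploy:HASH:0:0:90:7:::'

# Evaluate the sample as of day 17266, the last-change day in the shadow lines above.
printf '%s\n' "$SAMPLE" | shadow_aging 17266
```

On a live system, run `shadow_aging < /etc/shadow` as root; accounts reported as `expired` or `must-change` are the ones whose cron access the PAM account check will refuse.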

Reposted from: https://www.cnblogs.com/likingzi/p/6691320.html
