periodic daily (pam_acct_mgmt: authentication error)

[le4o360]

Hi!
I have default config for periodic tasks (/etc/periodic.conf was copied from /etc/defaults/periodic.conf). Every time my crontab runs periodic daily, I've got this errors in my /var/log/messages and auth.log

Jan 12 03:01:10 mybsd su: pam_acct_mgmt: authentication error
Jan 13 03:01:12 mybsd su: pam_acct_mgmt: authentication error
Jan 14 03:01:10 mybsd su: pam_acct_mgmt: authentication error
Jan 15 03:02:23 mybsd su: pam_acct_mgmt: authentication error

I'v tried to turn on logging for periodic daily:

daily_output="/var/log/daily.log"

But there are no errors there.
At the same time when I'm manually run periodic daily in command prompt, I received those errors immediately.
Looks like some script in /etc/periodic/daily/ cause those errors.
Any solutions for my issue?
Thanks.

 

[SirDice]

Hi!
I have default config for periodic tasks (/etc/periodic.conf was copied from /etc/defaults/periodic.conf).

You don't need to copy the file. Only add the things you want changed to /etc/periodic.conf, all other settings will come from /etc/defaults/periodic.conf.

 

[le4o360]

Thanks for advice!
Now I have only one line in my /etc/periodic.conf

 

[le4o360]

But what about those errors?

 

[SirDice]

Did you add a script in /etc/periodic/daily/?

None of the standard scripts seem to do a su(1) (which is the cause of the error).

 

[le4o360]

I haven't add anything in /etc/periodic/daily
What can I do to proper run su in daily scripts?

 

[SirDice]

What can I do to proper run su in daily scripts?

You shouldn't need to do anything.

Try running the scripts in /etc/periodic/daily/ by hand. See if you can find which of them is generating the error.

 

[le4o360]

I'm manualy search and found, that the

[root@mybsd /etc/periodic/daily]# sh 450.status-security

Security check:
    (output mailed separately)

cause this error:

Jan 17 20:41:27 mybsd su: pam_acct_mgmt: authentication error

 

[le4o360]

Here is 450.status-security

#!/bin/sh
#
# $FreeBSD: src/etc/periodic/daily/450.status-security,v 1.10.36.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "$daily_status_security_enable" in
    [Yy][Ee][Ss])
        echo ""
        echo "Security check:"

        case "$daily_status_security_inline" in
            [Yy][Ee][Ss])
                export security_output="";;
            *)
                export security_output="${daily_status_security_output}"
                case "${daily_status_security_output}" in
                    "")
                        ;;
                    /*)
                        echo "    (output logged separately)";;
                    *)
                        echo "    (output mailed separately)";;
                esac;;
        esac

        periodic security
        rc=3;;

    *)  rc=0;;
esac

exit $rc

 

[le4o360]

Can anybody explain me how does "450.status-security" works? And why it cause my errors?

 

[le4o360]

Just added following line in my /etc/periodic.conf

daily_status_security_inline="YES"

Now I have got this output for sh /etc/periodic/daily/450.status-security

Security check:

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

mybsd.local ipfw denied packets:
+++ /tmp/security.F7UAQOvX      2011-01-18 12:11:05.000000000 +0300
+01999    63359     7426477 deny log logamount 1000 ip from any to any

ipfw log limit reached:
01999    63359     7426477 deny log logamount 1000 ip from any to any

mybsd.local login failures:

mybsd.local refused connections:

Checking for a current audit database:

Database created: вторник, 18 января 2011 г. 07:55:01 (MSK)

Checking for packages with security vulnerabilities:

pam_login_access: pam_sm_acct_mgmt: nobody is not allowed to log in on tty
su: Sorry

-- End of security output --

It looks like I need something to do with:

pam_login_access: pam_sm_acct_mgmt: nobody is not allowed to log in on tty

Is this trouble liked with my /etc/ttys?

 

[le4o360]

Or maybe it linked with my /etc/login.access and following root restrictions:

+:root:console

 

[le4o360]

Just have tried use following in /etc/login.access:

+:ALL:ALL

And all is working fine for me. No more errors in auth.log and messages.
Now can you help me to tune up my /etc/login.access? I want restrict root access to console only, and grant my user (wheel group) permissions to access from several ip-address, as well I want no more troubles with nobody user
Here is my actual /etc/login.access:

-:ALL EXCEPT root:console
-:ALL EXCEPT wheel:ALL EXCEPT 192.168.125.20 192.168.125.15