Root account locked/suspended?

Question

I'm shipping ts7800 boards running debian 6.07. After programming, some boards do not run their cron jobs, complaining that they do not recognise the user root.

This happened on 2 out of 12 devices. When I sshed in to investigate I was forced to change my password. After this the device works as expected (i rebooted to restart cron). The chage command also shows the password and account as never expiring.

I believe that the issue might be with the realtime clock not getting charged enough during the programming of the device to retain the time. When commissioning the device it may not have an internet connection and therefore will begin at the epoch, thus causing the last password change to be in the future, or some such treachery.

I essentially want to configure pam to allow cron to run for locked/suspended accounts??

Answer 1

Okay, I've learned a bit about PAM and have found a solution.

Please note that this is not good practice in the general case, but in the context of reliable embedded systems I believe it to be acceptable.

My solution was to edit the cron specific file /etc/pam.d/cron like so:

-@include common-account  
+CONTENTS_OF_COMMON_ACCOUNT_FILE

and modify the following included line like so:

-account    [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so  
+account    [success=1 new_authtok_reqd=1 default=ignore]     pam_unix.so

Cron jobs should now run even if the user's password needs to be changed.