When using pam_access to manage access to machines, I recently ran into the problem of cron jobs no longer running.
PAM kept logging messages like
pam_access(su:account): access denied for user `nobody' from `???'
(the `???' origin means pam_access found neither a remote host nor a tty to match against, which is exactly what a cron job looks like to it).
When I looked for solutions to this problem, I quickly found that people add entries to their access.conf to allow local access on the machines. I didn't like that approach much, since it would mean changing and rolling out the configuration on a couple hundred servers. Instead, I found this neat way to apply pam_access only to sshd and login, the only services I actually need pam_access for, while still using the distribution's (Debian) way of managing the PAM configuration (pam-auth-update). This file, installed to /usr/share/pam-configs, lets pam-auth-update build the configuration into the PAM common-* files but lets cron jobs run without entries in access.conf.
Name: activate access.conf
[default=1 success=ignore] pam_succeed_if.so service in sshd:login quiet
The way it works is that PAM only runs pam_access if the service is either sshd or login. pam_succeed_if succeeds when the PAM service name (the file name under /etc/pam.d) is sshd or login; success=ignore then means its result does not count toward the stack and evaluation simply continues to the next line, which is pam_access. For any other service pam_succeed_if fails, and default=1 makes PAM jump over the next line, so pam_access is never consulted for cron.
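To make the jump semantics concrete, here is a small Python model of that account stack, added as an illustration and not code from the original post: it simulates pam_succeed_if and pam_access instead of calling libpam, and assumes the line following the jump is "required pam_access.so", which the post describes but does not show.

```python
# Added illustration, not code from the original post: a tiny model of how
# Linux-PAM walks an "account" stack, showing why [default=1 success=ignore]
# lets cron skip pam_access.so while sshd and login still reach it.
# Module behaviour is simulated, not the real libpam.

PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "auth_err", "perm_denied"

def pam_succeed_if(ctx, args):
    # models "service in sshd:login": success iff the PAM service name is listed
    # (args is ["service", "in", "sshd:login", "quiet"])
    return PAM_SUCCESS if ctx["service"] in args[2].split(":") else PAM_AUTH_ERR

def pam_access(ctx, args):
    # models access.conf: only users in ctx["allowed"] pass (constructed rule)
    return PAM_SUCCESS if ctx["user"] in ctx["allowed"] else PAM_PERM_DENIED

MODULES = {"pam_succeed_if.so": pam_succeed_if, "pam_access.so": pam_access}

# The account lines this pam-configs entry yields; the post only shows the
# first, so the second is the assumed line it jumps over.
STACK = [
    ("[default=1 success=ignore]", "pam_succeed_if.so",
     ["service", "in", "sshd:login", "quiet"]),
    ("required", "pam_access.so", []),
]

def parse_control(control):
    """Map a control field to {result-or-'default': action}."""
    if control == "required":           # shorthand for [success=ok default=bad]
        return {"success": "ok", "default": "bad"}
    return dict(tok.split("=") for tok in control.strip("[]").split())

def run_stack(ctx, stack=STACK):
    """Evaluate the stack; return (final result, modules actually invoked)."""
    invoked, failed, i = [], False, 0
    while i < len(stack):
        control, module, args = stack[i]
        invoked.append(module)
        result = MODULES[module](ctx, args)
        actions = parse_control(control)
        action = actions.get(result, actions["default"])
        if action.isdigit():            # "default=1": skip the next N modules
            i += 1 + int(action)
            continue
        if action == "bad":             # a required module failed: remember it
            failed = True
        i += 1                          # "ok" and "ignore" just move on
    return (PAM_PERM_DENIED if failed else PAM_SUCCESS, invoked)
```

Calling run_stack with service "cron" returns success after invoking only pam_succeed_if.so, while "sshd" or "login" goes on to invoke pam_access.so.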
As you can see in the screenshot below, the string in “Name” shows up on the pam-auth-update dialog: