/var/log/secure peppered with crond: pam_unix(crond:account): account student-user has expired (account expired)

This is a test Fedora 30 server. I had been seeing the below logs

Sep 30 13:38:30 oldstorm sshd[2556]: debug1: server_input_global_request: rtype keepalive@openssh.com want_reply 1
Sep 30 13:39:01 oldstorm systemd: pam_unix(systemd-user:session): session opened for user student-user by (uid=0)
Sep 30 13:39:11 oldstorm systemd: pam_unix(systemd-user:session): session closed for user student-user
Sep 30 13:40:01 oldstorm systemd: pam_unix(systemd-user:session): session opened for user student-user by (uid=0)

So ran chage -E 0 student-user

But now I see these logs:
crond[xxxxx]: pam_unix(crond:account): account student-user has expired (account expired)

In the earlier logs this shows as UID=0, which it clearly is not the root user. What else should I check? The last log mentions crond so could this be a cron task running?

Two main things of interest going on here:

  • sshd runs as root, so those logs are saying that student-user was authenticated by something running as root (in this case, sshd).
  • afaik chage -E 0 will set an expiry date for 1970, if you want to remove the date you want -E -1.
1 Like

OK this gave me a clue. This thread helped me find the command to find cronjobs by this user:

crontab -u student-user -l

And it as simply a test cron the user created and forgot to comment out or just remove. Issue solved.

1 Like