Chapter 8. Maintenance62This particular job will run randomly between 1:00 a.m. and 3:30 a.m. system time each night andredirect stdout and stderr from cron to prevent duplicating the more easily read message fromsatellite-sync. Options other than --email can also be included. Refer to Table 6.2, “SatelliteImport/Sync Options” for the full list of options. Once you exit from the editor, the modified crontab isinstalled immediately.8.9. Implementing PAM AuthenticationAs security measures become increasingly complex, administrators must be given tools that simplifytheir management. For this reason, RHN Satellite Server supports network-based authenticationsystems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that helps systemadministrators integrate the Satellite with a centralized authentication mechanism, thus eliminating theneed for remembering multiple passwords.RHN Satellite Server supports LDAP, Kerberos, and other network-based authentication systems viaPAM. To enable the Satellite to use PAM and your organization's authentication infrastructure, followthe steps below.NoteTo ensure that PAM authentication functions properly, install the pam-devel package.Set up a PAM service file (usually /etc/pam.d/rhn-satellite) and have the Satellite use it byadding the following line to /etc/rhn/rhn.conf:pam_auth_service = rhn-satelliteThis assumes the PAM service file is named rhn-satellite.To enable a user to authenticate against PAM, select the checkbox labeled PluggableAuthentication Modules (PAM). It is positioned below the password and password confirmationfields on the Create User page.As an example, for a Red Hat Enterprise Linux 4 i386 system, to authenticate against Kerberos onecould put the following in /etc/pam.d/rhn-satellite:#%PAM-1.0auth required pam_env.soauth sufficient pam_krb5.so no_user_checkauth required pam_deny.soaccount required pam_krb5.so no_user_checkPlease note that changing the password on the RHN website changes only the local password onthe RHN Satellite Server, which may not be used at all if PAM is enabled for that user. In the aboveexample, for instance, the Kerberos password will not be changed.8.10. Enabling Push to ClientsIn addition to allowing client systems to regularly poll the Satellite for scheduled actions, you mayenable the Satellite to immediately initiate those tasks on Provisioning-entitled systems. This bypasses