pam_open_session: System error and sudo: policy plugin failed session initialization with no pass expiary in etc/pam.d/password-auth
I am struggeling with an error in REHL 7. I have a REHL Image witch is accessible only over SSH key without user/password credentials.
To prevent the password renew process after 90 days (which is not possible with SSH key) I added the no_pass_expiry in my etc/pam.d/password-auth
but then i receive the following error when i try to sudo
pam.d]$ sudo su -
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
this only occures after the 90 day.
Answer
Your password is probably expired. for example... here's sudo with an expired user:
[user@server ~]$ sudo whoami
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
[user@server ~]$
[user@server ~]$ chage -l user
Last password change : May 07, 2018
Password expires : Aug 05, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 10
Now, as shown, after reseting the expiration flag, sudo works as expected:
[root@server]# chage -m 0 -M 99999 -I -1 -E -1 user
[root@server]# chage -l user
Last password change : May 07, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 10
[user@server ~]$ sudo whoami
root
You can confirm that on /var/log/secure by checking for similar messages as the ones listed below:
Feb 27 16:59:14 server sudo: pam_unix(sudo:account): expired password for user user (password aged)
Feb 27 16:59:14 server sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=anotheruser ; COMMAND=/usr/bin/whoami