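I am hitting an error on RHEL 7. I have a RHEL image machine that is only accessible via SSH keys, with no user/password credentials.
To avoid the password renewal process after 90 days (which is not possible with SSH keys), I added no_pass_expiry to my etc/pam.d/password-auth
But when I try sudo, I get the following error: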
pam.d]$ sudo su -
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
This only happens after 90 days.
Your password has probably expired. For example, this is sudo for an expired user:
[user@server ~]$ sudo whoami
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
[user@server ~]$
[user@server ~]$ chage -l user
Last password change : May 07, 2018
Password expires : Aug 05, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 10
Now, as shown, after resetting the expiry flags, sudo works as expected:
[root@server]# chage -m 0 -M 99999 -I -1 -E -1 user
[root@server]# chage -l user
Last password change : May 07, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 10
[user@server ~]$ sudo whoami
root
You can confirm this by checking /var/log/secure for messages similar to the ones listed below:
Feb 27 16:59:14 server sudo: pam_unix(sudo:account): expired password for user user (password aged)
Feb 27 16:59:14 server sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=anotheruser ; COMMAND=/usr/bin/whoami
If SELinux is enforcing, make sure /etc/shadow has the correct context label. Running restorecon /etc/shadow will fix this issue.
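An added example, not part of the original posts: a small audit that finds accounts whose password has aged out (or soon will) from shadow-format data, and pulls the affected users out of the pam_unix "password aged" messages quoted above. The function names and the shadow sample are constructed for illustration, and the aging rule is simplified to "last change + maximum age", ignoring the inactive and account-expiry fields.

```python
import re
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample in /etc/shadow layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day 17658 after the epoch is May 07, 2018, the date in the chage output above.
SHADOW_SAMPLE = """\
user:!!:17658:1:90:10:::
keyonly:!!:17658:0:99999:10:::
nolimit:!!:17658:0:::::
"""

# The two /var/log/secure lines quoted in the answer above.
LOG_SAMPLE = """\
Feb 27 16:59:14 server sudo: pam_unix(sudo:account): expired password for user user (password aged)
Feb 27 16:59:14 server sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=anotheruser ; COMMAND=/usr/bin/whoami
"""

AGED_RE = re.compile(
    r"pam_unix\(sudo:account\): expired password for user (\S+) \(password aged\)")

def password_expiry(shadow_line):
    """Return (name, expiry date), or (name, None) when no maximum age is set."""
    fields = shadow_line.strip().split(":")
    name, lastchg, max_days = fields[0], fields[2], fields[4]
    if not lastchg or not max_days or int(max_days) < 0:
        return name, None
    return name, EPOCH + timedelta(days=int(lastchg) + int(max_days))

def aged_accounts(shadow_text, today, warn_days=0):
    """Accounts whose password expired before `today`, or will within warn_days."""
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, expiry = password_expiry(line)
        if expiry is not None and expiry < today + timedelta(days=warn_days):
            hits.append((name, expiry))
    return hits

def users_with_aged_sudo(log_text):
    """Users for whom sudo's account check logged an aged password."""
    return sorted(set(AGED_RE.findall(log_text)))

if __name__ == "__main__":
    for name, expiry in aged_accounts(SHADOW_SAMPLE, date.today(), warn_days=14):
        print(f"{name}: password expiry {expiry}")
    print("seen in log:", users_with_aged_sudo(LOG_SAMPLE))
```

To run it against a live host, pass the contents of /etc/shadow and /var/log/secure (both readable only by root) in place of the samples.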