pam_unix generates a lot of open/close sessions for my domain user

I set up a new VPS with Ubuntu 18.04, including Virtualmin/Usermin. In auth.log I see a lot of

su[12936]: Successful su for domain by root
su[12936]: + ??? root:domain 
systemd-logind[148]: New session c315 of user domain .
su[12936]: pam_unix(su:session): session opened for user domain by (uid=0)
su[12936]: pam_unix(su:session): session closed for user domain 

in syslog, I see a lot of

systemd[1]: Started Session c314 of user domain.
systemd[1]: Started Session c315 of user domain.

domain is the user of my virtual server defined in the VPS. c314/c315 increased by 1 each time... It used to appear every 2-3 minutes, now it's every 5 minutes.

Reading on the internet about this, all the "solutions" were how to remove this logging from the log but nothing was explaining what are all those open/close sessions in the first place.

Also, when running loginctl list-sessions those sessions are accumulated in "active=yes" and "state=closing" mode and never disappear from the list. At the moment there are 95 such sessions.

What is happening on my VPS, who is opening/closing sessions so many times and why? Also, why do those sessions never disappear from the sessions list?

Thanks

update

loginctl session-status c315
c315 - domain (1000)
           Since: Sat 2020-02-08 20:27:08 UTC; 23h ago
          Leader: 12936
             TTY: ???
          Remote: user root
         Service: su; type tty; class user
           State: closing
            Unit: session-c315.scope

Unit user-1000.slice (/user.slice/user-1000.slice):
└─session-2691929.scope
  ├─19035 sshd: domain [priv]
  ├─19051 sshd: domain@pts/0
  ├─19052 -bash
  ├─20124 sudo systemd-cgls -u user-1000.slice
  ├─20125 systemd-cgls -u user-1000.slice
  └─20126 pager

Solution 1:

pam_unix sessions exit normally, as seen in the logs. That increasing number of sessions consists of systemd-logind sessions, which for some reason remain open, even when they don't contain any processes.

A workaround you might try would be to force systemd-logind to kill all the session processes, when the session leader exits. You can do it by modifying the KillUserProcesses and KillOnlyUsers setting in /etc/systemd/logind.conf:

KillUserProcesses=yes
KillOnlyUsers=domain

and restarting systemd-logind:

systemctl restart systemd-logind

However, this does not answer the question, why the sessions are not closing by themselves, since the session scopes are empty.

Edit: About the difference between pam_unix and systemd-logind sessions:

  • pam_unix sessions consist of a small record added to or removed from /var/run/utmp. You can list them with w or who,
  • systemd-logind sessions are heavier, as explained in the manpage of pam_systemd. Dangling systemd-logind sessions consume much more resources. They are listed with loginctl list-sessions

Since you identified a possible culprit (in a comment to this answer), you can apply another workaround: replace

@include common-session

in /etc/pam.d/su with:

@include common-session-noninteractive

which does not contain pam_systemd. When you modify PAM files, the usual precautions apply: keep a root shell active (e.g. sudo -i) until you have tested the new config, in case you break something.
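
One way to check that the /etc/pam.d/su edit described in the answer above really removes pam_systemd from su's session stack is to resolve the include chain and list the session modules it loads. This is an added example, not part of the original answer; the function names, the sample files and the file name su.fixed are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a PAM service's session stack load pam_systemd?
# Follows "@include" lines and "include"/"substack" controls.

# pam_session_modules SERVICE [PAM_DIR] -> one session module name per line
pam_session_modules() (
    dir=${2:-/etc/pam.d}
    [ -r "$dir/$1" ] || { echo "missing: $dir/$1" >&2; return 1; }
    # Drop comments; collapse a bracketed control such as
    # "[success=ok default=bad]" to one token so the fields split cleanly.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/[ctl]/' "$dir/$1" |
    while read -r type control module rest; do
        case $type in
            @include) pam_session_modules "$control" "$dir" ;;
            session|-session)
                case $control in
                    include|substack) pam_session_modules "$module" "$dir" ;;
                    *) echo "${module##*/}" ;;
                esac ;;
        esac
    done
)

# uses_pam_systemd SERVICE [PAM_DIR] -> exit status 0 if pam_systemd.so is loaded
uses_pam_systemd() {
    pam_session_modules "$1" "${2:-/etc/pam.d}" 2>/dev/null |
        grep -qx 'pam_systemd\.so'
}

# Constructed, abbreviated sample files; "su.fixed" is a hypothetical name
# for the copy of "su" with the include swapped as the answer suggests.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$d/common-session"
    printf '%s\n' 'session [default=1] pam_permit.so' \
        'session required pam_unix.so' > "$d/common-session-noninteractive"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'session required pam_env.so readenv=1' \
        '@include common-session' > "$d/su"
    sed 's/^@include common-session$/@include common-session-noninteractive/' \
        "$d/su" > "$d/su.fixed"
    echo "$d"
}

# Demo on the constructed sample; on a real host run: uses_pam_systemd su
sample=$(make_sample_pam_dir)
for svc in su su.fixed; do
    if uses_pam_systemd "$svc" "$sample"; then echo "$svc: pam_systemd loaded"
    else echo "$svc: no pam_systemd"; fi
done
rm -rf "$sample"
```

Running the check against the live /etc/pam.d before and after the edit, from the root shell kept open for the change, shows whether new su sessions will still register with systemd-logind.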