Can't unlock linux user account

14

1

I've got a Linux box (OpenSuSE 11.3) with a locked-out user account. I logged in as the root account to unlock it with passwd -u <user>, but I get a message 'Cannot unlock the password for <user>!'

I tried changing the password to something new via passwd, but attempting to log in with this new password still gives the 'account has been locked due to x failed attempts' error message.

passwd -S gives status flags of 'PS' for the account. I don't recognise 'S', but at any rate it's not showing either 'L' (locked) or 'NP' (no password). /etc/shadow doesn't contain any weird characters like ! at the front of the line for this account. Looking at it in this distro's management app (YaST) appears to show that it isn't locked (the 'disable account' button is unchecked).

Where else do I need to check to see how and why this account is refusing to unlock/login?

jam

Posted 2013-04-29T14:25:31.923

Reputation: 629

Which distribution and version? – depquid – 2013-04-29T15:00:30.350

This machine is OpenSuSE 11.3 – jam – 2013-04-29T15:19:33.050

Answers

18

I had this issue today. This was the fix.

pam_tally --user= --reset

Example

pam_tally --user=cyberninja --reset

I hope this helps someone.


I found this post looking for an answer to this exact question. I had the same error but on a SLES 11 SP2 server. My co-worker reset my password and tried to unlock my account with the command passwd -u. One of my other co-workers said I needed to clear the account in PAM and gave me the command, which I have posted above.


Update,

I now have a fix that keeps this from happening again. It seems that there are two PAM files that were in conflict. These files are: /etc/pam.d/login and /etc/pam.d/sshd. Both files have this line.

auth required pam_tally.so onerr=fail deny=3

You must comment out this line in one of the files listed above. We commented the line out in the /etc/pam.d/sshd file.

After you do this you should never have this issue again.

Cyberninja

Posted 2013-04-29T14:25:31.923

Reputation: 311

Worked in my RHEL6 server too. the command was 'pam_tally2' however. – SidJ – 2016-10-04T05:55:17.240

Check the PAM config! In my PAM, it used file /var/log/faillog, but pam_tally2 command by default uses /var/log/tallylog, so reported user as not locked. You can use pam_tally2 --file /var/log/faillog. – Marki555 – 2017-07-06T07:51:23.333

Welcome to SU. Try to explain a bit more about how you got your problem and also a little bit more about your answer if you can. – Sickest – 2014-02-19T19:16:07.447

Ok Sickest, I will update my post. – Cyberninja – 2014-02-19T19:24:17.137
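
Cyberninja's update above describes two pam.d files that each carry a pam_tally line. The Python script below is an added example, not code from the thread or from any poster: it flattens each service's auth stack, following include, substack and Debian's @include, and reports every service that runs pam_tally or pam_tally2 more than once, so one bad password is counted two or three times. The sample pam.d contents are constructed for the example (hypothetically placing the tally line in a shared common-auth file as well as in sshd and login); load_pamd() reads a real /etc/pam.d directory into the same shape.

```python
"""Find services whose auth stack runs pam_tally/pam_tally2 more than once,
so that one bad password is counted two or three times.  Added example, not
from the thread.  Follows `include`/`substack` and Debian's `@include`, so a
tally line in a shared common-auth file is attributed to every service that
pulls it in.  Assumes the usual /etc/pam.d/<service> layout."""
import os

TALLY_MODULES = ("pam_tally.so", "pam_tally2.so")


def parse_pam_lines(text: str):
    """Yield (type, control, module, args) for each active line of a pam.d file.
    Handles backslash continuations, comments, [bracketed] controls, @include."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1:   # Debian form: all types of that file
            yield ("*", "include", parts[1], [])
            continue
        if len(parts) < 3:
            continue                                     # malformed line
        if parts[1].startswith("["):                     # e.g. [success=1 default=ignore]
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None or end + 1 >= len(parts):
                continue
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        yield (parts[0], control, rest[0], rest[1:])


def tally_lines(files: dict, service: str, mtype: str = "auth", _stack: tuple = ()) -> list:
    """Flatten `service`'s `mtype` stack and return each tally line as
    (file, module, args).  `files` maps service name to file text."""
    if service in _stack or service not in files:        # include loop or missing file
        return []
    found = []
    for t, control, module, args in parse_pam_lines(files[service]):
        if t.lstrip("-") not in (mtype, "*"):             # '-auth' is the optional-module prefix
            continue
        if control in ("include", "substack"):
            found += tally_lines(files, module, mtype, _stack + (service,))
        elif module in TALLY_MODULES:
            found.append((service, module, " ".join(args)))
    return found


def double_counting(files: dict, mtype: str = "auth") -> dict:
    """{service: [tally lines]} for every service that counts failures more than once."""
    fragments = ("common-", "system-auth", "password-auth", "postlogin")  # included, not services
    result = {}
    for svc in sorted(files):
        if svc.startswith(fragments):
            continue
        lines = tally_lines(files, svc, mtype)
        if len(lines) > 1:
            result[svc] = lines
    return result


def load_pamd(directory: str = "/etc/pam.d") -> dict:
    """Read a real pam.d directory into the {service: text} shape used above."""
    files = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
    return files


# Constructed sample modelled on the thread: the per-service line from the
# answer, plus (hypothetically) the same line in the shared common-auth file.
TALLY = "auth required pam_tally.so onerr=fail deny=3\n"
SAMPLE_PAMD = {
    "sshd":  "auth requisite pam_nologin.so\n" + TALLY + "auth include common-auth\n",
    "login": "auth requisite pam_nologin.so\n" + TALLY + "auth include common-auth\n",
    "sudo":  "@include common-auth\n",
    "common-auth": "auth required pam_env.so\n" + TALLY
                   + "auth [success=1 default=ignore] pam_unix.so try_first_pass\n"
                   + "auth required pam_deny.so\n",
}

if __name__ == "__main__":
    for svc, lines in double_counting(SAMPLE_PAMD).items():
        print(svc, "counts each failure", len(lines), "times:")
        for where, module, args in lines:
            print("   ", where, module, args)
```

With the sample, sshd and login are reported twice each while sudo (which only reaches the line through common-auth) is not; commenting the tally line out of sshd, as the answer did, leaves sshd with a single count. Run double_counting(load_pamd()) as root on the box in question to see where your own stacks double up.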

8

I have been facing the same issue today with one user account in a server running SUSE Linux Enterprise Server 11 SP2, even after resetting the password and changing the age to 0 (chage -d 0 userID)

[me@mordor ~]$ ssh frodo@mordor

Welcome to SUSE Linux Enterprise Server 11 SP2  (x86_64) - Kernel \r (\l).


Account locked due to 29 failed logins
Password:
Account locked due to 30 failed logins
Password:

This was the same scenario described by @Jam in his original post: nothing showed the account as locked, either in "/etc/passwd" or in "/etc/shadow". Commands such as "passwd -S -a | grep frodo" showed that the ID was not locked (LK):

me@mordor:~> sudo passwd -S -a | grep frodo
frodo PS 01/01/1970 1 90 7 180

Also "pam_tally2" showed that the ID was NOT locked:

me@mordor:~> sudo /sbin/pam_tally2 --user frodo
Login           Failures Latest failure     From
frodo             0

But the problem was in fact with "pam_tally":

me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 32

After unlocking the userID password, I was able to login with the new credentials and avoid the error message.

me@mordor:~> sudo /sbin/pam_tally --user frodo --reset
User frodo    (500)   had 32
me@mordor:~> sudo /sbin/pam_tally --user frodo
User frodo    (500)   has 0

Hope this helps someone else avoid breaking his/her head as I did in the last hour or so... So, to make a long story short, be sure to check both "pam_tally" and "pam_tally2" when the account is locked in SuSE!!

Regards, Hernan.

3LRusS1T0

Posted 2013-04-29T14:25:31.923

Reputation: 81

Thanks so much:) What's the difference between pam_tally and pam_tally2? – mwfearnley – 2016-07-04T15:22:42.277

Check the PAM config! In my PAM, it used file /var/log/faillog, but pam_tally2 command by default uses /var/log/tallylog, so wrongly reported user as not locked. You can use pam_tally2 --file /var/log/faillog. – Marki555 – 2017-07-06T07:51:56.360
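
Hernan's answer and Marki555's comment come down to one point: pam_tally reads /var/log/faillog and pam_tally2 reads /var/log/tallylog, and the counter in whichever file your PAM stack actually uses is what locks you out. The Python below is an added example, not code from the thread: it decodes both per-UID record formats, reports which file would deny a user at a given deny=N, and zeroes a counter the way --reset does. The record layouts assume a 64-bit build (x86_64 struct padding); the byte images are constructed for the example rather than read from a live system, and the timestamps and tty names in them are made up.

```python
"""Read and reset the per-UID counters behind pam_tally (/var/log/faillog)
and pam_tally2 (/var/log/tallylog).  Added example, not from the thread;
assumes the 64-bit (x86_64) struct layouts below."""
import struct

# pam_tally's faillog.h: struct faillog { short fail_cnt; short fail_max;
#   char fail_line[12]; time_t fail_time; long fail_locktime; }  -> 32 bytes on x86_64
FAILLOG_FMT = "<hh12sqq"
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)
# pam_tally2's tallylog.h: struct tallylog { char reserved[2]; uint16_t fail_cnt;
#   uint64_t fail_time; char fail_line[52]; }                    -> 64 bytes
TALLYLOG_FMT = "<2sHQ52s"
TALLYLOG_SIZE = struct.calcsize(TALLYLOG_FMT)


def read_faillog(data: bytes, uid: int) -> dict:
    """Record for `uid` as `pam_tally --user` reads it (the file is indexed by UID)."""
    off = uid * FAILLOG_SIZE
    if off + FAILLOG_SIZE > len(data):          # short file: no record yet, count 0
        return {"count": 0, "line": "", "time": 0}
    cnt, _max, line, when, _lock = struct.unpack_from(FAILLOG_FMT, data, off)
    return {"count": cnt, "line": line.rstrip(b"\0").decode("ascii", "replace"), "time": when}


def read_tallylog(data: bytes, uid: int) -> dict:
    """Record for `uid` as `pam_tally2 --user` reads it."""
    off = uid * TALLYLOG_SIZE
    if off + TALLYLOG_SIZE > len(data):
        return {"count": 0, "line": "", "time": 0}
    _res, cnt, when, line = struct.unpack_from(TALLYLOG_FMT, data, off)
    return {"count": cnt, "line": line.rstrip(b"\0").decode("ascii", "replace"), "time": when}


def locked_by(faillog: bytes, tallylog: bytes, uid: int, deny: int) -> list:
    """Which of the two files would make its module refuse `uid` with deny=N.
    Both modules deny once the tally exceeds N, and the refused attempt is
    itself counted, which is why the banner in the thread climbs 29, 30, ..."""
    hits = []
    if read_faillog(faillog, uid)["count"] > deny:
        hits.append("faillog")
    if read_tallylog(tallylog, uid)["count"] > deny:
        hits.append("tallylog")
    return hits


def reset_faillog(data: bytes, uid: int, count: int = 0) -> bytes:
    """What `pam_tally --user U --reset[=N]` does: overwrite fail_cnt, keep the rest."""
    off = uid * FAILLOG_SIZE
    if off + FAILLOG_SIZE > len(data):
        return data
    buf = bytearray(data)
    struct.pack_into("<h", buf, off, count)
    return bytes(buf)


def reset_tallylog(data: bytes, uid: int, count: int = 0) -> bytes:
    """What `pam_tally2 --user U --reset[=N]` does; fail_cnt sits after 2 reserved bytes."""
    off = uid * TALLYLOG_SIZE
    if off + TALLYLOG_SIZE > len(data):
        return data
    buf = bytearray(data)
    struct.pack_into("<H", buf, off + 2, count)
    return bytes(buf)


def build_faillog(counts: dict) -> bytes:
    """Constructed sample image, {uid: count}; stands in for /var/log/faillog."""
    buf = bytearray((max(counts) + 1) * FAILLOG_SIZE)
    for uid, cnt in counts.items():
        struct.pack_into(FAILLOG_FMT, buf, uid * FAILLOG_SIZE, cnt, 0, b"ssh:notty", 1367242800, 0)
    return bytes(buf)


def build_tallylog(counts: dict) -> bytes:
    """Constructed sample image, {uid: count}; stands in for /var/log/tallylog."""
    buf = bytearray((max(counts) + 1) * TALLYLOG_SIZE)
    for uid, cnt in counts.items():
        struct.pack_into(TALLYLOG_FMT, buf, uid * TALLYLOG_SIZE, b"\0\0", cnt, 1367242800, b"mordor")
    return bytes(buf)


if __name__ == "__main__":
    # The thread's situation: frodo (uid 500) has 32 failures in faillog, 0 in tallylog.
    faillog = build_faillog({500: 32})
    tallylog = build_tallylog({500: 0})
    print("locked by:", locked_by(faillog, tallylog, 500, deny=3))
    faillog = reset_faillog(faillog, 500)
    print("after reset:", locked_by(faillog, tallylog, 500, deny=3))
```

To inspect a live box, pass the raw file contents (open("/var/log/faillog", "rb").read() and the same for tallylog) together with the user's UID from getpwnam; if only the faillog side reports a hit, that is the case in the answer above, where pam_tally2 said 0 and pam_tally said 32.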

3

You can type:

pam_tally2 -r -u user_name

to unlock the account.

lejuste

Posted 2013-04-29T14:25:31.923

Reputation: 29

1

Try

usermod --expire 9999

to disable inactivity for the account (this sets the expire date to 1/1/9999). passwd -u only works if the password is "locked", but not for disabled accounts.

Darth Android

Posted 2013-04-29T14:25:31.923

Reputation: 35 133

I see, so there is a difference between the password being locked/disabled and the account being locked/disabled? The message on failed login misled me then. Will this method affect the password expiry date, or is 'account expiry' a separate thing? – jam – 2013-04-30T07:01:50.543

I tried this and now when I attempt to log in it just says 'login failed' even though I am definitely getting the password correct (after 1 failure I changed it to be 100% sure of this). Any suggestions? S: – jam – 2013-04-30T07:05:46.620

This will change the account expiration, which is separate from the password expiration. So accounts may be active or expired, passwords may be active, locked, or expired, and it's possible to automatically expire an account after the password expires. What is the output of passwd --status <username> ? It would be helpful if you could add that to your question. – Darth Android – 2013-04-30T16:25:30.137

The version of passwd on this distro doesn't accept --status as an option but passwd -S <user> ('show password attributes') gives: <user> PS <date> <password expiry options> where date is the date I last changed the password (yesterday), and password expiry options are min age (0), max age (90), days before expiry to issue warning (7), and days after expiry with usable login (-1). These settings all worked before, so I don't think any of them are the cause of the problem. – jam – 2013-05-01T08:58:44.257

1

The problem could also have been that the account was just created and no password was assigned yet.

If so, passwd -S <user> will show LK (for locked) and passwd -u <user> will not work.

You just need to assign a password to the user to fix the issue.

Otin

Posted 2013-04-29T14:25:31.923

Reputation: 11
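
Darth Android's and Otin's answers, and the comments under them, separate three states that the login error message lumps together: a locked password (passwd -l, or a freshly created account with no password yet), an expired password (max age plus the inactive grace period) and an expired account (usermod -e / chage -E). Only the first is what passwd -u undoes. The Python below is an added example, not code from the thread: it parses shadow(5) lines and classifies each one, approximating the aging rules of pam_unix's account check (assumption: pam_unix is the module enforcing aging on the box). The shadow entries and the date are constructed for the example and the hashes are placeholders.

```python
"""Classify an /etc/shadow entry the way `passwd -S` and pam_unix's account
check see it: a locked password, an expired password and an expired account
are three separate states, and only the first is what `passwd -u` undoes.
Added example, not from the thread; the aging rules approximate pam_unix's
check_shadow_expiry() (assumption: pam_unix enforces aging on the box)."""
import datetime as dt


def days_since_epoch(day: dt.date) -> int:
    """shadow(5) stores every date as days since 1970-01-01."""
    return (day - dt.date(1970, 1, 1)).days


def _num(field: str, default: int = -1) -> int:
    return int(field) if field.strip() else default


def parse_shadow(line: str) -> dict:
    """Split one shadow(5) line into named fields; an empty field means 'unset'."""
    f = (line.rstrip("\n").split(":") + [""] * 9)[:9]
    return {"name": f[0], "hash": f[1], "lastchg": _num(f[2]), "min": _num(f[3], 0),
            "max": _num(f[4]), "warn": _num(f[5]), "inact": _num(f[6]), "expire": _num(f[7])}


def password_flag(hash_field: str) -> str:
    """The status column of `passwd -S`: NP (no password), LK (locked: a '!'
    or '*' prefix, which is also what a new account carries before its first
    password is set), PS (usable).  shadow-utils prints these as NP/L/P,
    SUSE's pwdutils as NP/LK/PS; the pwdutils labels are used here."""
    if hash_field == "":
        return "NP"
    if hash_field[0] in "!*":
        return "LK"
    return "PS"


def account_state(entry: dict, today: int) -> dict:
    """Approximate pam_unix's account result for `entry` on day `today`.
    Returns the password flag plus the account and aging states separately."""
    st = {"password": password_flag(entry["hash"]), "account": "active", "aging": "ok"}
    if entry["expire"] != -1 and today >= entry["expire"]:
        st["account"] = "expired"            # PAM_ACCT_EXPIRED, set by usermod -e / chage -E
        return st
    if entry["lastchg"] == 0:
        st["aging"] = "must_change"          # chage -d 0: forced change at next login, not a lockout
        return st
    if entry["max"] == -1 or today < entry["lastchg"]:
        return st                            # no aging, or a last-change date in the future
    age = today - entry["lastchg"]
    if age > entry["max"]:
        if entry["inact"] != -1 and age > entry["max"] + entry["inact"]:
            st["aging"] = "expired"          # PAM_AUTHTOK_EXPIRED: inactive grace period used up
        else:
            st["aging"] = "must_change"      # PAM_NEW_AUTHTOK_REQD; inact=-1 means no hard cutoff
    elif entry["warn"] != -1 and age > entry["max"] - entry["warn"]:
        st["aging"] = "warn"
    return st


# Constructed sample entries (placeholder hashes) evaluated on 2013-05-01, the
# day of the last comment in the thread.  'jam' mirrors the fields the asker
# reported: min 0, max 90, warn 7, inactive -1, password changed the day before.
TODAY = days_since_epoch(dt.date(2013, 5, 1))
SAMPLE_SHADOW = [
    "jam:$6$salt$hash:15825:0:90:7:-1::",        # usable; nothing in shadow explains a lockout
    "frodo:$6$salt$hash:0:1:90:7:180::",         # chage -d 0 was run: must change, not locked
    "locked:!$6$salt$hash:15825:0:90:7:-1::",    # passwd -l / usermod -L: passwd -u fixes this
    "newuser:!:15825:0:99999:7:::",              # created with no password yet: set one
    "gone:$6$salt$hash:15000:0:90:7:-1:15500:",  # account expiry date has passed
    "stale:$6$salt$hash:15000:0:90:7:30::",      # 826 days old, 30-day grace used up
]


def report(lines=SAMPLE_SHADOW, today: int = TODAY) -> dict:
    """{user: state} for each shadow line, e.g. the lines of open('/etc/shadow')."""
    return {e["name"]: account_state(e, today) for e in map(parse_shadow, lines)}


if __name__ == "__main__":
    for user, state in report().items():
        print(f"{user:8} {state['password']:3} account={state['account']:8} aging={state['aging']}")
```

If every entry comes back PS / active / ok and the login still says the account is locked, nothing in /etc/shadow is responsible and the counter lives in PAM's tally files, which is where the accepted answer went looking.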

0

With this command, you can create an unlocked user without any password:

adduser --gecos "Username" --disabled-password "username"

This means no random password hanging on the system.

Congelli501

Posted 2013-04-29T14:25:31.923

Reputation: 103