There are several situations in which your Linux user account may get locked. Some of the possible scenarios are:
- Password is explicitly locked by the administrator
- Account is explicitly locked by the administrator
- Password was never assigned, hence the user is unable to login
- Account expiry date is in the past
- Multiple failed login attempts (controlled by pam_tally2 or pam_faillock)
We will cover each of the above scenarios and share methods to unlock a Linux user account in each situation.
1. Unlock user account when password was never assigned
Now this is not a typical scenario of user lockout, but it is definitely one possible use case. Many times the administrator creates a user but forgets to assign a password. In such case, when the respective user tries to login, they may get "Access denied" and the log may contain "Failed password for XXXX".
First let's check if the password for this user is locked:
```
~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)
```
Yes, as expected the user account's password seems to be locked. We can try to unlock it using the passwd --unlock command:
```
~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)
```
This means that the user's password is currently empty, which is most likely the case when the user's password was never SET. We will confirm this by checking the entry for this user in the /etc/shadow file:
```
~]# grep user1 /etc/shadow
user1:!!:18727:0:99999:7:::
```
If you are familiar with the different fields of the /etc/shadow file, you will know that the second field contains the encrypted password. In our case the second field for user1 contains two exclamation marks (!!) ONLY, which means a password was never set for this user.
For example, here is an output snippet for the root user where you can see that the second field contains the encrypted password:
```
~]# grep root /etc/shadow
root:$6$2Q02Bth6X33J4pkY$fsAoDYSSd.JjSGfiLyqL3Ux/8UylBydeAkrD02qvPkvUPQs0bt6JJyWqPY4WuP7TKLcS2be.nSWZ9qymbKWUh1::0:99999:7:::
```
So in such a scenario there is nothing to unlock; just go ahead and assign a password to this user using:
```
# passwd USER
```
For example, I will assign a password for user1:
```
[root@server-2 ~]# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
```
and now I should be able to login with this user:
```
login as: user1
user1@127.0.0.1's password:
Web console: https://server-2.example.com:9090/ or https://192.168.0.152:9090/
Last failed login: Sat Apr 10 15:28:50 IST 2021 from 10.0.2.2 on ssh:notty
There were 2 failed login attempts since the last successful login.
[user1@server-2 ~]$
```
2. Unlock user account when password is locked
We can also lock a user account by locking the user's password with the passwd command. For example, here I have locked user1's password:
```
~]# passwd --lock user1
Locking password for user user1.
passwd: Success
```
Here, from the passwd man page:
```
-l, --lock  This option is used to lock the password of specified account and it is available to root only.
            The locking is performed by rendering the encrypted password into an invalid string (by prefixing
            the encrypted string with an !). Note that the account is not fully locked - the user can still
            log in by other means of authentication such as the ssh public key authentication.
```
So as you can see from the man page of passwd, the password is locked but the user can still login using other means such as public key authentication.
To verify if the user account password is locked:
```
[root@server-2 ~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)
```
You can also check the user entry in the /etc/shadow file:
```
~]# grep user1 /etc/shadow
user1:!!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7:::
```
As you can see, we have two additional exclamation marks in the password field. But the output is different from Scenario 1 we discussed above. Here we do have an encrypted password (so password is not empty) but since the encrypted password has been modified, it is not recognised any more hence the user fails to login.
To unlock the user password, we need to use the --unlock argument with the passwd command:
```
~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Success
```
Or you can just go ahead and remove those exclamation marks from the user1 entry in the /etc/shadow file, and that should also unlock the user account:
```
~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)
```
3. Unlock user account when account is locked using usermod
We can use the following usermod command to lock the password of any Linux user account:
```
~]# usermod --lock user1
```
This option is similar to passwd --lock, as the above command will add a single exclamation mark at the start of the second field of the /etc/shadow file for the respective user:
```
~]# grep user1 /etc/shadow
user1:!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7:::
```
Since the password field now contains an additional character, the stored value no longer matches any password and password login for the user is disabled.
The same can be verified using the passwd command:
```
~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)
```
To unlock such a user account in Linux, just use --unlock with usermod and the username:
```
~]# usermod --unlock user1
```
OR just go ahead and manually remove that exclamation mark from the user1 entry in the /etc/shadow file and re-verify the user account status:
```
~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)
```
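The three password-field states covered so far (never set, locked with passwd --lock, locked with usermod --lock) can all be told apart from the second field of /etc/shadow alone. The following shell script is an added example, not code from the article: it classifies a shadow entry by that field and shows the string rewrite that passwd --unlock performs on it. The sample entries are constructed with placeholder hashes, and nothing here writes to /etc/shadow; if you do edit the file by hand, use vipw -s so the file stays locked while you edit it.

```shell
#!/bin/sh
# Added example (not from the original article): classify the password field
# of an /etc/shadow entry the way scenarios 1-3 describe. No file is written.
# Usage: shadow_pw_status '<one line of /etc/shadow>'
# Prints one of: empty, never-set, locked, unusable, set
shadow_pw_status() {
    line=$1
    # Field 2 of the colon-separated entry is the (possibly prefixed) password hash.
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;      # no password required at all: set one immediately
        '!!'|'!')  echo never-set ;;  # no hash behind the marker: nothing to unlock, run passwd USER
        '!'*)      echo locked ;;     # hash prefixed with ! or !!: passwd --lock / usermod --lock
        '*')       echo unusable ;;   # conventional marker for accounts with no password login
        *)         echo set ;;        # an intact hash: passwd --status would report PS
    esac
}

# Strip the lock prefix so the hash is recognised again. This is the string
# rewrite that passwd --unlock / usermod --unlock perform on the second field;
# here it only prints the corrected line.
shadow_pw_unlock() {
    line=$1
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    rest=$(printf '%s\n' "$line" | cut -d: -f3-)
    pw=${pw#"!"}   # usermod --lock adds one "!"
    pw=${pw#"!"}   # passwd --lock adds two
    printf '%s:%s:%s\n' "$user" "$pw" "$rest"
}

# Constructed sample entries (placeholder hashes), one per scenario above.
for entry in \
    'user1:!!:18727:0:99999:7:::' \
    'user1:!!$6$placeholder$hash:18727:0:99999:7:::' \
    'user1:!$6$placeholder$hash:18727:0:99999:7:::' \
    'root:$6$placeholder$hash::0:99999:7:::'
do
    printf '%-9s %s\n' "$(shadow_pw_status "$entry")" "${entry%%:*}"
done
shadow_pw_unlock 'user1:!!$6$placeholder$hash:18727:0:99999:7:::'
```

The empty case is worth keeping in the classifier: an entry whose second field is blank is not locked but the opposite, so an audit over the whole file should flag it alongside the locked ones.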
4. Unlock user account when account is expired
It is also possible that your user account on the Linux box has expired, due to which you are not allowed to login. In such case, when you try to login, you may get the following message in /var/log/secure:
```
Apr 10 22:50:01 server-2 sshd[6074]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 22:50:01 server-2 sshd[6074]: fatal: Access denied for user user1 by PAM account configuration [preauth]
```
So first check the expiry date of the user using the chage command:
So as you can see, the expiry date of user1 is in the past, so it is quite obvious that the user account will be locked. To unlock such a user account, you just have to change the expiry date of this user to a date in the future.
For example, the following can be used to set an account to expire in 180 days:
```
[root@server-2 ~]# chage -E $(date -d +180days +%Y-%m-%d) user1
```
Now check the user expiry date:
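The expiry date that chage -E sets is stored in the eighth field of /etc/shadow as a number of days since 1970-01-01, so the check can be done on that field directly. This shell script is an added example (not from the article): it reports whether an entry has expired, computes the day number that chage -E $(date -d +180days +%Y-%m-%d) would store, and shows the field rewrite without touching the real file. The sample entries are constructed with placeholder hashes; the comparison treats the expiry day itself as already expired, which is how pam_unix evaluates the field.

```shell
#!/bin/sh
# Added example (not from the original article): work with the account-expiry
# field of /etc/shadow. Field 8 is the expiry date as days since 1970-01-01,
# which is what "chage -E YYYY-MM-DD" stores; an empty field means no expiry.

# Today's day number in the same unit as field 8 (assumes date +%s is available).
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_account_status '<shadow line>' <today_in_days>
# Prints no-expiry, active or expired. The expiry day itself counts as expired,
# which is how pam_unix evaluates the field.
shadow_account_status() {
    line=$1
    today=$2
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    if [ -z "$expire" ]; then
        echo no-expiry
    elif [ "$today" -ge "$expire" ]; then
        echo expired
    else
        echo active
    fi
}

# Day number that "chage -E $(date -d +Ndays +%Y-%m-%d)" would store: today + N.
new_expiry_days() {
    echo $(( $1 + $2 ))
}

# Rewrite field 8 of a shadow line (string only; the real file is not touched).
shadow_set_expiry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v d="$2" '{ $8 = d; print }'
}

# Constructed sample entries (placeholder hashes). 18727 is 2021-04-10, the date
# in the article's passwd --status output; an expiry of 18700 is 27 days earlier.
today=$(days_since_epoch)
for entry in \
    'user1:$6$placeholder$hash:18727:0:99999:7::18700:' \
    'user1:$6$placeholder$hash:18727:0:99999:7:::'
do
    printf '%-9s %s\n' "$(shadow_account_status "$entry" "$today")" "$entry"
done
# What "chage -E" for "expire in 180 days" does to the first sample entry:
shadow_set_expiry 'user1:$6$placeholder$hash:18727:0:99999:7::18700:' "$(new_expiry_days "$today" 180)"
```

Because the functions take the current day as a parameter, the same check can be run against a copy of /etc/shadow from a backup or another host without depending on the clock of the machine doing the audit.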
5. Unlock user account when locked after multiple failed login attempts
Now this is a more realistic and common scenario in which a user account can get locked. You forgot the password and kept on trying until you finally realised: Oh shit! My account is locked.
By default this feature is controlled via either the pam_tally2 or the pam_faillock module. To check the active module in your environment you can use:
```
~]# rpm -ql pam | grep -E 'faillock|tally2'
```
Sample output from a Linux server with both modules:
```
[root@server ~]# rpm -ql pam | grep -E 'faillock|tally2'
/usr/lib64/security/pam_faillock.so
/usr/lib64/security/pam_tally2.so
/usr/sbin/faillock
/usr/sbin/pam_tally2
/usr/share/doc/pam-1.1.8/html/sag-pam_tally2.html
/usr/share/doc/pam-1.1.8/txts/README.pam_faillock
/usr/share/doc/pam-1.1.8/txts/README.pam_tally2
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/usr/share/man/man8/pam_tally2.8.gz
/var/run/faillock
```
In this case I have both modules installed on my server, so depending on the module that was used to lock the user, you must use the same module to unlock the user account. In later distros it is possible that only one module is shipped.
For example, here only the pam_faillock module is available:
```
~]# rpm -ql pam | grep -E 'faillock|tally2'
/etc/security/faillock.conf
/usr/lib64/security/pam_faillock.so
/usr/sbin/faillock
/usr/share/doc/pam/txts/README.pam_faillock
/usr/share/man/man5/faillock.conf.5.gz
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/var/run/faillock
```
Here we don't have the pam_tally2 module, so we will only use the faillock module.
5.1 Using pam_faillock module
Assuming your admin is using pam_faillock to lock the user account, you can execute faillock from the terminal as the root user to list the failed login attempts:
Here I have intentionally given a wrong password to lock the user1 account; this can be confirmed using /var/log/secure:
```
Apr 10 23:07:43 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 10 23:07:43 server-2 sshd[11752]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked
```
To unlock the user account, here we will again use the faillock command as shown below:
```
[root@server-2 ~]# faillock --user user1 --reset
```
Now you will see that all the history of failed login attempts for user1 is cleared, so user1 can log back in:
```
~]# faillock
user1:
When                Type  Source                                           Valid
```
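Before resetting a counter it helps to see who is being locked out and from where, so that a lockout caused by someone else guessing at an account is not simply cleared and forgotten. The script below is an added example, not code from the article or from pam_faillock: it reads log lines in the same format as the /var/log/secure excerpt above (the lines here are constructed and the hosts are examples), counts pam_unix authentication failures per user and source host, lists the users pam_faillock reported as locked, and flags those at or above a deny threshold (3 is the faillock.conf default).

```shell
#!/bin/sh
# Added example (not from the original article): summarise pam_unix and
# pam_faillock entries from /var/log/secure before running
# "faillock --user USER --reset". Reads log text on stdin.

# Constructed sample log in the same format as the article's excerpt
# (hosts and PIDs are examples).
SAMPLE_LOG='Apr 10 23:07:41 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 10 23:07:42 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 10 23:07:43 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 10 23:07:43 server-2 sshd[11752]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked
Apr 10 23:09:10 server-2 sshd[11800]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.152 user=user2
Apr 10 23:09:12 server-2 sshd[11800]: Accepted password for user2 from 192.168.0.152 port 51200 ssh2'

# Count pam_unix authentication failures per "user rhost" pair.
# Output: one line per pair, "user host count", sorted by user.
failures_by_user() {
    awk '/pam_unix\(.*:auth\): authentication failure/ {
        user = ""; host = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/)  user = substr($i, 6)
            if ($i ~ /^rhost=/) host = substr($i, 7)
        }
        if (user != "") count[user " " host]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Users that pam_faillock itself reported as locked (the message quoted above).
locked_users() {
    awk '/pam_faillock\(.*\): Consecutive login failures for user/ {
        for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
    }' | sort -u
}

# Users whose failure count from any single host reached the deny threshold.
# Usage: over_threshold [deny]   (default 3, the faillock.conf default)
over_threshold() {
    deny=${1:-3}
    failures_by_user | awk -v deny="$deny" '$3 >= deny { print $1 }' | sort -u
}

echo "failures per user and source:"
printf '%s\n' "$SAMPLE_LOG" | failures_by_user
echo "locked by pam_faillock:"
printf '%s\n' "$SAMPLE_LOG" | locked_users
echo "at or over deny=3:"
printf '%s\n' "$SAMPLE_LOG" | over_threshold 3
```

Run it as `grep pam_ /var/log/secure | sh thisscript.sh` with the sample block removed, or feed it `journalctl -u sshd` output on systems without /var/log/secure. The per-host breakdown is the useful part: three failures from the user's own workstation look like a forgotten password, while the same count from an unknown address is a reason to keep the lock in place and look further.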
5.2 Using pam_tally2 module
If you are using pam_tally2
module to count login attempts and allow or deny a user login then you must also use pam_tally2
to unlock a user account in Linux. For example, here user1
is locked after multiple failed login attempts:
~]# pam_tally2
Login Failures Latest failure From
user1 9 04/10/21 23:36:56 192.168.0.152
So to reset the failed login attempts we use:
~]# pam_tally2 --reset --user user1
Login Failures Latest failure From
user1 9 04/10/21 23:36:56 192.168.0.152
Next if you check the active failed login attempt count, the output would be empty which means your user is unlocked and you can try to login again:
~]# pam_tally2
Summary
In this article I have tried to cover the different scenarios under which a user account can get locked, and the steps to unlock the user account in each case. Things get really complicated when the root user gets locked out, so you must always have a backup plan when you set up such features, for example allowing console-based root access. Most of these settings apply to SSH-based access or to su- and sudo-based access, so for the worst case you can allow console-based access for the root user so that it can login and unlock itself.
Further Readings
How to check the lock status of any user account in Linux
man page of pam_tally2
man page of pam_faillock
Great explanation for passwd options to check/modify user password lock. I’ve not seen any help for a user locked out during initial boot up login. Simply cannot login as user1. User2 and root can login. I’ve modified /etc/lightdm/lightdm.conf to enable autologin-user=user1 but still not able to pass the initial boot up login screen. I can get remote access with ssh as user1 with password. Using Linux MX21.