5 effective ways to unlock user account in Linux


There can be multiple situations wherein your Linux user account may get locked. Some of the possible scenarios can be:

  • Password is explicitly locked by the administrator
  • Account is explicitly locked by the administrator
  • Password was never assigned hence unable to login
  • Multiple failed login attempts (controlled by pam_tally2 or pam_faillock)

We will cover each of the above scenarios and show how to unlock the Linux user account in that situation.

IMPORTANT NOTE:

This article assumes that one of the users in your Linux environment is locked out and that you have root-level access to the respective Linux server, either via sudo, su or a direct root login. If you are stuck in a situation where you don't have such access, you can use the comment box to describe your environment and I can help you unlock your user account based on your requirement.

 

1. Unlock user account when password was never assigned

This is not a typical lockout scenario, but it is definitely a possible one. Many times an administrator creates a user but forgets to assign a password. When that user then tries to log in, they may get "Access denied" and the log may contain "Failed password for XXXX".

First let's check if the password for this user is locked:

~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

Yes, as expected the user account's password seems to be locked. We can try to unlock it using passwd --unlock command:

~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)

Does this mean the user's password is currently empty? That is most likely the case when the user's password was never SET. We can confirm it by checking this user's entry in the /etc/shadow file:

~]# grep user1 /etc/shadow
user1:!!:18727:0:99999:7:::

If you are familiar with the fields of the /etc/shadow file, you know that the second field holds the encrypted password. In our case the second field for user1 contains ONLY two exclamation marks (!!), which means a password was never set for this user.

For example, here is an output snippet for root user where you can see that the second field contains encrypted password:

~]# grep root /etc/shadow
root:$6$2Q02Bth6X33J4pkY$fsAoDYSSd.JjSGfiLyqL3Ux/8UylBydeAkrD02qvPkvUPQs0bt6JJyWqPY4WuP7TKLcS2be.nSWZ9qymbKWUh1::0:99999:7:::

So in such a scenario there is nothing to unlock; just assign a password to this user using

# passwd USER

For example, I will assign password for user1:

[root@server-2 ~]# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

and now I should be able to login with this user:

login as: user1
user1@127.0.0.1's password:
Web console: https://server-2.example.com:9090/ or https://192.168.0.152:9090/

Last failed login: Sat Apr 10 15:28:50 IST 2021 from 10.0.2.2 on ssh:notty
There were 2 failed login attempts since the last successful login.
[user1@server-2 ~]$

 

2. Unlock user account when password is locked

We can also lock a user account by locking the user's password with passwd command. For example here I have locked user1's password:

~]# passwd --lock user1
Locking password for user user1.
passwd: Success

Here,

-l, --lock    This  option  is  used to lock the password of specified account and it is available to root only.
              The locking is performed by rendering the encrypted password into an invalid string (by  prefixing
              the  encrypted  string  with an !). Note that the account is not fully locked - the user can still
              log in by other means of authentication such as the ssh public key authentication.

So as you can see from the man page of passwd, the password is locked but the user can still login using other means such as public key authentication.


To verify if the user account password is locked:

[root@server-2 ~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

You can also check the user entry in /etc/shadow file:

~]# grep user1 /etc/shadow
user1:!!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7:::

As you can see, two exclamation marks have been prepended to the password field, but the output differs from scenario 1 above: here we do have an encrypted password (so the password is not empty), but because the encrypted string has been modified it is no longer a valid hash, hence the user fails to log in.

To unlock user password, we need to use --unlock argument with passwd command:

~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Success

Or you can remove those exclamation marks from the user1 entry in the /etc/shadow file, which also unlocks the user account (if you edit the file by hand, use vipw -s so that /etc/shadow is locked against concurrent changes while you edit it). Then re-verify the status:

~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)

 

3. Unlock user account when account is locked using usermod

We can use following usermod command to lock the password of any Linux user account:

~]# usermod --lock user1

This option is similar to passwd --lock, as the above command prepends a single exclamation mark to the second field of the /etc/shadow entry for the respective user:

~]# grep user1 /etc/shadow
user1:!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7:::

Since the password field now contains an additional character, the stored value is no longer a valid hash and password login for the user is disabled.

The same can be verified using passwd command:

~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

To unlock such user account in Linux, just use --unlock with usermod with the username:

~]# usermod --unlock user1

Or manually remove that exclamation mark from the user1 entry in the /etc/shadow file and re-verify the user account status:

 ~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)

 

4. Unlock user account when account is expired

It is also possible that your user account on the Linux box has expired, in which case you are not allowed to log in. When you try to log in, you may then see the following messages in /var/log/secure:

Apr 10 22:50:01 server-2 sshd[6074]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 22:50:01 server-2 sshd[6074]: fatal: Access denied for user user1 by PAM account configuration [preauth]

So first check the expiry date of the user with the chage command.

In this case the account expiry date of user1 is in the past, so it is expected that the user account is locked. To unlock such a user account, you just have to change the expiry date of this user to a date in the future.

For example the following can be used to set an account to expire in 180 days:

[root@server-2 ~]# chage -E $(date -d +180days +%Y-%m-%d) user1

Now re-check the user's expiry date with the chage command and confirm that it is now in the future.
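Sections 1 to 4 all come down to reading one user's /etc/shadow entry: whether the second field is a bare "!!" (never set), a hash with "!" or "!!" prepended (locked), or a plain hash, and whether the eighth field (account expiry, in days since 1970-01-01) has already passed. The POSIX shell script below is an added example, not code from the article, that performs that classification so you can audit every account at once before deciding between passwd, usermod --unlock and chage -E. The shadow entries it runs on are constructed (the hashes are placeholders, not real crypt output; only the user1 line is the one from section 1), and the day number 18800 (2021-06-22) is an assumed "today" so the result does not depend on when you run it; with no second argument it uses the real current day via date +%s.

```shell
#!/bin/sh
# Added example, not code from the article: classify a /etc/shadow entry the
# way sections 1 to 4 above read it by hand. Runs under POSIX sh.
#
# /etc/shadow fields (colon separated):
#   1 login name   2 encrypted password   3 last change (days since 1970-01-01)
#   4 min age      5 max age              6 warning period
#   7 inactivity   8 account expiry (days since 1970-01-01, empty = never)

# shadow_state ENTRY [TODAY_DAYS]
# Prints "NAME: never-set|locked|expired|ok". TODAY_DAYS defaults to the
# current day number; pass it explicitly to evaluate an entry as of a fixed date.
shadow_state() {
    _entry=$1
    _today=${2:-$(( $(date +%s) / 86400 ))}
    _name=$(printf '%s' "$_entry" | cut -d: -f1)
    _pw=$(printf '%s' "$_entry" | cut -d: -f2)
    _expire=$(printf '%s' "$_entry" | cut -d: -f8)

    case "$_pw" in
        ''|'!!'|'!'|'*')
            # Section 1: no hash at all, nothing to unlock, assign a password
            printf '%s: never-set\n' "$_name"; return 0 ;;
        '!'*)
            # Sections 2 and 3: a hash with "!" or "!!" prepended by
            # passwd --lock / usermod --lock, undo with passwd --unlock
            printf '%s: locked\n' "$_name"; return 0 ;;
    esac

    # Section 4: PAM rejects the account once the expiry day has been reached
    if [ -n "$_expire" ] && [ "$_expire" -gt 0 ] && [ "$_expire" -le "$_today" ]; then
        printf '%s: expired\n' "$_name"; return 0
    fi
    printf '%s: ok\n' "$_name"
}

# shadow_state_of USER [SHADOW_FILE] [TODAY_DAYS]
# Looks the user up in a shadow file (default /etc/shadow, readable by root only).
shadow_state_of() {
    _line=$(grep "^$1:" "${2:-/etc/shadow}") || { printf '%s: no-entry\n' "$1"; return 1; }
    shadow_state "$_line" "$3"
}

# Constructed sample entries; the hashes are placeholders, not real crypt output.
# The user1 line is the never-set entry shown in section 1.
SAMPLE_SHADOW='user1:!!:18727:0:99999:7:::
user2:!!$6$salt$PLACEHOLDERHASH:18727:0:99999:7:::
user3:!$6$salt$PLACEHOLDERHASH:18727:0:99999:7:::
user4:$6$salt$PLACEHOLDERHASH:18727:0:99999:7::18750:
user5:$6$salt$PLACEHOLDERHASH:18727:0:99999:7::18900:'

# Demo: audit the sample entries as of day 18800 (2021-06-22)
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r _l; do
    shadow_state "$_l" 18800
done
```

Run as root against the real file, `shadow_state_of user1` (no file argument) reports the same state that `passwd --status user1` and `chage -l user1` would show, but the script can be looped over every login name in /etc/passwd to find locked or expired accounts in one pass. An "expired" result points you at section 4 (chage -E), "locked" at sections 2 and 3 (passwd --unlock or usermod --unlock), and "never-set" at section 1 (assign a password).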

 

5. Unlock user account when locked after multiple failed login attempts

Now this is a more realistic and common scenario in which a user account gets locked: you forgot the password and kept trying until you finally realised, oh shit, my account is locked.

By default this feature is provided by either the pam_tally2 or the pam_faillock PAM module. To check which module is available in your environment you can use:

~]# rpm -ql pam | grep -E 'faillock|tally2'

Sample output from a Linux server with both modules:

[root@server ~]# rpm -ql pam | grep -E 'faillock|tally2'
/usr/lib64/security/pam_faillock.so
/usr/lib64/security/pam_tally2.so
/usr/sbin/faillock
/usr/sbin/pam_tally2
/usr/share/doc/pam-1.1.8/html/sag-pam_tally2.html
/usr/share/doc/pam-1.1.8/txts/README.pam_faillock
/usr/share/doc/pam-1.1.8/txts/README.pam_tally2
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/usr/share/man/man8/pam_tally2.8.gz
/var/run/faillock

In this case I have both modules installed on my server, so you must unlock the user account with the same module that was used to lock it. In later distributions only one of the two modules may be shipped.

For example, here only pam_faillock module is available:

 ~]# rpm -ql pam | grep -E 'faillock|tally2'
/etc/security/faillock.conf
/usr/lib64/security/pam_faillock.so
/usr/sbin/faillock
/usr/share/doc/pam/txts/README.pam_faillock
/usr/share/man/man5/faillock.conf.5.gz
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/var/run/faillock

Here we don't have pam_tally2 module so we will only use faillock module.

 

5.1 Using pam_faillock module

Assuming your admin is using pam_faillock to lock user accounts, you can run faillock from the terminal as the root user to list the recorded failed login attempts per user.

Here I have intentionally entered a wrong password to lock the user1 account; this can be confirmed in /var/log/secure:

Apr 10 23:07:43 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=user1
Apr 10 23:07:43 server-2 sshd[11752]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked

To unlock the user account here we will again use faillock command as shown below:

[root@server-2 ~]# faillock --user user1 --reset

Now the history of failed login attempts for user1 is cleared, so user1 can log back in:

~]# faillock
user1:
When                Type  Source                                           Valid
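Before resetting a tally it is worth confirming from the log what actually happened: how many consecutive failures each user accumulated, from which source address, and whether pam_faillock itself reported the lockout. The POSIX shell function below is an added example, not code from the article, that reconstructs per-user failure streaks from /var/log/secure lines like the ones shown above with awk. The log lines it runs on are constructed, modelled on the article's samples; the threshold argument is compared against the streak length (3 is the default deny value in faillock.conf). A successful "Accepted" login for a user clears that user's streak, mirroring the way pam_faillock clears the tally after a successful authentication.

```shell
#!/bin/sh
# Added example, not code from the article: reconstruct consecutive sshd
# password failures per user from /var/log/secure style lines. POSIX sh + awk.

# failed_streaks [DENY]   (reads log lines on stdin)
# Prints "USER COUNT SOURCE FLAG" for every user whose current run of
# consecutive failures reaches DENY (default 3). FLAG is "faillock-locked"
# when pam_faillock logged a lockout for that user, otherwise "-".
failed_streaks() {
    awk -v deny="${1:-3}" '
        /: Failed password for / {
            # sshd logs one of these per attempt; the user name follows
            # "Failed password for " and, for unknown accounts, "invalid user "
            rest = substr($0, index($0, "Failed password for ") + 20)
            n = split(rest, w, " ")
            user = (w[1] == "invalid" && w[2] == "user") ? w[3] : w[1]
            src = "?"
            for (k = 1; k <= n; k++) if (w[k] == "from") { src = w[k + 1]; break }
            fails[user]++
            from[user] = src
            next
        }
        /: Accepted / {
            # successful login (password or publickey) resets the streak
            n = split($0, w, " ")
            for (k = 1; k <= n; k++)
                if (w[k] == "for") { delete fails[w[k + 1]]; delete locked[w[k + 1]]; break }
            next
        }
        /Consecutive login failures for user / {
            # pam_faillock reporting that it has temporarily locked the account
            rest = substr($0, index($0, "for user ") + 9)
            split(rest, w, " ")
            locked[w[1]] = 1
        }
        END {
            for (u in fails)
                if (fails[u] >= deny)
                    printf "%s %d %s %s\n", u, fails[u], from[u],
                           (u in locked) ? "faillock-locked" : "-"
        }'
}

# Constructed sample log, modelled on the /var/log/secure lines in the article.
SAMPLE_SECURE_LOG='Apr 10 23:07:40 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=user1
Apr 10 23:07:40 server-2 sshd[11752]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 23:07:42 server-2 sshd[11752]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 23:07:43 server-2 sshd[11752]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 23:07:43 server-2 sshd[11752]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked
Apr 10 23:08:01 server-2 sshd[11790]: Failed password for user2 from 10.0.2.2 port 51140 ssh2
Apr 10 23:08:05 server-2 sshd[11790]: Accepted password for user2 from 10.0.2.2 port 51140 ssh2
Apr 10 23:09:12 server-2 sshd[11820]: Failed password for invalid user admin from 10.0.2.9 port 51200 ssh2'

# Demo: which users have hit the default threshold of 3?
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_streaks 3 | sort
```

On a real server run it as `failed_streaks 3 < /var/log/secure | sort`. Only sshd's "Failed password" lines are counted, one per attempt, rather than the pam_unix "authentication failure" lines, so an attempt is never counted twice. The output tells you whether a user really hit the threshold on their own (a forgotten password from their usual address) or whether the failures came from elsewhere, which is worth knowing before you run `faillock --user USER --reset` and hand the account back.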

 

5.2 Using pam_tally2 module

If you are using pam_tally2 module to count login attempts and allow or deny a user login then you must also use pam_tally2 to unlock a user account in Linux. For example, here user1 is locked after multiple failed login attempts:

 ~]# pam_tally2
Login           Failures Latest failure     From
user1               9    04/10/21 23:36:56  192.168.0.152

So to reset the failed login attempts we use:

~]# pam_tally2 --reset --user user1
Login           Failures Latest failure     From
user1               9    04/10/21 23:36:56  192.168.0.152

If you now check the active failed-login counts, the output is empty, which means your user is unlocked and can try to log in again:

 ~]# pam_tally2

 

Summary

In this article I have tried to cover the different scenarios under which a user account can get locked and the steps to unlock it in each case. Things get really complicated when the root user gets locked out, so you must always have a backup plan when setting up such features, for example by allowing console-based root access. Most of these settings apply to SSH-based access or to su and sudo, so for the worst case you can allow console access for the root user so that it can log in and unlock itself.

 

Further Readings

How to check the lock status of any user account in Linux
man page of pam_tally2
man page of pam_faillock

 
