How to unlock a user in Linux/Solaris?

As a Linux/Unix administrator, you must know when the OS locks a user and how this is done. Linux governs user activity before system login via PAM (Pluggable Authentication Modules). PAM makes it possible to count the number of failed attempts by a user and to decide what happens when the failed attempts reach a limit. User authentication by other programs, such as the screensaver on Ubuntu/Linux, is also governed by PAM.

Suppose a user is not able to log in and you want to troubleshoot the issue. The first step is to check whether this user is locked or not. This can easily be analysed by viewing the passwd and shadow files.
  
	   
  
1. Check the user details to see whether the correct shell is specified for the user. This can be done with the finger command, or by looking at the passwd/shadow files.

Here you can check whether a nologin shell is assigned to the user, which would be preventing the login, or whether the account is locked, by viewing the shadow entry. If the user is assigned a nologin shell, you can change the shell to bash/sh to allow the user to log in.
  
	   
  
	root@egi:~# cat /etc/passwd /etc/shadow | grep -i saket  
  
	saket:x:56516:56516::/home/saket:/bin/sh  
  
	saket:$6$1zSAb260$r4VdJTeJ5m/3EbaoiTxi5BwZ7.79GM6bxjPnGXuvrTgDF0jxvm53yh1GIYcWrCwZWSWvRSXidPJt0sAR4dKTL1:15743:0:99999:7:::  
  
If the shell and password entry are fine, then we move ahead.

Had the account been locked, you would have seen an entry like the one below.
  
root@egi:~# cat /etc/shadow | grep -i saket:

saket:!$6$1zSAb260$r4VdJTeJ5m/3EbaoiTxi5BwZ7.79GM6bxjPnGXuvrTgDF0jxvm53yh1GIYcWrCwZWSWvRSXidPJt0sAR4dKTL1:15743:0:99999:7:::     # in Linux

saket:*LK*:15743:0:99999:7:::    # in Solaris
  
In this case, you can unlock the user with the command below.
  
	root@egi:~# passwd -u saket  
  
	passwd: password expiry information changed.  
  
	   
  
2. After checking the shell and shadow entry to find out whether the account was explicitly locked by the system admin, we can now check whether it was locked automatically by the system. If the login is still prevented, we can check the number of failed login attempts by the user. This can be done using either the pam_tally or the faillog command, whichever is present on our OS. Usually Linux has pam_tally and Solaris has faillog, which come along with the OS and allow us to see the count and unlock the user whenever required.

Linux locks a user whenever the failed login attempts reach a specified limit, which is 3 by default on an OS. We can see the failed login attempts using the command below.
  
	   
  
	root@egi:~# faillog -a | head  
  
	Login       Failures Maximum Latest                   On  
  
	root            0        0   01/01/70 05:30:00 +0530    
  
	goodday         0        0   01/01/70 05:30:00 +0530    
  
	daemon          0        0   01/01/70 05:30:00 +0530    
  
	bin             0        0   01/01/70 05:30:00 +0530    
  
	sys             0        0   01/01/70 05:30:00 +0530    
  
	sync            0        0   01/01/70 05:30:00 +0530    
  
	games           0        0   01/01/70 05:30:00 +0530    
  
	man             0        0   01/01/70 05:30:00 +0530    
  
	   
  
	root@egi:~# pam_tally  
  
	root@egi:~#  
  
	   
  
3. If you see a faillog count of more than 3 for any user, it means the user has been locked by the OS to prevent hacking/brute-force attacks on the system.

To reset this count, one can run the commands below.
  
	   
  
# faillog -r -u saket    # reset the faillog count for the specific user named "saket"

# faillog -r             # reset the faillog count for all users

If your system has the pam_tally binary instead, you can issue the command below.

# pam_tally --reset
  
	   
  
This resets the failure count on the system, and the user should now be able to log in without any issues. If the issue still persists, the cause is something other than user management: it may involve a bad SSH key, a restricted user/host event, etc.
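Putting the three checks together, as an added example that is not part of the original post: a small POSIX shell script that takes a passwd line, a shadow line and faillog's Failures/Maximum values and reports why a login is refused. The sample entries are constructed (the hash is shortened) and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the three checks above on
# text passed in as arguments, so it works offline on constructed sample lines.
# On a real host, feed it `getent passwd saket`, `grep '^saket:' /etc/shadow`
# and the Failures/Maximum columns of `faillog -u saket`.

# shell_status <passwd line> -> "nologin" or "ok" (field 7 is the login shell)
shell_status() {
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) echo "nologin" ;;
        *)                 echo "ok" ;;
    esac
}

# lock_status <shadow line> -> locked-linux | locked-solaris | no-password | ok
lock_status() {
    hash=$(printf '%s' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*)    echo "locked-linux" ;;    # Linux passwd -l prefixes the hash with "!"
        '*LK*'*) echo "locked-solaris" ;;  # Solaris passwd -l writes *LK*
        '*'|'')  echo "no-password" ;;     # no usable password at all
        *)       echo "ok" ;;
    esac
}

# faillog_status <failures> <maximum> -> tally-locked | ok
# faillog only enforces a limit when Maximum is greater than 0.
faillog_status() {
    if [ "$2" -gt 0 ] && [ "$1" -ge "$2" ]; then
        echo "tally-locked"
    else
        echo "ok"
    fi
}

# diagnose <passwd line> <shadow line> <failures> <maximum>
# Prints the first reason found, in the order the post checks them, or "ok".
diagnose() {
    r=$(shell_status "$1"); [ "$r" = ok ] || { echo "$r"; return 0; }
    r=$(lock_status "$2");  [ "$r" = ok ] || { echo "$r"; return 0; }
    faillog_status "$3" "$4"
}

# Constructed sample entries (hash shortened; not a real account)
PASSWD_OK='saket:x:56516:56516::/home/saket:/bin/sh'
PASSWD_NOLOGIN='saket:x:56516:56516::/home/saket:/usr/sbin/nologin'
SHADOW_OK='saket:$6$1zSAb260$r4VdJTeJ5m:15743:0:99999:7:::'
SHADOW_LINUX_LOCK='saket:!$6$1zSAb260$r4VdJTeJ5m:15743:0:99999:7:::'
SHADOW_SOLARIS_LOCK='saket:*LK*:15743:0:99999:7:::'
diagnose "$PASSWD_OK" "$SHADOW_LINUX_LOCK" 0 0   # prints: locked-linux
```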
