How to unlock a user in Linux/Solaris?
As a Linux/Unix administrator, you must know when the OS locks a user and how this is done. Linux governs user activity before system login via PAM, the Pluggable Authentication Modules. PAM makes it possible to count the number of failed login attempts by a user and to decide what to do when the failed attempts reach a limit. User authentication by other programs, such as the screensaver in Ubuntu/Linux, is also governed by PAM.
Suppose a user is not able to log in and you want to troubleshoot the issue. The first step is to check whether this user is locked or not. This can easily be determined by viewing the passwd and shadow files.
1. Check the user details to see whether the correct shell is specified for the user. This can be done with the finger command or by looking at the passwd/shadow files.
Here you can check whether a nologin shell is assigned to the user, which is preventing the login, or whether the account is locked, by viewing the shadow entry. If the user is assigned a nologin shell, you can change the shell to bash/sh to allow the user to log in.
root@egi:~# cat /etc/passwd /etc/shadow | grep -i saket
If the shell and password entry are fine, we move ahead.
If the account was locked, you would have seen an entry like the one below.
root@egi:~# cat /etc/shadow | grep -i saket:
saket:!$6$1zSAb260$r4VdJTeJ5m/3EbaoiTxi5BwZ7.79GM6bxjPnGXuvrTgDF0jxvm53yh1GIYcWrCwZWSWvRSXidPJt0sAR4dKTL1:15743:0:99999:7::: #########IN LINUX
saket:*LK*:15743:0:99999:7::: ############ IN SOLARIS
In this case, you can unlock the user with the command below.
root@egi:~# passwd -u saket
passwd: password expiry information changed.
2. After checking the shell and the shadow entry to learn whether the account was explicitly locked by the system administrator, we can check whether it was locked automatically by the system. If the login is still prevented, we can check the number of failed login attempts by the user. This is done with either the pam_tally or the faillog command, whichever is present on our OS. Usually Linux has pam_tally and Solaris has faillog shipped with the OS, which lets us see the count and unlock the user whenever required.
The Linux OS locks a user whenever the failed login attempts reach a specified limit, which is 3 by default. We can see the failed login attempts with the command below.
root@egi:~# faillog -a | head
Login Failures Maximum Latest On
root 0 0 01/01/70 05:30:00 +0530
goodday 0 0 01/01/70 05:30:00 +0530
daemon 0 0 01/01/70 05:30:00 +0530
bin 0 0 01/01/70 05:30:00 +0530
sys 0 0 01/01/70 05:30:00 +0530
sync 0 0 01/01/70 05:30:00 +0530
games 0 0 01/01/70 05:30:00 +0530
man 0 0 01/01/70 05:30:00 +0530
3. If you see a faillog count greater than 3 for any user, it means the user has been locked by the OS to prevent a hacking/brute-force attack on the system.
To reset this count, run one of the commands below.
# faillog -r -u saket ######### To reset faillog count for the specific user named “saket”
# faillog -r ###### To reset faillog count for all users.
If the pam_tally binary is present instead, one can issue the command below.
# pam_tally --reset
This resets the failure count on the system, and the user can now log in. The user should now be able to log in without any issues. If the issue still persists, then the cause lies outside user management: it may involve a bad SSH key, a restricted user/host setting, or something similar.
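As an added example (not part of the original post), the following POSIX shell script automates the checks above: it classifies an account from its passwd/shadow entries (nologin shell, Linux "!" lock, Solaris *LK* lock) and flags a user whose faillog count has reached the limit. The sample passwd, shadow and faillog lines are constructed, and the hashes are placeholders.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/passwd and /etc/shadow.
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
saket:x:1001:1001::/home/saket:/bin/bash
deploy:x:1002:1002::/home/deploy:/usr/sbin/nologin
oper:x:1003:1003::/home/oper:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
saket:!$6$1zSAb260$PLACEHOLDERHASH:15743:0:99999:7:::
deploy:$6$abcd$PLACEHOLDERHASH:15743:0:99999:7:::
oper:*LK*:15743:0:99999:7:::
alice:$6$efgh$PLACEHOLDERHASH:15743:0:99999:7:::
EOF
# Constructed lines in the format printed by `faillog -a`.
FAILLOG_SAMPLE='Login       Failures Maximum Latest                   On
saket           4        3   01/01/70 05:30:00 +0530
oper            0        0   01/01/70 05:30:00 +0530'

# account_status USER PASSWD_FILE SHADOW_FILE
# Prints one of: nologin-shell | locked | ok | unknown
account_status() {
  shell=$(awk -F: -v u="$1" '$1==u {print $7}' "$2")
  pwfield=$(awk -F: -v u="$1" '$1==u {print $2}' "$3")
  [ -n "$shell" ] || { echo unknown; return 0; }
  case "$shell" in
    */nologin|*/false) echo nologin-shell; return 0 ;;
  esac
  case "$pwfield" in
    '!'*|'*LK*'*) echo locked ;;   # Linux "!" prefix or Solaris *LK* marker
    *)            echo ok ;;
  esac
}

# faillog_status USER LIMIT   (reads `faillog -a` output on stdin)
# Prints locked-by-faillog once the failure count has reached LIMIT.
faillog_status() {
  awk -v u="$1" -v lim="$2" '
    NR > 1 && $1 == u { found = 1
      if ($2 + 0 >= lim + 0) print "locked-by-faillog"; else print "ok" }
    END { if (!found) print "unknown" }'
}

# Stand-alone run over the constructed samples (ghost is an unknown user).
for u in saket deploy oper alice ghost; do
  printf '%s: %s\n' "$u" "$(account_status "$u" "$PASSWD_SAMPLE" "$SHADOW_SAMPLE")"
done
printf '%s\n' "$FAILLOG_SAMPLE" | faillog_status saket 3
```

On a real host, run account_status against /etc/passwd and /etc/shadow as root, and pipe the live `faillog -a` output into faillog_status.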