How to unlock an account disabled with pam_lastlog

The system is set up to disable an account that has been inactive for X number of days using the pam_lastlog module. Once the user is in that situation, how can the root user re-enable the user's account? I looked at faillock, pam_tally2, and passwd -u. Nothing seems to work; the user is still prevented from accessing the system. This is on a RHEL 6.7 system.

Responses

Did you try:

/usr/sbin/pam_tally2 --user=username --reset

I did try that before. /var/log/secure still shows that user cannot log in due to an inactive account.

This works for me:

cat /dev/null > /var/log/lastlog

Be aware that if you null or delete that log-file, you're impacting the tracking of all users, not just the targeted user. If you're only trying to undisable one user (or otherwise only reset the clock for specific users), this may not be the best approach.
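To make the point above concrete, here is an added example (not part of the original thread) that inspects and zeroes a single UID's record instead of truncating the whole file. It assumes the Linux glibc `struct lastlog` layout (292-byte records indexed by UID); the function names are illustrative, and a zeroed record reads as "no recorded login", the same state truncation produces for every user.

```python
import os
import struct
import tempfile
import time

# Linux <bits/utmp.h> struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256]
RECORD = struct.Struct("=i32s256s")  # 292 bytes, one slot per UID (assumed layout)


def read_entry(path, uid):
    """Return (ll_time, tty, host) for uid; ll_time 0 means no recorded login."""
    with open(path, "rb") as f:
        f.seek(uid * RECORD.size)
        raw = f.read(RECORD.size)
    if len(raw) < RECORD.size:  # file ends before this UID's slot: no record
        return 0, "", ""
    ll_time, line, host = RECORD.unpack(raw)
    return ll_time, line.rstrip(b"\0").decode("latin-1"), host.rstrip(b"\0").decode("latin-1")


def days_inactive(path, uid, now=None):
    """Whole days since the recorded login, or None if there is none."""
    ll_time = read_entry(path, uid)[0]
    if ll_time == 0:
        return None
    return int(((now or time.time()) - ll_time) // 86400)


def clear_entry(path, uid):
    """Zero only this UID's record; every other user's record is untouched."""
    with open(path, "r+b") as f:
        if os.fstat(f.fileno()).st_size >= (uid + 1) * RECORD.size:
            f.seek(uid * RECORD.size)
            f.write(b"\0" * RECORD.size)


def demo():
    """Run against a constructed file, not the real /var/log/lastlog."""
    now = 1_700_000_000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        for uid, age in ((0, 1), (1, 120), (2, 3)):  # constructed sample records
            f.write(RECORD.pack(now - age * 86400, b"pts/0", b"host.example"))
    before = [days_inactive(path, u, now) for u in range(3)]
    clear_entry(path, 1)
    after = [days_inactive(path, u, now) for u in range(3)]
    os.unlink(path)
    return before, after
```

On a real system this would be run as root against /var/log/lastlog with the user's numeric UID, after taking a copy of the file.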

What does the chage -l output show?

Probably a silly question, but what proved insufficient about using the standard password aging mechanisms? This use-case seems like something you'd normally resolve by setting aging/expiry policies via chage rather than trying to finagle lastlog.

It turns out this was related to an issue that using su [user] did not update the lastlog data file. I followed this,

https://access.redhat.com/solutions/977213

to correct that issue and was able to reset the login time by using su [user].

@Matthew,

This was definitely the solution. I can verify this because after I secured a box, I went back to administer the box after a long period of time and ran into this issue. I tried resetting the password and all without a good solution. Using that fix worked! Great find!
