How to reset the account after crossing MaxAuthTries
Hi All,
I have a test account through which i am not able to login to the server xxx from server yyy. Receiving the below error.
[root@yyy ~]# ssh test@xxx
Authorized users only. All activity may be monitored and reported.
Received disconnect from xxx: 2: Too many authentication failures for test
But I am successfully able to login to the server xxx from other servers and putty session directly.
my MaxAuthTries is set to 4.
Can someone help me to fix this issue.
Responses
Guru
6435 points
Depending on EL version in use (and whether you enabled the functionality - check your /etc/pamd.d/auth* files for a "pam_tally" line) this can be coming from either pam_tally or pam_tally2: if you're on EL6, it's pam_tally2; if you're on EL 5.x - where X < 5/6, you're likely on pam_tally. Should be able to reset with pam_tally --reset --user <USERNAME> or pam_tally2 --reset --user <USERNAME>.
Guru
6827 points
To add on to the good tip from Tom Jones above, if you do (as Tom said, EL version depending)
"pam_tally --reset" (or pam_tally2 --reset) that will do all users.
Guru
6435 points
If your system's bound against a large central authentication source, not specifying the user is a Bad Idea(TM). Nothing like telling RedHat to do that kind of operation when the backing authentication store is 50-300,000 users in size.
Guru
6827 points
Love the use of (TM) there.
That's a valid point if you have thousands of users indeed, or centralized accounts.
I was thinking though of a specific server in my environment where only a few known people are allowed to log in - but that's a valid point you bring up Tom. the addition of the --user directive is a very good practice.
Guru
6435 points
Other than console, only real login method to our Linux systems is via SSH. ILO/OA allow you to AD-integrate but limit who can do what (by group) - so only a very few people have access to physical remote consoles. Similar for ESX vConsoles. OpenSSH's AllowGroups option is good for restricting SSH logins.
Even so, the AD integration utilities see the entire namespace. Not using the --user flag results in pam_tally going out to lunch for quite a long time. :p
Guru
6827 points
Good point there...
Tom,
do you (or anyone else) know an easier method to list locked accounts than the below (for centralized accounts like ldap)?
The example below has just one locked account, named elvis.
[root@someserver ~]# getent passwd | grep -v nologin | cut -d : -f 1 | perl -ne 'chomp;system("passwd -S $_ | grep locked")'
elvis LK 2014-03-24 0 99999 7 -1 (Password locked.)
Thanks
Guru
6435 points
Depends where they're locked. If it's just a locally-maintained lock, excuting pam_tally2 with no options will list all accounts that have failed login attempts and/or locked accounts. If it's in the centralized auth system, the answer is specific to that central auth store (you have to know what attribute to query for, then issue an appropriate query against the remote store).
It happened for root, How can I fix this?
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.