1. Overview
A common Linux security feature is locking a user’s account for some time after several failed sign-in attempts. This is done to prevent brute force attacks, by not allowing a large number of sign-in attempts in a short period. However, it’s possible that a user legitimately attempting to sign in may get locked out after incorrectly entering their password.
In this tutorial, we’ll discuss a couple of ways to unlock an account when this happens. The specific ways to do so vary based on the system and what software it uses. We’ll cover faillock and pam_tally2, two typical implementations of this security feature. We’ll look both at ways that work with any root access, and ways that work with filesystem access.
2. With faillock
The command faillock manages the pam_faillock module, which handles user login attempts and locking on many distributions.
Some systems inform a user attempting to log in to a locked account:
examplesystem login: baeldung
The account is locked due to 3 failed logins.
(10 minutes left to unlock)
Password:
Many systems don’t display this message. Instead, a locked account simply shows “Login incorrect”, even when the correct password is entered:
examplesystem login: baeldung
Password:
Login Incorrect
examplesystem login:
This is deliberately indistinguishable from an incorrect password to prevent an attacker from discerning what accounts exist on the system.
Checking a user’s locked status or unlocking a user requires access to a different account with root permissions.
Running faillock without any arguments lists all tracked login attempts from all users:
# faillock
baeldung:
When Type Source Valid
2022-06-21 18:32:16 RHOST 192.168.0.22 V
2022-06-21 18:32:29 RHOST 192.168.0.22 V
2022-06-21 18:32:41 RHOST 192.168.0.22 V
user:
When Type Source Valid
2022-06-21 19:12:23 TTY pts/0 V
There’s a lot there, so let’s break it down. The output contains sections for each user. Here, there are two sections, for the users baeldung and user.
Each row contains one failed login attempt. The first column, When, is the time of the login attempt.
The second, Type, is the type of the login attempt. Two common types are TTY and RHOST, for a login from a TTY shell or remote host, for example, over SSH.
The third column, Source, is the origin of the attempt. For local attempts, it will usually be pts/0, for pseudo-terminal 0, and for remote attempts, an IP address.
The last column, Valid, shows either V or I, denoting valid or invalid. This tells whether the attempt counts toward locking the account. For example, an attempt older than the fail_interval will be marked as invalid.
2.1. Checking the Locked Status of a User
We can specify a user to faillock with the --user option.
Let’s look at just baeldung‘s logs:
# faillock --user baeldung
baeldung:
When Type Source Valid
2022-06-21 18:32:16 RHOST 192.168.0.22 V
2022-06-21 18:32:29 RHOST 192.168.0.22 V
2022-06-21 18:32:41 RHOST 192.168.0.22 V
This restricts faillock to a single user, so the output contains only that user’s section.
Most systems will lock an account after three failed attempts in 15 minutes. As such, the baeldung user is locked in the previous output.
To check if a system is configured to allow more or less than the usual three failed logins, we can check the value of deny in the /etc/security/faillock.conf file:
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 3
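The following is an added example, not part of the original tutorial: a small Python script that parses the faillock output format described above and applies the deny and fail_interval settings from faillock.conf to decide which users are currently locked. The sample output, the current time and the fail_interval value of 900 seconds (15 minutes) are constructed for the example; unlock_time (the automatic expiry of a lock) is not modelled.

```python
from datetime import datetime, timedelta

# Constructed sample of `faillock` output (not captured from a real host).
# One attempt for "user" is outside the 15-minute window and one is marked I.
SAMPLE_OUTPUT = """\
baeldung:
When                Type  Source          Valid
2022-06-21 18:32:16 RHOST 192.168.0.22    V
2022-06-21 18:32:29 RHOST 192.168.0.22    V
2022-06-21 18:32:41 RHOST 192.168.0.22    V
user:
When                Type  Source          Valid
2022-06-21 18:20:00 TTY   pts/0           V
2022-06-21 18:30:00 TTY   pts/0           I
2022-06-21 18:35:00 TTY   pts/0           V
"""

# Constructed "current time" for the sample; a real script would use datetime.now().
NOW = datetime(2022, 6, 21, 18, 40, 0)


def parse_faillock(text):
    """Return {user: [(when, type, source, valid), ...]} from faillock output."""
    records = {}
    user = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.endswith(":") and not line.startswith(" "):
            user = line[:-1]          # "baeldung:" starts a new user section
            records[user] = []
            continue
        if line.startswith("When") or user is None:
            continue                  # column header
        parts = line.split()          # Source never contains spaces (IP or pts/N)
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records[user].append((when, parts[2], parts[3], parts[4] == "V"))
    return records


def is_locked(attempts, now, deny=3, fail_interval=900):
    """faillock.conf semantics: locked when at least `deny` valid failures
    fall inside the last `fail_interval` seconds."""
    window_start = now - timedelta(seconds=fail_interval)
    recent = [a for a in attempts if a[3] and a[0] >= window_start]
    return len(recent) >= deny


def locked_users(text, now, deny=3, fail_interval=900):
    """Sorted list of users that are locked under the given policy."""
    parsed = parse_faillock(text)
    return sorted(u for u, a in parsed.items() if is_locked(a, now, deny, fail_interval))
```

Piping live output into it (for example `faillock | python3 check_locks.py` with a stdin-reading wrapper) lets an administrator audit lockouts under the policy actually configured in /etc/security/faillock.conf.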
2.2. Unlocking Account Using faillock
To unlock a user, we can call faillock with the --reset flag. Combining this with the --user flag unlocks a specific user.
Let’s use that on the user baeldung:
# faillock --user baeldung --reset
This command doesn’t return any output when it succeeds.
2.3. Unlocking Account Using /var/run/faillock File
Sometimes there can be a situation where it’s easiest to alter the filesystem to unlock a user. If so, we can delete the files that faillock uses to track a user’s login attempts.
Let’s look at those files as they existed in the example above. The default directory in which faillock stores these files is /var/run/faillock. Listing them with ls shows:
$ ls /var/run/faillock
baeldung
user
This shows logs for the users user and baeldung.
To unlock baeldung, we can delete the corresponding log with rm:
# rm /var/run/faillock/baeldung
With the file gone, faillock no longer sees any logged failed attempts for baeldung, so the user is unlocked.
3. With pam_tally2
Though pam_tally2 is deprecated in favor of faillock, some systems still use it. While pam_tally2 and faillock behave similarly, there are some differences.
Let’s check the status of the user baeldung, using the same syntax as faillock:
# pam_tally2 --user baeldung
Login Failures Latest failure From
baeldung 3 06/21/22 18:32:37 pts/0
A difference from faillock is that pam_tally2 only shows the latest attempt rather than every attempt. Let’s go over the information presented in each column.
The first column shows the target username of the login attempt. The second column gives the current number of counted failed attempts, similar to the number of V rows in faillock’s Valid column. Next, we see the date and time of the most recent attempt in the third column. Lastly, the From column is similar to faillock’s Source column. It shows the origin of the attempt, usually pts/0 or an IP address.
3.1. Unlocking Account Using pam_tally2
Let’s now unlock baeldung:
# pam_tally2 --user baeldung --reset
Login Failures Latest failure From
baeldung 3 06/21/22 18:32:37 pts/0
pam_tally2 reports the log of failed attempts before the reset when it succeeds.
3.2. Unlocking Account Using /var/log/tallylog File
Also, like faillock, we can delete the file where pam_tally2 stores login attempts to reset a user.
In contrast, pam_tally2 uses a single file for all users, so we cannot reset just one user by deleting the file.
By default, this file is located at /var/log/tallylog. Removing it would reset all login attempts:
# rm /var/log/tallylog
4. Conclusion
In this article, we discussed how to unlock users locked out due to failed login attempts. We looked at doing so with faillock and pam_tally2, and methods that only used filesystem changes.