A common Linux security feature is locking a user’s account for some time after several failed sign-in attempts. This is done to prevent brute force attacks, by not allowing a large number of sign-in attempts in a short period. However, it’s possible that a user legitimately attempting to sign in may get locked out after incorrectly entering their password.
In this tutorial, we’ll discuss a couple of ways to unlock an account when this happens. The specific ways to do so vary based on the system and what software it uses. We’ll cover faillock and pam_tally2, two typical implementations of this security feature. We’ll look both at ways that work with any root access, and ways that work with filesystem access.
2. With faillock
Some systems inform a user attempting to log in to a locked account:
examplesystem login: baeldung
The account is locked due to 3 failed logins.
(10 minutes left to unlock)
Password:
Many systems don't display this message. So an account may be locked and only display "Login incorrect", even when the correct password is entered:
examplesystem login: baeldung
Password:
Login incorrect
examplesystem login:
This is deliberately indistinguishable from an incorrect password to prevent an attacker from discerning what accounts exist on the system.
Checking a user’s locked status or unlocking a user requires access to a different account with root permissions.
Running faillock without any arguments lists all tracked login attempts from all users:
# faillock
baeldung:
When                Type  Source                                           Valid
2022-06-21 18:32:16 RHOST 192.168.0.22                                     V
2022-06-21 18:32:29 RHOST 192.168.0.22                                     V
2022-06-21 18:32:41 RHOST 192.168.0.22                                     V
user:
When                Type  Source                                           Valid
2022-06-21 19:12:23 TTY   pts/0                                            V
There’s a lot there, so let’s break it down. The output contains sections for each user. Here, there are two sections, for the users baeldung and user.
Each row contains one failed login attempt. The first column, When, is the time of the login attempt.
The second, Type, is the type of the login attempt. Two common types are TTY and RHOST, for a login from a local terminal or from a remote host (for example, over SSH).
The third column, Source, is the origin of the attempt. For local attempts, it will usually be pts/0, for pseudo-terminal 0, and for remote attempts, an IP address.
The last column, Valid, shows either V or I, denoting valid or invalid. This tells whether the attempt still counts toward locking the account. For example, an attempt older than the fail_interval is marked as invalid.
2.1. Checking the Locked Status of a User
We can specify a user to faillock with the --user option.
Let's look at just baeldung's logs:
# faillock --user baeldung
baeldung:
When                Type  Source                                           Valid
2022-06-21 18:32:16 RHOST 192.168.0.22                                     V
2022-06-21 18:32:29 RHOST 192.168.0.22                                     V
2022-06-21 18:32:41 RHOST 192.168.0.22                                     V
This restricts faillock to a single user, so the output only includes baeldung's entries.
Most systems will lock an account after three failed attempts in 15 minutes. As such, the baeldung user is locked in the previous output. This threshold comes from the deny setting in faillock's configuration file:
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 3
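To turn the columns described above into a lockout check, the following added script (not from the original article) parses plain faillock output and reports which users have reached the deny threshold; the sample output is constructed to match the format shown earlier and includes one I row to show that invalid attempts are not counted.

```shell
#!/bin/sh
# Added example: parse `faillock` output and list users at the deny threshold.
# SAMPLE_FAILLOCK_OUTPUT is constructed data; on a real system the text would
# come from running `faillock` as root.

SAMPLE_FAILLOCK_OUTPUT='baeldung:
When                Type  Source                                           Valid
2022-06-21 18:32:16 RHOST 192.168.0.22                                     V
2022-06-21 18:32:29 RHOST 192.168.0.22                                     V
2022-06-21 18:32:41 RHOST 192.168.0.22                                     V
user:
When                Type  Source                                           Valid
2022-06-21 19:12:23 TTY   pts/0                                            V
2022-06-21 19:15:02 TTY   pts/0                                            I
'

# count_valid_failures: read faillock output on stdin and print
# "<user> <count>" per user section, counting only rows whose Valid
# column is V (rows marked I are older than fail_interval and ignored).
count_valid_failures() {
    awk '
        /^[^ ]+:$/            { user = substr($1, 1, length($1) - 1); count[user] = 0; next }
        $1 == "When"          { next }          # column header line
        NF >= 4 && $NF == "V" { count[user]++ }
        END { for (u in count) print u, count[u] }
    ' | sort
}

# locked_users: read faillock output on stdin and print users whose valid
# failure count has reached the deny threshold (3 by default, as above).
locked_users() {
    deny="${1:-3}"
    count_valid_failures | awk -v deny="$deny" '$2 >= deny { print $1 }'
}

# Stand-alone usage: prints "baeldung" for the constructed sample.
printf '%s' "$SAMPLE_FAILLOCK_OUTPUT" | locked_users 3
```

Feeding the script the real output of `faillock` (run as root) gives an audit of who is currently locked before any reset is performed.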
2.2. Unlocking Account Using faillock
To unlock a user, we can call faillock with the --reset flag. Combining this with the --user flag unlocks a specific user.
Let’s use that on the user baeldung:
# faillock --user baeldung --reset
This command doesn’t return any output when it succeeds.
2.3. Unlocking Account Using /var/run/faillock File
Sometimes there can be a situation where it’s easiest to alter the filesystem to unlock a user. If so, we can delete the files that faillock uses to track a user’s login attempts.
Let’s look at those files as they existed in the example above. The default directory in which faillock stores these files is /var/run/faillock. Listing them with ls shows:
$ ls /var/run/faillock
baeldung  user
This shows the logs for the users user and baeldung.
To unlock baeldung, we can delete the corresponding log with rm:
# rm /var/run/faillock/baeldung
This removes the logged failed attempts, so faillock no longer considers the user locked.
3. With pam_tally2
Let’s check the status of the user baeldung, using the same syntax as faillock:
# pam_tally2 --user baeldung
Login           Failures Latest failure     From
baeldung            3    06/21/22 18:32:37  pts/0
A difference from faillock is that pam_tally2 only shows data for the latest attempt. Let's go over the information presented in each column.
The first column shows the target username of the login attempt. The second column gives the current number of counted failed attempts, similar to faillock's Valid column. Next, we see the date and time of the most recent attempt in the third column. Lastly, the From column is similar to faillock's Source column. It shows the origin of the attempt, usually pts/0 or an IP address.
3.1. Unlocking Account Using pam_tally2
Let’s now unlock baeldung:
# pam_tally2 --user baeldung --reset
Login           Failures Latest failure     From
baeldung            3    06/21/22 18:32:37  pts/0
pam_tally2 reports the log of failed attempts before the reset when it succeeds.
3.2. Unlocking Account Using /var/log/tallylog File
Like faillock, pam_tally2 lets us reset a user by deleting the file where it stores login attempts.
In contrast to faillock, however, pam_tally2 keeps a single file for all users, so deleting it resets every user rather than just one.
By default, this file is located at /var/log/tallylog. Removing it would reset all login attempts:
# rm /var/log/tallylog
In this article, we discussed how to unlock users locked out due to failed login attempts. We looked at doing so with faillock and pam_tally2, and methods that only used filesystem changes.