The error “Account locked due to XXX failed logins” appears before I enter the login password.
This issue may be caused by the pam_tally2.so configuration in the /etc/pam.d/login file. For VNC login, /etc/pam.d/login is called for authentication, and pam_tally2.so automatically locks the user account, temporarily or permanently, after the specified number of consecutive failed logins. When an account is permanently locked, you need to unlock it manually.
The login account is locked when the number of consecutive failed logins exceeds the configured value. Note that brute force attacks against the account can also cause it to be locked.
The parameters of the pam_tally2 module are described below.
Parameter | Description |
---|---|
deny=n | Lock the account if the number of consecutive failed logins exceeds n. |
lock_time=n | Lock the account for n seconds when the number of consecutive failed logins exceeds the limit. |
unlock_time=n | Unlock the account automatically n seconds later. |
no_lock_time | Do not use the .fail_locktime field in /var/log/faillog. |
magic_root | If the module is invoked by a root user (uid=0), the counter is not incremented. |
even_deny_root | The root user will be locked after deny=n consecutive failed logins. |
root_unlock_time=n | This parameter is required if even_deny_root is configured. It indicates how long the root user is locked when the number of consecutive failed logins exceeds the limit. |
pam_limits.so module.
vim /var/log/secure
This file records security information, mostly CVM login logs. You can check the error logs of pam_tally2 as shown below.
3. Run the following commands in sequence to open the /etc/pam.d directory and search for pam_tally2.
cd /etc/pam.d
find . | xargs grep -ri "pam_tally2" -l
If a result similar to the following figure is returned, pam_tally2 is included in the login file.
4. Run the following command to temporarily comment out the pam_tally2.so configurations. Then you can log in normally.
sed -i "s/.*pam_tally.*/#&/" /etc/pam.d/login
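A read-only check that can be run before commenting anything out, added here as an illustration and not part of the original page: it lists the pam_tally2 options active on the auth lines of a PAM file and flags the settings the parameter table calls out. The function name audit_pam_tally2 and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise active pam_tally2 lockout settings in a PAM file.
# The body runs in a subshell so "set -f" (no globbing) does not leak out.
audit_pam_tally2() (
    set -f
    while read -r type rest || [ -n "$type" ]; do
        # Skip comments (first field starts with '#') and non-auth lines.
        case $type in auth|-auth) ;; *) continue ;; esac
        case $rest in *pam_tally2.so*) ;; *) continue ;; esac
        deny='' unlock='' root_unlock='' even_root=no
        for opt in $rest; do
            case $opt in
                deny=*)             deny=${opt#deny=} ;;
                unlock_time=*)      unlock=${opt#unlock_time=} ;;
                root_unlock_time=*) root_unlock=${opt#root_unlock_time=} ;;
                even_deny_root)     even_root=yes ;;
            esac
        done
        echo "deny=${deny:-unset} unlock_time=${unlock:-unset}" \
             "even_deny_root=$even_root root_unlock_time=${root_unlock:-unset}"
        [ -n "$deny" ] || echo "  NOTE: no deny=, failures are counted but never lock"
        if [ -n "$deny" ] && [ -z "$unlock" ]; then
            echo "  WARN: no unlock_time, a locked account needs a manual unlock"
        fi
        if [ "$even_root" = yes ] && [ -z "$root_unlock" ]; then
            echo "  WARN: even_deny_root without root_unlock_time"
        fi
    done < "$1"
)

# Constructed sample input (not taken from a real host). The third line is
# what an entry looks like after the sed command in step 4 has commented it out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required   pam_tally2.so deny=3 even_deny_root
#auth      required   pam_tally2.so deny=5 unlock_time=300
account    required   pam_tally2.so
EOF
audit_pam_tally2 "$sample"
rm -f "$sample"
```

On a real host, call it as audit_pam_tally2 /etc/pam.d/login; it only reads the file.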