I recently locked myself out of my vCenter Server Appliance when I was attempting to perform an upgrade through VAMI. The VAMI just says “invalid password”, but logging in on the console displayed a message indicating I had failed authentication 12 times. I had only tried four times! Regardless of whether it was me or someone else, now that I knew I had the right password, I was locked out. I waited 5 minutes but still couldn’t get in, so it looked like it was time to do a password reset. However, I wanted to explore something I had done with vRealize Orchestrator recently: disable the account lockout.
KB2147144 documents the process for booting into a privileged shell without a password. Unlike in 6.0, you hit ‘e’ instead of ‘space’ at the GRUB prompt, but otherwise it’s the same. You only have about half a second to hit ‘e’, so pay attention or you’ll find yourself rebooting a few times! For those who are not locked out already, you can just ssh into the VCSA and make this change without a reboot.
Once you’re in, search for the word tally in the PAM setup with `grep tally /etc/pam.d/*`. You will find these two lines in /etc/pam.d/system-auth:

```
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
auth required pam_tally1.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
```
Comment those two lines out (prepend each with a `#`) and save the file:

```
# cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
#auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
#auth required pam_tally1.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
```
If you know your password and are just dealing with lockouts, you can type `reboot -f` now. Otherwise, type `passwd`, enter the new password twice, and then reboot. You can now enter your password wrong a million times – or someone else can – and you will not lose the ability to log in without waiting an extraordinary amount of time or requiring a reboot.
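The same edit, scripted, as an added example that is not code from the original post: it comments out the pam_tally1/pam_tally2 lines in whatever PAM file you hand it, after taking a backup, and reports how many lines it changed. The file-path argument and the function names are assumptions for illustration; on VCSA 6.5 the file is /etc/pam.d/system-auth, as shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. Comments out the
# pam_tally1/pam_tally2 "auth required" lines in the PAM file given as $1,
# after saving a backup. The path argument and function names are
# assumptions for illustration; on VCSA 6.5 pass /etc/pam.d/system-auth.
# Usage: disable_tally_lockout /etc/pam.d/system-auth

# Count the active (not yet commented) pam_tally lines in a PAM file.
# grep -c prints the count but exits 1 when it is zero, hence "|| true".
count_tally_lines() {
    grep -cE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally[12]\.so' "$1" || true
}

# Prepend '#' to each active pam_tally line. Prints the number of lines
# changed (0 when nothing needed changing, in which case no backup is made).
disable_tally_lockout() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    before=$(count_tally_lines "$file")
    if [ "$before" -eq 0 ]; then
        echo 0
        return 0
    fi
    # Keep a timestamped copy so the lockout policy can be restored later.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # Portable in-place edit: write to a temp file, then replace the original.
    sed -E 's/^([[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally[12]\.so)/#\1/' \
        "$file" > "$file.new" && mv "$file.new" "$file"
    echo "$before"
}
```

If you still know the password and only want the counter cleared, `pam_tally2 --user root --reset` does that while leaving the lockout policy in place; the script is for the case the post describes, where the lockout is removed outright.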
I upgraded from VCSA 6.5U1b to 6.5U1c and this change persisted. I assume it will be reverted when going to vNext (6.6 or 7.0), and I am not sure how it will behave when VCSA 6.5U2 is released; it may need to be re-done, so add disabling the lockout to your upgrade checklist alongside disabling the root account expiration.
How to do the same on 6.0?
I do not have a 6.0 VCSA to check with, but I believe it’s pretty similar, you’re looking for `pam_tally` in files in /etc/pam.d to comment out, even if the filenames are different than those in 6.5. I am pretty confident that will work, but of course, test any such changes before making them to a production server based on a blog post comment 🙂
Thank you, I think I found it.
Had to comment the pam_tally2.so line on