Unlock user on linux

How to Lock and Unlock User account in Linux Easily

In this post, we will show you how to lock and unlock a user account in Linux. Before locking or unlocking users, we should know how to check their status.

How to lock users in Linux?

How to unlock users in Linux?

How to check whether a user is locked or not?

Find the user's entry in the /etc/shadow file and look for an exclamation mark (!) right after the username.

If the user was locked with the «passwd -l username» command, we see a single exclamation mark, as below.

[root@localhost ~]# grep username /etc/shadow
username:!$6$pmQO0ZPH$CodOZ5xfPHmgdR8czIFFL07wPipBpczjeXz5wapGUNj1NLsnrlCEzxOyk6/oL.WIFSoCCppwbCi7bQ//HJAn8.:16052:0:99999:7.

If the user was locked with «usermod -L username», we see a double exclamation mark, as below.

[root@localhost ~]# grep username /etc/shadow
username:!$6$pmQO0ZPH$CodOZ5xfPHmgdR8czIFFL07wPipBpczjeXz5wapGUNj1NLsnrlCEzxOyk6/oL.WIFSoCCppwbCi7bQ//HJAn8.:16052:0:99999:7.

We hope this post helped you learn how to lock and unlock a user account in Linux. The related content on Linux may also help you improve your Linux skills.

5 effective ways to unlock user account in Linux

There can be multiple situations wherein your Linux user account may get locked. Some of the possible scenarios can be:

  • Password is explicitly locked by the administrator
  • Account is explicitly locked by the administrator
  • Password was never assigned, hence the user is unable to log in
  • Multiple failed login attempts (controlled by pam_tally2 or pam_faillock)

We will cover the above-mentioned scenarios and share methods to unlock a Linux user account in each situation.

This article assumes that one of the users in your Linux environment is locked out and that you have root-level access to the respective Linux server, either via sudo, su or a direct root login. If you are stuck in a situation where you don't have this access, you can use the comment box to give me your environment details and I can help you unlock your user account based on your requirement.

1. Unlock user account when password was never assigned

This is not a typical lockout scenario, but it is definitely a possible one. Many times an administrator creates a user but forgets to assign a password. When that user tries to log in, they get «Access denied» and the log contains «Failed password for XXXX».

First let’s check if the password for this user is locked:

~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

Yes, as expected, the user account's password seems to be locked. We can try to unlock it with the passwd --unlock command:

~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)

This means that the user's password is currently empty, which is most likely the case when the password was never set. We can confirm this by checking this user's entry in the /etc/shadow file:

~]# grep user1 /etc/shadow
user1:!!:18727:0:99999:7.

If you are familiar with the fields of the /etc/shadow file, you know that the second field contains the encrypted password. In our case the second field for user1 contains only two exclamation marks ( !! ), which means a password was never set for this user.

For example, here is an output snippet for the root user, where you can see that the second field contains the encrypted password:

~]# grep root /etc/shadow
root:$6$2Q02Bth6X33J4pkY$fsAoDYSSd.JjSGfiLyqL3Ux/8UylBydeAkrD02qvPkvUPQs0bt6JJyWqPY4WuP7TKLcS2be.nSWZ9qymbKWUh1::0:99999:7.

So in such a scenario there is nothing to unlock; just go ahead and assign a password to this user using the passwd command.

For example, I will assign a password for user1:

[root@server-2 ~]# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

and now I should be able to log in as this user:

login as: user1
user1@127.0.0.1's password:
Web console: https://server-2.example.com:9090/ or https://192.168.0.152:9090/
Last failed login: Sat Apr 10 15:28:50 IST 2021 from 10.0.2.2 on ssh:notty
There were 2 failed login attempts since the last successful login.
[user1@server-2 ~]$

2. Unlock user account when password is locked

We can also lock a user account by locking the user's password with the passwd command. For example, here I have locked user1's password:

~]# passwd --lock user1
Locking password for user user1.
passwd: Success

From the passwd man page:

-l, --lock
    This option is used to lock the password of specified account and it is available to root only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !). Note that the account is not fully locked - the user can still log in by other means of authentication such as the ssh public key authentication.

So, as you can see from the passwd man page, the password is locked but the user can still log in by other means, such as public key authentication.

To verify if the user account password is locked:

[root@server-2 ~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

You can also check the user entry in /etc/shadow file:

~]# grep user1 /etc/shadow
user1:!!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7.

As you can see, two additional exclamation marks now prefix the password field. But the output differs from Scenario 1 above: here we do have an encrypted password (so the password is not empty), but since the encrypted password has been modified it is no longer recognised, hence the user fails to log in.

To unlock the user's password, we use the --unlock argument of the passwd command:

~]# passwd --unlock user1
Unlocking password for user user1.
passwd: Success

Or you can simply remove those exclamation marks from the user1 entry in the /etc/shadow file, which also unlocks the user account. Either way, the status should now show the password as set:

~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)

3. Unlock user account when account is locked using usermod

We can also lock the password of any Linux user account with the usermod command:

This option is similar to passwd --lock, except that the command adds a single exclamation mark to the second field of the /etc/shadow entry for the respective user:

~]# grep user1 /etc/shadow
user1:!$6$AeewgmcUF1pLhGxZ$iVR.itFeTUSMsitFVMG1po3UcUdNYGw7zdcyNt94PjSqZgix4nonuVspHw1EI6M7Lb5WtV7GuB41pr2N1hohm1:18727:0:99999:7.

Since the password field now contains an additional character, password login for this user is disabled.

The same can be verified using passwd command:

~]# passwd --status user1
user1 LK 2021-04-10 0 99999 7 -1 (Password locked.)

To unlock such a user account in Linux, use --unlock with usermod followed by the username:

Or manually remove that exclamation mark from the user1 entry in the /etc/shadow file and re-verify the user account status:

~]# passwd --status user1
user1 PS 2021-04-10 0 99999 7 -1 (Password set, SHA512 crypt.)
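The following is an added shell example, not code from the original article: a small POSIX sh function that reads one shadow(5) line and reports which of the states described in sections 1 to 3 its password field is in, using the same markers the article shows (!! alone, !! before a hash, ! before a hash). The sample records are constructed and the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): classify a user's lock state
# from one shadow(5) line, the way sections 1 to 3 above read /etc/shadow.
# Only field 2 (the hashed password) is examined:
#   ""              -> no password needed at all (should never appear)
#   "!!" or "!"     -> no password was ever set, so no password login (section 1)
#   "!!<hash>"      -> hash locked by "passwd --lock" (section 2)
#   "!<hash>"       -> hash locked by "usermod --lock" (section 3)
#   "*", "!*"       -> no password login, typical for system accounts
#   anything else   -> a usable hash, what passwd --status reports as PS
classify_shadow_entry() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')             echo "empty-password" ;;
        '!!'|'!')       echo "never-set" ;;
        '*'|'!*')       echo "no-password-login" ;;
        '!!'*)          echo "locked-by-passwd" ;;
        '!'*)           echo "locked-by-usermod" ;;
        *)              echo "password-set" ;;
    esac
}

# Report every record of a shadow-format file; defaults to /etc/shadow, which
# only root can read, so the demo below feeds it a constructed sample instead.
report_shadow_file() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-8s %s\n' "${line%%:*}" "$(classify_shadow_entry "$line")"
    done < "${1:-/etc/shadow}"
}

# Constructed sample in shadow(5) format; the hashes are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$placeholderhash:18727:0:99999:7:::
user1:!!:18727:0:99999:7:::
user2:!!$6$placeholderhash:18727:0:99999:7:::
user3:!$6$placeholderhash:18727:0:99999:7:::
sshd:!*:18727::::::
EOF
report_shadow_file "$sample"
rm -f "$sample"
```

Run it as root without an argument to classify every account in the real /etc/shadow.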

4. Unlock user account when account is expired

It is also possible that your user account on the Linux box has expired, which is why you are not allowed to log in. In that case, when you try to log in you may see the following messages in /var/log/secure:

Apr 10 22:50:01 server-2 sshd[6074]: Failed password for user1 from 10.0.2.2 port 51134 ssh2
Apr 10 22:50:01 server-2 sshd[6074]: fatal: Access denied for user user1 by PAM account configuration [preauth]

So first check the expiry date of the user with the chage command:

As you can see, the expiry date of user1 is in the past, so it is quite obvious that the user account will be locked. To unlock such a user account, you just have to change the expiry date of this user to a date in the future.

For example, the following can be used to set an account to expire in 180 days:

[root@server-2 ~]# chage -E $(date -d +180days +%Y-%m-%d) user1
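An added example, not from the original article, that judges account expiry directly from the shadow record (the same data chage and PAM read) and produces the date string for the chage -E call above. It assumes GNU date, as on RHEL/CentOS, and uses constructed sample records with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the original article): check account expiry from the
# shadow(5) record itself. Field 8 of /etc/shadow is the expiry date as days
# since 1970-01-01 (empty means "never"). pam_unix treats the account as
# expired once the current day number is greater than or equal to that field,
# so the "Access denied ... by PAM account configuration" line from
# /var/log/secure appears on the expiry day itself, not the day after.

# Day number for a YYYY-MM-DD date; assumes GNU date (-d), as on RHEL/CentOS.
days_since_epoch() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# Expiry state of one shadow line ($1) as of day number $2:
# prints "never", "active" or "expired".
expiry_state() {
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    if [ -z "$expire" ] || [ "$expire" = "-1" ]; then
        echo never
    elif [ "$2" -ge "$expire" ]; then
        echo expired
    else
        echo active
    fi
}

# Date string for "chage -E" so the account expires $1 days from now, the
# same value "chage -E $(date -d +180days +%Y-%m-%d) user1" computes above.
expiry_date_in() {
    date -u -d "+$1 days" +%Y-%m-%d
}

# Constructed sample records (placeholder hashes); 2021-04-10 is day 18727,
# the "last changed" value visible in the article's own /etc/shadow output.
today=$(days_since_epoch 2021-04-10)
for rec in 'user1:$6$hash:18727:0:99999:7::18700:' \
           'user2:$6$hash:18727:0:99999:7::18727:' \
           'user3:$6$hash:18727:0:99999:7::18907:' \
           'user4:$6$hash:18727:0:99999:7:::'; do
    printf '%-6s %s\n' "${rec%%:*}" "$(expiry_state "$rec" "$today")"
done
echo "chage -E $(expiry_date_in 180) user1"
```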

Now check the user expiry date:

5. Unlock user account when locked after multiple failed login attempts

Now this is a more realistic and common scenario in which a user account can get locked. You forgot the password and kept trying until you finally realised: oh shit, my account is locked!

By default this feature is controlled by either the pam_tally2 or the pam_faillock module. To check which module is available in your environment, use:

~]# rpm -ql pam | grep -E 'faillock|tally2'

Sample output from a Linux server with both modules:

[root@server ~]# rpm -ql pam | grep -E 'faillock|tally2'
/usr/lib64/security/pam_faillock.so
/usr/lib64/security/pam_tally2.so
/usr/sbin/faillock
/usr/sbin/pam_tally2
/usr/share/doc/pam-1.1.8/html/sag-pam_tally2.html
/usr/share/doc/pam-1.1.8/txts/README.pam_faillock
/usr/share/doc/pam-1.1.8/txts/README.pam_tally2
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/usr/share/man/man8/pam_tally2.8.gz
/var/run/faillock

In this case I have both modules installed on my server, so depending on which module was used to lock the user, you must use the same module to unlock the user account. Later distros may ship only one of the modules.

For example, here only the pam_faillock module is available:

~]# rpm -ql pam | grep -E 'faillock|tally2'
/etc/security/faillock.conf
/usr/lib64/security/pam_faillock.so
/usr/sbin/faillock
/usr/share/doc/pam/txts/README.pam_faillock
/usr/share/man/man5/faillock.conf.5.gz
/usr/share/man/man8/faillock.8.gz
/usr/share/man/man8/pam_faillock.8.gz
/var/run/faillock

Here we don't have the pam_tally2 module, so we can only use the faillock module.

5.1 Using pam_faillock module

Assuming your admin is using pam_faillock to lock the user account, you can run faillock from the terminal as root to list the failed login attempts:

Here I have intentionally entered a wrong password to lock the user1 account; this can be confirmed in /var/log/secure:

Apr 10 23:07:43 server-2 sshd[11752]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=user1
Apr 10 23:07:43 server-2 sshd[11752]: pam_faillock(sshd:auth): Consecutive login failures for user user1 account temporarily locked

To unlock the user account, we again use the faillock command, as shown below:

[root@server-2 ~]# faillock --user user1 --reset

Now you will see that the whole history of failed login attempts for user1 has been cleared, so user1 can log back in:

~]# faillock
user1:
When                Type  Source                                           Valid

5.2 Using pam_tally2 module

If you are using the pam_tally2 module to count login attempts and allow or deny a user login, then you must also use pam_tally2 to unlock the user account in Linux. For example, here user1 is locked after multiple failed login attempts:

~]# pam_tally2
Login           Failures Latest failure     From
user1               9    04/10/21 23:36:56  192.168.0.152

So, to reset the failed login attempts, we use:

~]# pam_tally2 --reset --user user1
Login           Failures Latest failure     From
user1               9    04/10/21 23:36:56  192.168.0.152

Next, if you check the active failed login attempt count, the output will be empty, which means your user is unlocked and can try to log in again:

Summary

In this article I have tried to cover the different scenarios under which a user account can get locked, and the steps to unlock the account in each of them. Things become really complicated when the root user gets locked out, so you must always have a backup plan when you set up such features, for example allowing console-based root access. Most of these settings apply to SSH-based access or to su and sudo, so for the worst case you can allow console-based access for the root user, so that it can log in and unlock itself.

1 thought on “5 effective ways to unlock user account in Linux”

Great explanation for passwd options to check/modify user password lock. I've not seen any help for a user locked out during initial boot up login. Simply cannot login as user1. User2 and root can login. I've modified /etc/lightdm/lightdm.conf to enable autologin-user=user1 but still not able to pass the initial boot up login screen. I can get remote access with ssh as user1 with password. Using Linux MX21.