As part of my daily sysadmin job I had to unlock the account of a colleague who had been locked out on some obscure AIX UNIX machine.
The IBM AIX operating system is used mainly for critical corporate applications at airports, financial institutions and banks, the U.S. Army and Navy, the stock exchange, etc.
Due to its complexity and price and the lack of people with any expertise, it is now used only by critical businesses, for its strong capabilities such as native application clustering.
But enough ranting. If you happen to come across AIX and need to reset the failed login counter, which is part of AIX's integrated login security and blocks the user
after a preset number of failed attempts, here is how.
1. Become superuser
# su - root
2. Check the number of previous unsuccessful logins for the account to confirm it is blocked
# lsuser -a unsuccessful_login_count <userid>
# lsuser -a unsuccessful_login_count hipo
3. Reset the unsuccessful login counter
# chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s hipo
4. Unlock the locked account
# chuser account_locked=false hipo
5. Lock account
If for some reason you need to lock an old, no longer used account (instead of deleting it completely), run:
# chuser account_locked=true hipo
6. Check account lock / unlock state
# lsuser hipo
hipo id=2086 pgrp=group groups=users,admin home=/home/hipo shell=/usr/bin/bash gecos=Official Name login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=7 registry=files SYSTEM=compat logintimes= loginretries=3 pwdwarntime=14 account_locked=false minage=1 maxage=13 maxexpired=12 minalpha=1 minloweralpha=0 minupperalpha=0 minother=1 mindigit=1 minspecialchar=0 mindiff=3 maxrepeats=2 minlen=8 histexpire=40 histsize=10 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=XXXXXXXXXXXX time_last_unsuccessful_login=XXXXXXXXXXX tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=10.10.10.1 host_last_unsuccessful_login=220.127.116.11 unsuccessful_login_count=0 roles=
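Steps 2 to 4 touch two separate lock mechanisms: the failed-login counter and the account_locked flag. The following added example (not from the original post) classifies which one is blocking a user and prints the matching command from the steps above. It assumes the input is one line of `lsuser -a account_locked loginretries unsuccessful_login_count <user>` output and that the account is blocked once the counter reaches loginretries; the function names and the sample line are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Input is one line as printed by:
#   lsuser -a account_locked loginretries unsuccessful_login_count <user>

# Print why the account is blocked: admin_locked, retry_locked, ok or unknown.
aix_lock_state() {
    locked=false retries=0 count=0
    for tok in $1; do                      # split "user key=value ..." on blanks
        case "$tok" in
            account_locked=*)           locked=${tok#*=} ;;
            loginretries=*)             retries=${tok#*=} ;;
            unsuccessful_login_count=*) count=${tok#*=} ;;
        esac
    done
    case "$retries" in -*) retries=0 ;; esac   # zero or negative means no limit
    for n in "$retries" "$count"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    case "$locked" in
        true|yes|always) echo admin_locked; return 0 ;;
    esac
    # Assumption: blocked once the counter reaches loginretries.
    if [ "$retries" -gt 0 ] && [ "$count" -ge "$retries" ]; then
        echo retry_locked
    else
        echo ok
    fi
}

# Print (do not run) the command from the steps above that clears the state.
aix_unlock_plan() {   # $1 = user, $2 = state from aix_lock_state
    case "$2" in
        retry_locked) echo "chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s $1" ;;
        admin_locked) echo "chuser account_locked=false $1" ;;
        ok)           echo "# $1 is not blocked" ;;
        *)            echo "# $1: unparsable lsuser output"; return 2 ;;
    esac
}

# Constructed sample line (not real output): counter above the retry limit.
sample='hipo account_locked=false loginretries=3 unsuccessful_login_count=5'
aix_unlock_plan hipo "$(aix_lock_state "$sample")"
```

Both conditions can hold at once, so re-check the state after clearing one of them. An account reported as admin_locked may have been locked on purpose (step 5), so confirm the reason before unlocking it.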
7. How to reset failed login counter on RedHat / CentOS Linux
Corporate Linux distributions like RHEL / CentOS and SLES also have a similar security feature that allows the sysadmin to block a user after a number of unsuccessful login attempts.
To unblock a user who is prohibited from logging in, let's say due to repeatedly failing to remember his own password, check the counter and then reset it:
[root@linux: ~]# pam_tally2 --user=Username
[root@linux: ~]# pam_tally2 --user=Username --reset