Welcome to Dell Technologies’ VxRail - Break Fix series.
"Remote access for ESXi local user account 'root' has been locked for 900 seconds after many failed login attempts." Reference: Dell Knowledge Article number 542558.
This video shows how to unlock remote root access when the root account of one or more ESXi hosts has been locked after a number of failed login attempts.
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. By default, a maximum of five failed attempts is allowed before the account is locked.
The account is unlocked after 15 minutes by default. This video shows how to log into the ESXi Shell and how to re-enable the locked remote connection.
This issue can occur when a third-party application, such as a monitoring tool, has been configured with invalid root credentials or has not been updated with the most recent root credentials.
This causes repeated failed logins, which lock the root account for at least 15 minutes.
The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout, so they remain available for recovery.
Before you begin, please have the iDRAC credentials and the ESXi root password at hand. Gather, as well, the management IP of the impacted host and the related iDRAC IP information.
In this demonstration, we will first log into the iDRAC and open a console. We will then log into the ESXi Shell and reset the password failure counter. Finally, we will test a successful login over SSH.
After logging in to vCenter, the alert is reported on the Summary tab for the affected node. We can now open the iDRAC of that node and then open a virtual console.
Now, let's open a shell with Alt + F1 and log in as root. After logging in, please review the auth.log for failed authentication attempts, and verify the number of failed attempts using the pam_tally2 tool.
We can reset the counter for user root and check again that the counter is now zero. We can then test a remote connection over SSH to confirm that remote root access has been restored.
Please be aware that the error message in the vSphere UI may not disappear immediately. To test whether the reset has worked, a new SSH connection can be opened to confirm that the account is unlocked.
The account is unlocked after 15 minutes by default, but only if no further attempt to connect is made in the meantime, even with a valid password.
If another account with root privileges is configured on the ESXi host, that user can connect via SSH with this account and use the pam_tally2 tool to reset the root failed-attempts counter.
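The following shell script is an added example, not part of the Dell video or knowledge article. It checks constructed auth.log lines for failed root SSH logins, names the source address that tripped the five-attempt threshold (usually the host running the misconfigured application), and wraps the pam_tally2 reset step the video performs from the ESXi Shell.

```shell
#!/bin/sh
# Constructed sample of ESXi auth.log lines (not a real capture); the format
# approximates what sshd writes to /var/log/auth.log on an ESXi host.
SAMPLE_AUTH_LOG='2024-05-01T10:00:01Z sshd[2001]: Failed password for root from 192.0.2.10 port 51234 ssh2
2024-05-01T10:00:31Z sshd[2002]: Failed password for root from 192.0.2.10 port 51235 ssh2
2024-05-01T10:01:01Z sshd[2003]: Failed password for root from 192.0.2.10 port 51236 ssh2
2024-05-01T10:01:31Z sshd[2004]: Failed password for root from 192.0.2.10 port 51237 ssh2
2024-05-01T10:02:01Z sshd[2005]: Failed password for root from 192.0.2.10 port 51238 ssh2
2024-05-01T10:02:20Z sshd[2006]: Failed password for root from 192.0.2.20 port 40001 ssh2
2024-05-01T10:02:40Z sshd[2007]: Failed password for invalid user admin from 192.0.2.30 port 40002 ssh2
2024-05-01T10:03:00Z sshd[2008]: Accepted password for root from 192.0.2.40 port 40003 ssh2'

# Default ESXi lockout threshold described in the video: 5 failed attempts.
LOCKOUT_THRESHOLD=5

# Count failed root logins over SSH in the given log text.
failed_root_attempts() {
  printf '%s\n' "$1" | grep -c 'Failed password for root from' || true
}

# List the source addresses whose failed root logins reach the threshold;
# this points at the host running the misconfigured application.
lockout_sources() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /Failed password for root from/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (h in fails) if (fails[h] >= thr) print h }'
}

# Exit 0 when the log shows enough failures to trigger the lockout.
root_lockout_reached() {
  [ "$(failed_root_attempts "$1")" -ge "$LOCKOUT_THRESHOLD" ]
}

# The repair step from the video, to be run from the ESXi Shell (Alt + F1 on the
# console) or from an SSH session of another root-privileged account; not run here.
reset_root_tally() {
  pam_tally2 --user root          # show the current failure count
  pam_tally2 --user root --reset  # reset it to zero
  pam_tally2 --user root          # confirm the count is now 0
}

# Stand-alone demonstration on the constructed sample.
echo "Failed root SSH logins: $(failed_root_attempts "$SAMPLE_AUTH_LOG")"
echo "Sources at or over the threshold: $(lockout_sources "$SAMPLE_AUTH_LOG" "$LOCKOUT_THRESHOLD")"
if root_lockout_reached "$SAMPLE_AUTH_LOG"; then
  echo "Lockout threshold reached; run reset_root_tally from the ESXi Shell"
fi
```

On a real host, pipe `cat /var/log/auth.log` into the same functions instead of the constructed sample; remember that any further connection attempt, even with the correct password, restarts the 15-minute unlock timer.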
Thank you for watching.