VMware ESXi Root Account is Locked for 900 s After Login Attempts Fails
Summary: This article provides a resolution when remote access for the ESXi local user account root is locked for 900 s after failed login attempts. Connect to the iDRAC console to access the ESXi shell then run the reset command. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
The root account of one or more ESXi hosts is locked due to several failed login attempts.
Unable to connect to the node using SSH or the web UI.
Confirm the issue using the iDRAC console to the ESXi shell.
In vCenter, a warning message is shown similar to the following:
Remote access for ESXi local user account 'root' has been locked for 900s after 14 failed login attempts.
Figure 1: Remote access is locked.
Logs similar to the following are found on the affected host:
/var/log/vobd.log
2020-04-03T17:27:58.790Z: [GenericCorrelator] 8202447897096us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 32 failed login attempts.
2020-04-03T17:27:58.790Z: [UserLevelCorrelator] 8202447897096us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 32 failed login attempts.
2020-04-03T17:27:58.791Z: [UserLevelCorrelator] 8202447897325us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 32 failed login attempts.
/var/log/auth.log
2020-04-03T17:29:06Z sshd[701694298]: Connection from 192.168.100.40 port 55682
2020-04-03T17:29:06Z sshd[701333862]: pam_tally2(sshd:auth): user root (0) tally 34, deny 5
2020-04-03T17:29:08Z sshd[701694298]: error: PAM: Authentication failure for root from 192.168.100.40
2020-04-03T17:29:08Z sshd[701694492]: pam_tally2(sshd:auth): user root (0) tally 35, deny 5
2020-04-03T17:29:08Z sshd[701694492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.100.40 user=root
2020-04-03T17:29:10Z sshd[701694298]: error: PAM: Authentication failure for root from 192.168.100.40
2020-04-03T17:29:10Z sshd[701694298]: error: Received disconnect from 192.168.100.40 port 55682:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
2020-04-03T17:29:10Z sshd[701694298]: Disconnected from authenticating user root 192.168.100.40 port 55682 [preauth]
Cause
The root password for the node may have been changed, but the third-party monitoring software has not been updated with the new root password.
This causes multiple failed logins (sometimes hundreds or even thousands). This locks the root account for 15 minutes which leads to the inability to SSH to the node or log in to the node web UI.
You can log in through the DCUI and the ESXi shell.
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed attempts are allowed before the account is locked. The account is unlocked after 15 minutes by default.
This causes multiple failed logins (sometimes hundreds or even thousands). This locks the root account for 15 minutes which leads to the inability to SSH to the node or log in to the node web UI.
You can log in through the DCUI and the ESXi shell.
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed attempts are allowed before the account is locked. The account is unlocked after 15 minutes by default.
Resolution
To address this issue:
Figure 2: ESXi commands and output
- Connect to the iDRAC console and then to the ESXi shell.
- Enable the shell by logging in to the DCUI and enabling the ESXi shell under troubleshooting options.
- You can also do a
Cntrl-Alt-F1to access the shell. - After connecting to the ESXi shell, run the commands below. The output should match the screenshot below, except the "From" entry says "unknown."
#pam_tally2 --user root #pam_tally2 --user root --reset #pam_tally2 --user root
Figure 2: ESXi commands and output
- After running the above commands, log in to the ESXi node web UI.
- Go to Monitor and then Events. You should see an IP address that was trying to log in that is listed as failed.
- You must identify the application based on the IP address that is listed here. Either stop it or configure it with the correct credentials.
Additional Information
For more information, see VMware article ESXi Passwords and Account Lockout
Watch this video on ESXi Break Fix Unlock root User Account.
Affected Products
PowerFlex rack, VxRail, ScaleIO, VxRail D560, VxRail D560F, VxRail E460, VxRail E560, VxRail E560F, VxRail E560N, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560F, VxRail P470, VxRail P570
, VxRail P570F, VxRail P580N, VXRAIL P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S470, VxRail S570, VxRail S670, VxRail V470, VxRail V570, VxRail V570F, VXRAIL V670F, VxRail VE-660, VxRail VE-6615, VxRail VP-760, VxRail VP-7625, VxRail VS-760
...
Article Properties
Article Number: 000071365
Article Type: Solution
Last Modified: 06 Mar 2025
Version: 17
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.