lock an user account

Arun Jain
Frequent Advisor

Hi All,

I have "Red Hat Enterprise Linux Server release 5.5 (Tikanga)" on an Itanium Machine.

I want to set user privilege such that when a user attempts a certain number of unsuccessful logins, his account gets locked.

Arun Jain
speak less say more
Frequent Advisor

Re: lock an user account

From the GUI you can configure this through the "Users & Groups" option in the Administrative Menu. Or, from X Window, use the command system-config-users; this will give you the menu-based screen.

For command-based configuration, follow the link below for reference.
Super Advisor

Re: lock an user account

Check out file /etc/pam.d/system-auth

and edit the below line

auth required /lib/security/$ISA/ onerr=fail no_magic_root deny=3

This defines that when a user tries to log in unsuccessfully 3 times, the user gets locked.

To unlock: faillog -r -a
Wilfred Chau_1
Respected Contributor

Re: lock an user account

Along with the PAM settings, vi /etc/login.defs and change LOGIN_RETRIES from 5 to 3.
Super Advisor

Re: lock an user account

Is the thread still not closed? Do you expect some more? Please post your view.
Frequent Advisor

Re: lock an user account

Configure policy to track and log failed login attempt records.

/var/log/faillog is the file where the log gets generated. PAM configuration to record failed login attempts: open the /etc/pam.d/system-auth file:

[root@rac1 ishwar]# vi /etc/pam.d/system-auth

Append the following 2 module entries:

auth required no_magic_root
account required deny=3 no_magic_root lock_time=180

How to unlock the locked account
Syntax:
/sbin/pam_tally: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]

[root@rac1 ishwar]# /sbin/pam_tally --user vivek --reset --quiet

How do I display all failed login attempts for user vivek?

[root@rac1 ishwar]# faillog -u vivek

Login   Failures  Maximum  Latest                    On
vivek          3        0  12/19/07 14:12:53 -0600   64.11.xx.yy

Display faillog records for all users.
Use the -a option:

[root@rac1 ishwar]# faillog -a

How do I reset the counters of login failures?
The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:

[root@rac1 ishwar]# faillog -r
[root@rac1 ishwar]# faillog -r -u vivek <-- only reset counter for vivek user

Steven E. Protter
Exalted Contributor

Re: lock an user account


To do this, you will need to write a shell script that checks output from lastb and issues a passwd -l command.

Or you can install a third-party product like E-trust.

Or you can use an LDAP/NIS central login server that can be configured for this task.

Linux out of the box seems to just let bad logins go on, and on and on and on...etc

Steven E Protter
Owner of ISN Corporation
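
The approach from the last reply (count failures in lastb output, then passwd -l), sketched as an added example that is not part of any post in this thread. The function names are hypothetical, the lastb lines are constructed, the threshold of 3 is taken from the deny=3 setting quoted earlier, and skipping root and filtering odd names are choices made here.

```shell
#!/bin/sh
# Added example: count failed logins per user from lastb-style output and
# print the passwd -l command for each account at or over the threshold.
THRESHOLD=${THRESHOLD:-3}   # assumed value, matching deny=3 in the thread

# Reads lastb output on stdin, prints one user name per line (sorted).
users_over_threshold() {
    awk -v max="$1" '
        NF == 0                            { next }  # blank separator line
        $1 == "btmp" && $2 == "begins"     { next }  # lastb footer
        $1 == "root"                       { next }  # never lock root out
        # btmp records whatever name was typed at the prompt, so keep
        # only strings that look like a plain account name.
        $1 !~ /^[a-z_][a-z0-9_-]*$/        { next }
        { fails[$1]++ }
        END { for (u in fails) if (fails[u] >= max) print u }
    ' | sort
}

# Constructed sample of lastb output (not captured from a real host).
sample_lastb() {
    cat <<'EOF'
vivek    ssh:notty    192.0.2.10       Wed Dec 19 14:12 - 14:12  (00:00)
vivek    ssh:notty    192.0.2.10       Wed Dec 19 14:11 - 14:11  (00:00)
arun     tty1                          Wed Dec 19 14:05 - 14:05  (00:00)
vivek    ssh:notty    192.0.2.10       Wed Dec 19 14:10 - 14:10  (00:00)
root     ssh:notty    192.0.2.77       Wed Dec 19 13:01 - 13:01  (00:00)
root     ssh:notty    192.0.2.77       Wed Dec 19 13:00 - 13:00  (00:00)
root     ssh:notty    192.0.2.77       Wed Dec 19 12:59 - 12:59  (00:00)

btmp begins Wed Dec 19 12:59:01 2007
EOF
}

# Dry run: print the lock commands instead of executing them.
lock_commands() {
    users_over_threshold "$THRESHOLD" | while read -r user; do
        echo "passwd -l $user"
    done
}

# On a real host: lastb | lock_commands
sample_lastb | lock_commands
```

lastb reports every record in the btmp file, so this counts total failures since the file was last rotated, not consecutive ones.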