vcap user not able to ssh into BOSH Director
Article ID: 293725

Products

Operations Manager

Issue/Introduction

This short KB explains how to ssh into the BOSH Director when the vcap user password is not working in a Tanzu Operations Manager deployed environment.

The vcap user credentials are located in the Operations Manager BOSH tile -> Credentials tab -> VM Credentials. When too many authentication failures occur for the vcap user, the account is locked out. Subsequent ssh attempts are denied, even when the correct password is used.

Environment

Product Version: 2.9

Resolution

To unlock the vcap user, we can ssh into the director with the Bbr Ssh Credentials key:

1. Create a file named bbrkey.pem

2. Obtain the private key from the Operations Manager BOSH tile -> Credentials tab -> Bbr Ssh Credentials -> private_key_pem value.

3. Paste the entire key as is into the bbrkey.pem file, excluding the leading and trailing double quotes.

4. Format the file with the following command (it converts the literal \n sequences in the pasted value into real line breaks):
echo -e $(cat bbrkey.pem) > bbrkey.pem

5. Change the permissions for the bbrkey.pem to read only:
chmod 400 bbrkey.pem

6. ssh into the BOSH director with the bbr user and key:
ssh -i bbrkey.pem bbr@<IP-OF-BOSH-DIRECTOR> -o IdentitiesOnly=true

7. Check to see that the vcap user is locked:
sudo pam_tally2 --user=vcap
If the pam_tally2 command is not available, use faillock instead:
faillock --user vcap
A locked user would show up with one or several "V" in the "Valid" column:
bosh/0:~$ faillock --user vcap
vcap:
When                Type  Source                                           Valid
2024-03-13 09:21:33 TTY   /dev/pts/1                                           V
2024-03-13 09:21:36 TTY   /dev/pts/1                                           V
2024-03-13 09:21:39 TTY   /dev/pts/1                                           V

8. Unlock the vcap user:
sudo pam_tally2 --user=vcap --reset
If the pam_tally2 command is not available, use faillock instead:
faillock --user vcap --reset
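The following script is an added example, not part of this KB or of Operations Manager, that performs steps 4 through 8 as reusable shell functions. It converts the JSON-escaped private_key_pem value with printf '%b' on a quoted argument rather than an unquoted echo -e $(cat ...), because an unquoted command substitution is subject to glob expansion and whitespace collapsing, and it checks the PEM header and footer before the key is ever handed to ssh. The variable BOSH_DIRECTOR_IP is a placeholder for the director's address, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the KB): convert the private_key_pem value into a
# usable key file and query or reset the vcap lock state on the director.
# Assumptions: the key text was pasted into a file exactly as shown in the
# Credentials tab (literal "\n" sequences), and BOSH_DIRECTOR_IP is a
# placeholder for the director's address.

# Expand literal "\n" escapes into real newlines. %b interprets backslash
# escapes like echo -e does, but the quoted argument keeps its spacing and is
# never glob-expanded into file names.
unescape_pem() {
    printf '%b\n' "$1"
}

# Sanity-check a PEM body before giving it to ssh: first line is a BEGIN
# header, last non-empty line is an END footer, and no literal "\n" remains.
pem_looks_valid() {
    case "$1" in *'\n'*) return 1 ;; esac
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | sed '/^$/d' | tail -n 1)
    case "$first" in
        "-----BEGIN "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    case "$last" in
        "-----END "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    return 0
}

# Write the converted key with permissions ssh accepts; the umask in the
# subshell means the file is never world-readable, not even briefly.
write_key_file() {
    pem=$(unescape_pem "$1")
    pem_looks_valid "$pem" || return 1
    ( umask 077; printf '%s\n' "$pem" > "$2" ) || return 1
    chmod 400 "$2"
}

# Show (no third argument) or clear ("--reset") the vcap failure counter on
# the director as the bbr user, trying faillock first and then pam_tally2,
# as the KB describes. Both tools take --reset.
vcap_lock_state() {
    key=$1; host=$2; action=${3:-}
    ssh -i "$key" -o IdentitiesOnly=yes "bbr@$host" \
        "if command -v faillock >/dev/null 2>&1; then sudo faillock --user vcap $action; \
         else sudo pam_tally2 --user=vcap $action; fi"
}

# Usage, only when a director address is supplied (placeholder value):
#   BOSH_DIRECTOR_IP=<IP-OF-BOSH-DIRECTOR> sh unlock_vcap.sh
if [ -n "${BOSH_DIRECTOR_IP:-}" ]; then
    write_key_file "$(cat bbrkey.pem)" bbrkey_fixed.pem || { echo "key did not convert cleanly" >&2; exit 1; }
    vcap_lock_state bbrkey_fixed.pem "$BOSH_DIRECTOR_IP"            # inspect
    vcap_lock_state bbrkey_fixed.pem "$BOSH_DIRECTOR_IP" --reset    # unlock
    rm -f bbrkey_fixed.pem                                          # KB note: remove the key when done
fi
```

With no BOSH_DIRECTOR_IP set the script only defines the functions, so it can be sourced and its conversion checked locally before anything is sent to the director.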

The vcap user should now be able to successfully log into the BOSH director again.

Note: Remove the bbrkey.pem file if no longer needed.