ERROR: Remote access for ESXi local user account 'root' has been locked for 120 seconds
search cancel

ERROR: Remote access for ESXi local user account 'root' has been locked for 120 seconds

book

Article ID: 340038

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Remote access to an ESXi host fails for the local root user despite valid credentials.
  • Rebooting the host temporarily resolves the issue but does not prevent recurrence. 
  • The account is locked for 120 seconds following a large number of failed login attempts, as indicated in the below log entries from /var/run/log/vobd.log of the host logs.

    YYYY-MM-DDTHH:MM:SSZ: [GenericCorrelator] 1222053089769us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 120 seconds after 44090 failed login attempts.
    YYYY-MM-DDTHH:MM:SSZ: [UserLevelCorrelator] 1222053089978us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 120 seconds after 44090 failed login attempts.
    YYYY-MM-DDTHH:MM:SSZ: [UserLevelCorrelator] 1222061520175us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 120 seconds after 44091 failed login attempts.
    YYYY-MM-DDTHH:MM:SSZ: [GenericCorrelator] 1222061520175us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 120 seconds after 44091 failed login attempts.

Environment

  • VMware vSphere 6.x
  • VMware vSphere 7.x
  • VMware vSphere 8.x

Cause

  • The lockout is triggered by repeated authentication failures originating from a third-party service or tool.
  • This behavior may be observed in environments with Nutanix clusters, where the CVM (Customer Virtual Machine) service was identified as the source of excessive login attempts.

Resolution

  • Identifying and preventing the source of the logins is the recommended action to resolve the issue.
  • The <IP Address> can be identified via the logging of hostd.log (/var/run/log/hostd.log) of the host logs as shown below:

    YYYY-MM-DDTHH:MM:SSZ Wa(164) Hostd[2098850]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=######## sid=########] Rejected password for user root from <IP Address> - session=########-####-####-####-############
    YYYY-MM-DDTHH:MM:SSZ Wa(164) Hostd[2098880]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=######## sid=########] Rejected password for user root from <IP Address> - session=########-####-####-####-############
    YYYY-MM-DDTHH:MM:SSZ Wa(164) Hostd[2098856]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=######## sid=########] Rejected password for user root from <IP Address> - session=########-####-####-####-############

  • Additionally syslog.log and rhttpproxy.log located at /var/run/log/ can also be compared to gain further information on the logins.

Workaround :-

Temporarily Prevent Account Lockout by changing the following Advanced Configuration:   

  1. Navigate to Configuration > Advanced Options in the ESXi host settings.  
  2. Set Security.AccountLockFailures to 0 to disable account lockouts after failed login attempts.

Nutanix Cluster-Specific Steps (if applicable):
Follow this Procedure of Action (POA):   

  1. On all hosts, set Security.AccountLockFailures to 0.  
  2. Stop the Genesis cluster service on the Nutanix CVM using the command.
    allssh genesis stop
  3. Unlock the root account via console access on each host:
    pam_tally2 -u root -r
  4. Run the Nutanix CVM script to update SSH keys:
    /usr/local/nutanix/cluster/bin/fix_host_ssh
  5. Restart the Genesis cluster service:
    cluster restart_genesis
  6. Restore Security.AccountLockFailures to its original/default value (typically 5)
Powered by Wolken Software