VCSA 9.x: 'sudo -i' fails with Authentication failure due to faillock policy

Article ID: 440344


Products

VMware vCenter Server

Issue/Introduction

Symptoms

Users may experience the following symptoms on vCenter Server Appliance (VCSA) 9.x:

  • Attempting to switch to the root user using sudo -i fails with an "Authentication failure" error, even with the correct password.
  • When the root user's default shell is set to /bin/appliancesh, a single incorrect password entry may incorrectly increment the failure counter or trigger an immediate lockout.
  • Checking the lockout status with /usr/sbin/faillock --user root shows multiple failures attributed to the passwd service or to external IP addresses,
    or /var/log/audit/sshinfo.log contains the message "Consecutive login failures for user root account temporarily locked". See Investigating VCSA SSH logins for user "ROOT".

Environment

VMware vCenter Server 9

Cause

The default account lockout policy in vCenter 9.x is managed by the faillock module. If the lockout threshold (the deny parameter) is set too low (e.g., the default of 3), automated services or the behavior of the /bin/appliancesh wrapper can cause the root account to lock prematurely during authentication transitions.

Resolution

To resolve this issue, increase the number of failed login attempts allowed before a lockout occurs by modifying the faillock configuration.

  1. Log in to the vCenter Server Appliance via SSH as root.
    If root is already locked, rotate the root password via SDDC Manager; this also unlocks the root account.
  2. Back up the existing faillock.conf file:
    cp /etc/security/faillock.conf /etc/security/faillock.conf.bak
  3. Edit the /etc/security/faillock.conf file using a text editor (e.g., vi):
    vi /etc/security/faillock.conf
  4. Locate the deny parameter. Change the value to allow more attempts (e.g., change deny = 3 to deny = 9):
    deny = 9
  5. Save and close the file.

Additional Information

For more details on configuring user account lockout policies, see .