Accounts unexpectedly unlock every 6 hours when Security.AccountUnlockTime is set to 9999999

Article ID: 441657

Products

VMware vSphere ESXi

Issue/Introduction

When attempting to prevent automatic unlocking of local ESXi users by setting Security.AccountUnlockTime to 9999999, the lockout is unexpectedly released after 6 hours.
As a result, users are able to log in again despite the maximum unlock time constraint.

The following log is observed in syslog.log every 6 hours: USER root pid ###### cmd /bin/pam_tally2 --reset

syslog.log

YYYY-MM-DDT06:00:00.864Z In(##) crond[######]: USER root pid ###### cmd /bin/pam_tally2 --reset
YYYY-MM-DDT12:00:00.864Z In(##) crond[######]: USER root pid ###### cmd /bin/pam_tally2 --reset

Environment

ESXi 8.0 U2 and later

Cause

This issue occurs because a cron job on ESXi regularly executes the /bin/pam_tally2 --reset command, which resets the failed authentication counter. When this command runs, the login attempt count is cleared, allowing users to log in before the configured lockout time expires.

This cron job was initially introduced in ESXi 8.0 U2 as a temporary workaround to prevent accidental user lockouts. If your security policy requires strict management of account lockout durations, disabling this cron job will not impact system operations.

Resolution

To prevent unintended account unlocks, comment out the cron job that executes the reset command.
Additionally, since manual changes to the cron file do not survive an ESXi host reboot by default, you must also configure the script to persist across reboots.

Step 1: Comment out the cron job in the current environment

  1. Log in to the ESXi host via SSH with root privileges.
  2. Stop the cron daemon:
    /bin/kill $(cat /var/run/crond.pid)
    
  3. Create a backup of the root crontab file:
    cp /var/spool/cron/crontabs/root /var/spool/cron/crontabs/root.old
    
  4. Temporarily grant write permissions to the crontab file:
    chmod +w /var/spool/cron/crontabs/root
    
  5. Comment out the target cron entry using the following command:
    sed -i '\/bin\/pam_tally2 --reset/s/^/#/' /var/spool/cron/crontabs/root
    
  6. Restore the file permissions to read-only:
    chmod 1444 /var/spool/cron/crontabs/root
    
  7. Start the cron daemon:
    /usr/lib/vmware/busybox/bin/busybox crond
    
  8. Verify that the line has been successfully commented out:
    grep pam_tally2 /var/spool/cron/crontabs/root

Step 2: Configure the changes to persist across ESXi host reboots

  1. Open /etc/rc.local.d/local.sh

    vi /etc/rc.local.d/local.sh
    
  2. Append the following lines right before the exit 0 statement, then save and close the file.

    sleep 30
    chmod +w /var/spool/cron/crontabs/root
    sed -i '\/bin\/pam_tally2 --reset/s/^/#/' /var/spool/cron/crontabs/root
    chmod 1444 /var/spool/cron/crontabs/root
    /bin/kill $(cat /var/run/crond.pid)
    /usr/lib/vmware/busybox/bin/busybox crond
    
  3. Run the backup script to save the changes made to local.sh to the system configuration.

    auto-backup.sh
    
  4. (Optional) Reboot the ESXi host and verify that the changes in /var/spool/cron/crontabs/root persist.
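The following script is an added example, not part of the KB article or of ESXi itself. It packages the two things an administrator wants to check after Step 1 and Step 2 into small functions: whether a root crontab still carries an active (uncommented) /bin/pam_tally2 --reset entry, and a variant of the article's sed command that only comments out lines that are not already commented, so that re-running it on every boot from local.sh does not keep prepending extra '#' characters. It assumes a POSIX sh with sed -i and mktemp (GNU or busybox); the crontab content it operates on is constructed sample data, not a copy of a real ESXi crontab, so it can be run safely on any workstation before being applied to a host.

```shell
#!/bin/sh
# Added example (not from the KB article): check an ESXi-style root crontab for an
# active "pam_tally2 --reset" entry and comment it out idempotently.
# Assumptions: POSIX sh, sed -i (GNU or busybox), mktemp. The crontab written by
# make_sample_crontab is constructed sample data, not a real ESXi crontab.

# Return 0 if FILE ($1) still has an uncommented line that runs /bin/pam_tally2 --reset.
has_active_reset_entry() {
    grep -q '^[^#].*/bin/pam_tally2 --reset' "$1"
}

# Comment out only the uncommented reset entries in FILE ($1). Unlike the article's
# sed expression, this does nothing on lines already starting with '#', so running
# it on every boot from /etc/rc.local.d/local.sh leaves exactly one leading '#'.
disable_reset_entry() {
    sed -i '/^[^#].*\/bin\/pam_tally2 --reset/s/^/#/' "$1"
}

# Print how many leading '#' characters the reset line in FILE ($1) carries.
# Used to demonstrate that disable_reset_entry is idempotent.
leading_hashes_on_reset_line() {
    grep '/bin/pam_tally2 --reset' "$1" | head -n 1 | sed 's/[^#].*$//' | awk '{ print length($0) }'
}

# Write a constructed sample crontab to FILE ($1). The entries are illustrative only.
make_sample_crontab() {
    cat > "$1" <<'EOF'
#min hour day mon dow command
1    1    *   *   *   /sbin/sample-housekeeping.sh
0    */6  *   *   *   /bin/pam_tally2 --reset
EOF
}

# Stand-alone demonstration on a temporary file.
demo() {
    tmp=$(mktemp) || return 1
    make_sample_crontab "$tmp"
    if has_active_reset_entry "$tmp"; then
        echo "before: active pam_tally2 --reset entry found"
    fi
    disable_reset_entry "$tmp"
    disable_reset_entry "$tmp"   # second run must not add another '#'
    if has_active_reset_entry "$tmp"; then
        echo "after: entry is STILL active"
    else
        echo "after: entry disabled, leading '#' count: $(leading_hashes_on_reset_line "$tmp")"
    fi
    rm -f "$tmp"
}

demo
```

On a real host the same functions would be pointed at /var/spool/cron/crontabs/root after the chmod +w from Step 1; has_active_reset_entry is also a convenient post-reboot check for Step 2 item 4, since a non-zero exit means the persistence block in local.sh did not take effect.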

Additional Information

Related article: Making cron jobs / entries persistent across reboots on an ESXi host
