I've been having a mysterious problem of being unable to log in to my root account via SSH or console. This is a real physical machine, not a VM. Luckily I still have a sudo user to experiment with.
RHEL6
$ su root from another user works fine, so the password is correct.
- Login via PuTTY SSH does not work. Returns: Access denied
- Login directly via keyboard also does not work. Returns: Incorrect login
My pam.d settings are set to lock accounts, and I can see the locked accounts with
$ sudo faillock --user root
If I enter the wrong password 3 times, my root will be blocked due to the PAM settings, and at that point $ su root will also stop working. So I reset my blocked account with:
$ sudo faillock --user root reset
Looking at $ sudo faillock --user root, I can see the denied accesses being logged as I make them.
Trying to connect via SSH or keyboard directly with the correct password also makes a log entry.
Anyway, my root account is locked somewhere and I don't know how to unlock it.
Some other settings:
$ sudo chage -l root
Last password change : Feb 14, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
# /etc/passwd
root:x:0:0:root:/root:/bin/bash
# /etc/shadow
root:$6$SALTSALT$HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_HASH_H:18306:0:99999:7:::
# /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
This was caused by 2 separate problems:
1. The file /etc/securetty was empty, so I added tty1 to it. (unix.stackexchange answer)
2. The file /etc/ssh/sshd_config had PermitRootLogin uncommented, so I commented it and restarted the sshd service.
I still do have a problem, since there is a service that is creating an empty /etc/securetty file if it does not exist, but I will try to track this down eventually.