Is your ESXi Root Account Locked?

You might be wondering why your ESXi root account gets locked. VMware has been tightening the security of ESXi with every version of vSphere.

When you try to log in to your ESXi root account with a wrong password you will be locked out, and while the lockout is active you are refused even with the correct password. You might wonder what is going on! You will probably get the error below:

"Remote access for ESXi local user account 'root' has been locked for n seconds after xxx failed login attempts."

But what does this really mean?

When you or someone else tries to connect as user root with a wrong password, and this happens often enough, you get the above error.

VMware supports account locking for access through SSH and the vSphere Web Services SDK, but it does not support lockout for the Direct Console User Interface (DCUI) or the ESXi Shell.

By default you are allowed 5 failed attempts, and the account is unlocked again after 15 minutes.

You can also configure the login behavior with these settings:

  • Security.AccountLockFailures. Maximum number of failed login attempts before a user’s account is locked. Zero disables account locking.
  • Security.AccountUnlockTime. Number of seconds that a user is locked out.

Note: Your access to the host via vSphere client or API calls is also prevented when the root account is locked out!

Now let’s fix the locked-out ESXi root account

First, log in to the DCUI using F2, then choose Troubleshooting Options.

Select “Disable ESXi Shell”; you will see the status change from Disabled to Enabled.

Next, select “Disable SSH” and make sure SSH is enabled; if it is not, enable it.

Finally, while you are still in the DCUI, press ALT+F1 and enter the user name root and its password to log in at the prompt.

To view the number of login failures that have occurred, use the command below:

pam_tally2 --user root

To unlock the account, enter the command below:

pam_tally2 --user root --reset

Now you can successfully log in as root using SSH. You can also return to the normal DCUI screen by pressing ALT+F2.
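
If root keeps getting locked again after a reset, some client is still retrying a wrong password. The following is an added example, not part of the original post, that counts failed root logins per source address and flags any source that reaches Security.AccountLockFailures on its own. The OpenSSH-style log line format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed OpenSSH-style failure line; adjust the pattern to your host's auth log.
FAILURE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: error: PAM: Authentication failure "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[2101]: error: PAM: Authentication failure for root from 192.0.2.23
2024-05-01T10:00:31Z sshd[2107]: error: PAM: Authentication failure for root from 192.0.2.23
2024-05-01T10:01:01Z sshd[2113]: error: PAM: Authentication failure for root from 192.0.2.23
2024-05-01T10:01:12Z sshd[2115]: Accepted keyboard-interactive/pam for root from 198.51.100.7 port 50122 ssh2
2024-05-01T10:01:31Z sshd[2119]: error: PAM: Authentication failure for root from 192.0.2.23
2024-05-01T10:02:01Z sshd[2125]: error: PAM: Authentication failure for root from 192.0.2.23
2024-05-01T10:02:40Z sshd[2131]: error: PAM: Authentication failure for root from 198.51.100.7
2024-05-01T10:03:02Z sshd[2140]: error: PAM: Authentication failure for monitor from 192.0.2.23
"""

def failed_logins_by_source(log_text, user="root"):
    """Return {source: [timestamps]} of failed logins for `user`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE.match(line.strip())
        if m and m.group("user") == user:
            failures[m.group("src")].append(m.group("ts"))
    return dict(failures)

def lockout_suspects(log_text, user="root", account_lock_failures=5):
    """Sources whose failures alone reach Security.AccountLockFailures."""
    if account_lock_failures == 0:  # zero disables account locking
        return []
    by_src = failed_logins_by_source(log_text, user)
    hits = [(src, len(ts), ts[0], ts[-1])
            for src, ts in by_src.items() if len(ts) >= account_lock_failures]
    return sorted(hits, key=lambda h: -h[1])  # noisiest source first

if __name__ == "__main__":
    for src, count, first, last in lockout_suspects(SAMPLE_LOG):
        print(f"{src}: {count} failed root logins between {first} and {last}")
```

A flagged source is usually a monitoring or backup system holding a stale root password; correct the stored credential there before resetting the counter again.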
