VMware Cloud Community
ehj52n
Contributor

ESXi: 6.0 - 'root' lock out caused by pam_tally with correct credentials

Dear all,

I am using the ESXi free edition version 6.0.0 (2494585) and once a week I have a problem with the vSphere client, which cannot connect to the ESXi host. I narrowed the problem down to the new feature that locks accounts using pam_tally in the case of failed logins.

The SSH port is protected by the ESXi host's own firewall, configured via host -> configuration -> Security profiles. There, I defined two IPs for SSH server and vSphere Web Client. Hence, I expect that only the configured IPs can connect to the server. In the auth.log I cannot see any IPs other than the allowed ones. The logins are caused by scripts that always use the same credentials, but every Friday the access is somehow blocked:

2015-10-30T09:39:35Z sshd[3067862]: pam_unix(sshd:session): session opened for user root by (uid=0)

2015-10-30T09:39:35Z sshd[3067861]: User 'root' running command 'some command'

2015-10-30T09:39:35Z sshd[3067862]: User 'root' running command 'some other command'

2015-10-30T09:39:35Z sshd[3067861]: Received disconnect from allowed IP: 11: disconnected by user

2015-10-30T09:39:35Z sshd[3067861]: pam_unix(sshd:session): session closed for user root

2015-10-30T09:39:35Z sshd[3067862]: Received disconnect from allowed IP: 11: disconnected by user

2015-10-30T09:39:35Z sshd[3067862]: pam_unix(sshd:session): session closed for user root

2015-10-30T09:44:34Z sshd[3069026]: Connection from allowed IP port 20228

2015-10-30T09:44:34Z sshd[3069027]: Connection from allowed IP port 20229

2015-10-30T09:44:34Z sshd[3069028]: pam_tally2(sshd:auth): user root (0) tally 117, deny 10

2015-10-30T09:44:34Z sshd[3069037]: pam_tally2(sshd:auth): user root (0) tally 118, deny 10

2015-10-30T09:44:36Z sshd[3069026]: error: PAM: Authentication failure for root from allowed IP

2015-10-30T09:44:36Z sshd[3069027]: error: PAM: Authentication failure for root from allowed IP

2015-10-30T09:44:36Z sshd[3069055]: pam_tally2(sshd:auth): user root (0) tally 120, deny 10

2015-10-30T09:44:36Z sshd[3069064]: pam_tally2(sshd:auth): user root (0) tally 121, deny 10

Do you have any idea what can cause this? I would like to add a dedicated user for each script to identify the cause. Can you tell me which privileges are required for a user to execute any shell script?

2 Replies
cfizz34vmware
Enthusiast

I keep seeing this and getting lockouts

2017-10-16T07:51:40Z ^T: pam_unix(openwsman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root

2017-10-16T07:51:43Z ^T: pam_tally2(openwsman:auth): user root (0) tally 7869, deny 5

2017-10-16T07:51:43Z addVob[1256326]: Could not expand environment variable HOME.

2017-10-16T07:51:43Z addVob[1256326]: Could not expand environment variable HOME.

2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.

2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.

2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.

Nick_Andreev
Expert

There are many protocol endpoints in vSphere that you can connect to; it's not limited to only SSH and Web Client.

If it happens on Friday, my guess is that maybe it has something to do with a backup solution connecting via vSphere APIs using wrong credentials?

---
If you found my answers helpful please consider marking them as helpful or correct.
VCIX-DCV, VCIX-NV, VCAP-CMA | vExpert '16, '17, '18
Blog: http://niktips.wordpress.com | Twitter: @nick_andreev_au
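
An added example, not part of the original thread or of any VMware tooling: a small Python script that groups the pam_tally2 and authentication-failure lines quoted in the posts above by PAM service, so the endpoint driving the tally (sshd versus openwsman here) and its logged source can be identified. The sample log is constructed from those excerpts with 192.0.2.10 standing in for "allowed IP", and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpts in this thread;
# 192.0.2.10 is a documentation address standing in for "allowed IP".
SAMPLE = """\
2015-10-30T09:44:34Z sshd[3069026]: Connection from 192.0.2.10 port 20228
2015-10-30T09:44:34Z sshd[3069028]: pam_tally2(sshd:auth): user root (0) tally 117, deny 10
2015-10-30T09:44:36Z sshd[3069026]: error: PAM: Authentication failure for root from 192.0.2.10
2015-10-30T09:44:36Z sshd[3069055]: pam_tally2(sshd:auth): user root (0) tally 120, deny 10
2017-10-16T07:51:40Z ^T: pam_unix(openwsman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
2017-10-16T07:51:43Z ^T: pam_tally2(openwsman:auth): user root (0) tally 7869, deny 5
"""

TALLY = re.compile(r"^(\S+) .*pam_tally2\(([^:)]+):auth\): user (\S+) \(\d+\) tally (\d+), deny (\d+)")
UNIX_FAIL = re.compile(r"pam_unix\(([^:)]+):auth\): authentication failure;.*\brhost=(\S*)\s+user=(\S+)")
SSHD_FAIL = re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for (\S+) from (\S+)")

def summarize(text):
    """Return {(pam_service, user): evidence} for every tally or failure line."""
    found = defaultdict(lambda: {"first": None, "last": None, "max_tally": 0,
                                 "deny": None, "sources": set()})
    for line in text.splitlines():
        if m := TALLY.search(line):
            ts, svc, user = m.group(1, 2, 3)
            e = found[(svc, user)]
            e["first"] = e["first"] or ts
            e["last"], e["deny"] = ts, int(m.group(5))
            e["max_tally"] = max(e["max_tally"], int(m.group(4)))
        elif m := UNIX_FAIL.search(line):
            svc, rhost, user = m.groups()
            found[(svc, user)]["sources"].add(rhost or "(rhost empty)")
        elif m := SSHD_FAIL.search(line):
            user, src = m.groups()
            found[("sshd", user)]["sources"].add(src)
    return dict(found)

def report(text):
    """One line per service/user; pam_tally2 denies once the tally exceeds deny."""
    lines = []
    for (svc, user), e in sorted(summarize(text).items()):
        locked = e["deny"] is not None and e["max_tally"] > e["deny"]
        lines.append(f"{svc:<10} {user:<6} max_tally={e['max_tally']} deny={e['deny']} "
                     f"{'LOCKED' if locked else 'ok'} {e['first']}..{e['last']} "
                     f"from {sorted(e['sources']) or ['(no failure line)']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Pass the text of the host's auth.log to `report()`; a service whose failures carry an empty rhost, as in the openwsman lines above, has to be traced from the client side.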