I have a single host that is managed by vCenter 6.5, and in vCenter there is a read-only AD user defined in the global permissions. The other 6.5 ESXis have a local user and I'm able to connect to them.
The problem is that I cannot connect with SSH or the web UI: "Cannot complete login due to an incorrect user name or password."; "A user attempted to log in with an unknown or invalid username".
I've tried re-adding user in vCenter, creating local one on host via web ui and powercli, still no luck.
I have to note that the vCenter-defined user's password doesn't meet the ESXi 6.5 complexity rules. I also tried setting "Security.PasswordQualityControl" to "retry=3 min=disabled,disabled,disabled,disabled,disabled" (it was the default) and got "a general system error occurred: Sorry, you've mistyped the password that was generated for you." while trying to create a local user on the host.
So how do I create a read-only user for monitoring?
waxcab Asking the question in the right community will help you to get a quicker answer.
Try posting the question under VMware vSphere™ Forum.
Are you sure you created the user correctly?
Log on to an ESXi host -> Manage -> Security & users -> Users -> Add user -> complete "Add a user"
When completed:
Host -> Actions -> Permissions -> Add user -> enter newly created user name -> select read-only from the right drop down menu -> optional: propagate to all children
Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Which user have you used to add the Host to vCenter? Does this Account work via SSH and Host Client?
I'm sure, I made exactly these steps as root, which can log in via SSH.
Try the following procedure:
- Set "Security.PasswordQualityControl" -> "retry=3 min=disabled,disabled,disabled,7,7" (example: ESXi Passwords and Account Lockout)
- Make sure Lockdown mode is not enabled
- Reset the password of the new user via SSH (passwd <your user>) as root
- Try login via SSH with the new user
Security.PasswordQualityControl is already set to retry=3 min=disabled,disabled,disabled,7,7
Lockdown mode disabled on host
I can see my user in host's permission as read-only
I set a new password for my user, but still can't log in, neither with SSH nor the web UI.
Open an SSH session as root and fire up this command:
tail -f /var/log/auth.log
Open a new SSH session and try to log in with the other user. What is the error shown in the first screen (the one with the tail command)?
Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
The account may be locked:
pam_tally2 --user root
[root@srv-hyp-4:~] tail -f /var/log/auth.log
2019-12-01T05:06:27Z sshd[1141668]: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd[1141668]: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd[1141670]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd[1141670]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd[1141668]: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd[1141672]: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd[1141672]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
[root@srv-hyp-4:~] pam_tally2 --user esximon
Login Failures Latest failure From
esximon 145 12/01/19 05:08:03 172.29.129.136
Web ui: "Remote access for ESXi local user account 'esximon' has been locked for 900 seconds after 145 failed login attempts."
I didn't disable zabbix monitoring for the host, but changed the username that it uses to "esximontest", so there are logs:
But there are no similar logs for "esximon" that I created on the host, so I don't know how it could reach 150 failed login attempts.
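The auth.log excerpt above shows two PAM modules reacting to one login: pam_access logs "access denied for user `esximon'" and pam_tally2 still adds the attempt to its counter ("tally 143, deny 5"), which is what the Host Client then reports as a 900-second lock. The script below is an added example, not code from the thread or from VMware, that turns that pattern into a per-user triage of the output of tail /var/log/auth.log. The sample lines are constructed to mirror the quoted ones (a second, constructed user esximontest from 172.29.129.140 is included to show the per-user split) and the function names sample_auth_log and summarize_auth_log are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage ESXi /var/log/auth.log for
# pam_access denials and pam_tally2 lockout counters, per user.
# On a host, as root: tail -n 500 /var/log/auth.log | summarize_auth_log

# Constructed sample, modelled on the lines quoted in the thread.
sample_auth_log() {
cat <<'EOF'
2019-12-01T05:06:27Z sshd[1141668]: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd[1141670]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd[1141670]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd[1141668]: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd[1141672]: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd[1141672]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:09:10Z sshd[1141690]: Connection from 172.29.129.140 port 40022
2019-12-01T05:09:10Z sshd[1141690]: pam_access(sshd:auth): access denied for user `esximontest' from `172.29.129.140'
2019-12-01T05:09:10Z sshd[1141690]: pam_tally2(sshd:auth): user esximontest (1001) tally 3, deny 5
EOF
}

# Summarize auth.log text read on stdin: one line per user with the number
# of pam_access denials, the source addresses seen in them, the highest
# pam_tally2 tally observed, the deny threshold, and LOCKED once the tally
# has reached that threshold.
summarize_auth_log() {
  awk -v q="'" '
    /pam_access\(sshd:auth\): access denied for user/ {
      u = $0; sub(/.*access denied for user `/, "", u); sub(q ".*", "", u)
      o = $0; sub(/.*from `/, "", o);                  sub(q ".*", "", o)
      denied[u]++; users[u] = 1
      if (index("," origins[u] ",", "," o ",") == 0)
        origins[u] = (origins[u] == "" ? o : origins[u] "," o)
    }
    /pam_tally2\(sshd:auth\): user / {
      u = $0; sub(/.*pam_tally2\(sshd:auth\): user /, "", u); sub(/ .*/, "", u)
      t = $0; sub(/.*tally /, "", t); sub(/,.*/, "", t)
      d = $0; sub(/.*deny /, "", d)
      users[u] = 1; deny[u] = d + 0
      if (t + 0 > tally[u] + 0) tally[u] = t + 0
    }
    END {
      for (u in users) {
        state = (deny[u] > 0 && tally[u] >= deny[u]) ? "LOCKED" : "ok"
        printf "%s access_denied=%d from=%s tally=%d deny=%d %s\n", u, denied[u], (origins[u] == "" ? "-" : origins[u]), tally[u], deny[u], state
      }
    }' | sort
}

# Demo on the constructed sample (prints two lines, one per user).
sample_auth_log | summarize_auth_log
```

Reading the summary side by side with the thread: the tally keeps climbing even though pam_access has already refused the user, so a pam_tally2 --reset on its own only clears the counter, and the next attempt is refused again while the access.conf rule stands.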
Please try to unlock your account and try again:
pam_tally2 --user esximon --reset
Is the user listed when doing:
cat /etc/security/access.conf
Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
pam_tally2 --user esximon --reset won't help, still can't login
cat /etc/security/access.conf
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL
I guess the clue is in the minus?
So I just edited /etc/security/access.conf to
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:esximon:ALL
-:ALL:ALL
and now esximon is able to login. I think the problem is solved but I still have some questions about the access.conf and its rules.
Good to read you fixed it, here is some reading on how access.conf works:
https://linux.die.net/man/5/access.conf
Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
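The rule that answers the poster's question about access.conf is first match wins: the file is scanned top to bottom, and the first line whose users field and origins field both match the login decides, with '+' granting and '-' denying. That is why a single "-:esximon:ALL" ahead of "-:ALL:ALL" locked esximon out while "+:root:ALL" kept root working. As an added illustration, not code from the thread or from VMware, the script below re-implements that evaluation for the subset of syntax the ESXi file uses, runs it against the before and after files quoted in the thread, and checks for the "autogenerated" header that a later reply reports at the top of the file. The function names are this example's own; the real pam_access also understands group names and network masks, which this toy evaluator does not.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): a toy evaluator for the
# first-match semantics of /etc/security/access.conf, plus a check for the
# "autogenerated" header. Function names are assumptions of this example.

# The file as the poster first found it (constructed copy of the quoted one,
# with the header line a later reply reports at the top).
esxi_access_conf_before() {
cat <<'EOF'
# This file is autogenerated and must not be edited.
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL
EOF
}

# The file after the poster flipped the esximon rule to '+'.
esxi_access_conf_after() {
cat <<'EOF'
# This file is autogenerated and must not be edited.
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:esximon:ALL
-:ALL:ALL
EOF
}

# access_check USER ORIGIN < access.conf
# Scans rules top to bottom; the first rule whose users field and origins
# field both match decides ('+' allows, '-' denies). Handles ALL, plain
# names and "ALL EXCEPT <names>"; group names and netmasks are not modelled.
# Prints the verdict and the deciding rule; exit 0 = allowed, 1 = denied,
# 2 = no rule matched (cannot happen while the file ends in -:ALL:ALL).
access_check() {
  awk -v user="$1" -v origin="$2" '
    function list_matches(list, name,    except, n, i, parts) {
      except = 0
      if (sub(/^ALL EXCEPT /, "", list)) except = 1
      if (list == "ALL") return !except
      n = split(list, parts, " ")
      for (i = 1; i <= n; i++) if (parts[i] == name) return !except
      return except
    }
    decided { next }                         # first match already found
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      if (split(line, f, ":") < 3) next      # needs perm:users:origins
      if (list_matches(f[2], user) && list_matches(f[3], origin)) {
        decided = 1
        verdict = (f[1] == "+") ? "ALLOW" : "DENY"
        printf "%s %s (rule %d: %s)\n", verdict, user, NR, line
      }
    }
    END {
      if (!decided) { printf "NOMATCH %s (no rule matched)\n", user; exit 2 }
      exit (verdict == "ALLOW") ? 0 : 1
    }'
}

# access_conf_is_managed < access.conf
# True when the file carries the "autogenerated" header, i.e. a hand edit is
# not expected to survive whatever regenerates it.
access_conf_is_managed() {
  grep -q '^# This file is autogenerated'
}

# Walk both files for the monitoring user, as the poster did by hand.
demo() {
  echo "before the edit:"; esxi_access_conf_before | access_check esximon 172.29.129.136 || true
  echo "after the edit:";  esxi_access_conf_after  | access_check esximon 172.29.129.136 || true
  if esxi_access_conf_after | access_conf_is_managed; then
    echo "note: file is marked autogenerated; a manual edit may be overwritten"
  fi
}
demo
```

On a host the same check is: access_check esximon <client-ip> < /etc/security/access.conf, run from a root SSH session. The exit code makes it usable from a monitoring probe, and the printed rule number tells you which line would have to change rather than leaving you to guess at the minus.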
Is this change persistent on ESXi?
I believe so. As long as the ESXi host is not AD joined there should be no reason for the file to change.
Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Hi,
I had the same problem as initially described here. I also changed /etc/security/access.conf but there is this line present at the very top:
# This file is autogenerated and must not be edited.
Therefore, my changes are always wiped out. How can I make this persistent? Which service/process is changing this file?
Thanks.