Unlocking the Root Account on Unified Access Gateway (UAG): A Step-by-Step Guide
Unified Access Gateway (UAG) is a critical component of many organizations' infrastructure, providing secure remote access to internal resources. One of the key security features of UAG concerns the root account: when you log in as root to the Unified Access Gateway console or over SSH, even with the correct username and password, you might see "Account is locked due to X failed logins".
There can be multiple reasons for the root account getting locked out. Below are a few common symptoms that I observed.
Typing a wrong password multiple times
Password has been forgotten / expired
In my previous document I explained, step by step, how to reset the root password; in this one we will walk through the process of unlocking the root account on Unified Access Gateway.
Steps to Unlock the Root account using GRUB
Confirming that the root account is locked
Restart the UAG or Photon OS virtual appliance from the vSphere or Hyper-V management console and press the "e" keyboard key as soon as you see the Photon OS splash screen which looks like this:
Photon OS Splash Screen - Press 'e' when you see this screen.
In the GNU GRUB edit menu, go to the line that starts with linux and remove the rest of the first line after root=$rootpartition (highlighted in the red box). Depending on console size, this line may wrap onto the second line because of its length. Then add a space, and then add the following code exactly as it appears below:
After you add this code, the GNU GRUB edit menu should look exactly like this:
Press the F10 key and at the command prompt enter "pam_tally2 --user root" to check the failed attempts.
To unlock the account, type "pam_tally2 --user root --reset". It will show you the same result as above but will also unlock the account.
Now, to confirm that the root account has been unlocked, retype the same command as before, "pam_tally2 --user root", to check the failed attempts. The count should be reset to 0.
Now let's change the password: type "passwd". If the password has been used previously, it will give a message that it has already been used and will ask you to re-enter the password. Enter a password that has not been used earlier.
Now reboot the appliance: reboot -f
Once the appliance has rebooted, you'll be able to log in to your UAG appliance with the new root password.
Now confirm that you are able to log in using the newly updated password.
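The pam_tally2 check, reset and re-check steps above, combined into one shell function that also prints the time and source of the last failed login before the reset erases them. This is an added example, not from the original post: the function names and the sample report are constructed here, and it assumes awk is available and that pam_tally2 prints its usual report columns.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the usual pam_tally2
# report layout: a header line, then "<login> <failures> <date> <time> <from>".

# tally_field USER FIELD: read `pam_tally2 --user USER` output on stdin and
# print one value: "failures", "latest" (date and time) or "from".
tally_field() {
    awk -v u="$1" -v f="$2" '
        NR > 1 && $1 == u {
            found = 1
            latest = (NF >= 4) ? $3 " " $4 : "-"
            src = (NF >= 5) ? $5 : "-"
            if (f == "failures") print $2
            else if (f == "latest") print latest
            else print src
        }
        END { if (!found) { if (f == "failures") print 0; else print "-" } }'
}

# unlock_account USER: log the evidence, reset the counter, verify it is 0.
unlock_account() {
    user=$1
    report=$(pam_tally2 --user "$user") || return 1
    failures=$(printf '%s\n' "$report" | tally_field "$user" failures)
    if [ "$failures" -eq 0 ]; then
        echo "$user: no failed logins recorded, nothing to reset"
        return 0
    fi
    # Record when and from where the last failure came before it is wiped.
    latest=$(printf '%s\n' "$report" | tally_field "$user" latest)
    origin=$(printf '%s\n' "$report" | tally_field "$user" from)
    echo "$user: $failures failed logins, latest $latest from $origin"
    pam_tally2 --user "$user" --reset >/dev/null || return 1
    after=$(pam_tally2 --user "$user" | tally_field "$user" failures)
    if [ "$after" -ne 0 ]; then
        echo "$user: counter still at $after after reset" >&2
        return 1
    fi
    echo "$user: counter reset to 0"
}

# Constructed sample report, used only to show the parser offline.
SAMPLE_REPORT='Login           Failures Latest failure     From
root                4    01/15/24 09:12:44  tty1'
printf '%s\n' "$SAMPLE_REPORT" | tally_field root from    # prints tty1
```

On the appliance, call `unlock_account root` from the root shell. A source you do not recognise in the printed line is worth checking against the authentication logs before you treat the lockout as a mistyped password.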
I will share more on the VMware UAG in my upcoming post, stay tuned …