This topic describes the causes of and solutions for the "Maximum amount of failed attempts was reached" error when you connect to a Linux ECS instance with an SSH client.
Problem description
When you connect to a Linux ECS instance with an SSH client, you receive the error message "Maximum amount of failed attempts was reached".
Cause
This issue occurs because multiple consecutive failed password attempts trigger the system's Pluggable Authentication Modules (PAM) security policy. This policy locks the user account and prevents remote connections to the ECS instance.
In Linux, the following three PAM configuration files are primarily related to SSH. If PAM authentication is configured to restrict remote connections, for example, with the settingauth required pam_tally2.so deny=3 unlock_time=50, it locks an account for 50 seconds after three consecutive failed login attempts by a regular or root user.
-
/etc/pam.d/login: The PAM configuration file for VNC. -
/etc/pam.d/sshd: The PAM configuration file for the SSH service. -
/etc/pam.d/system-auth: The system-wide PAM configuration file.
Solution
Select a solution based on whether the root user is locked.
The root user is not locked
This section shows how to comment out the PAM restriction in the system-wide PAM configuration file (/etc/pam.d/system-auth). A similar method applies to/etc/pam.d/sshd or/etc/pam.d/login.
-
Connect to the instance as the root user using VNC.
For more information, see Log on to a Linux instance by using a password.
-
Run the following command to check the PAM configuration file for authentication restrictions.
cat /etc/pam.d/system-authFor example, the following output indicates that if a regular user or the root user enters an incorrect password three consecutive times, the account is locked for 50 seconds.
auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so auth required pam_tally2.so deny=3 unlock_time=50 account required pam_unix.so no_pass_expiry account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so -
Modify the system-auth configuration file.
-
Run the following command to open the system-auth configuration file.
vim /etc/pam.d/system-auth -
Press
ito enter Insert mode. -
As needed, comment out, modify, or delete the configuration.
This example comments out the configuration.
auth required pam_tally2.so deny=3 unlock_time=50 # Original line: Locks the user account after three consecutive failed login attempts. The account is unlocked after 50 seconds. #auth required pam_tally2.so deny=3 unlock_time=50 # After commenting outNote-
This example uses the
pam_tally2module. Ifpam_tally2is not supported, you can use thepam_tallymodule. Settings can vary by PAM version. For specific usage, refer to the documentation for the relevant module. For more information, seeLinux PAM SAG. -
Both the
pam_tally2andpam_tallymodules can be used for account lockout policy control, butpam_tally2supports automatic unlocking after a specified time. -
even_deny_rootrestricts the root user. -
denysets the maximum number of consecutive failed login attempts for regular and root users before the user account is locked. -
unlock_timesets the automatic unlock duration in seconds for a locked regular user account. -
root_unlock_timesets the automatic unlock duration in seconds for a locked root user account.
-
-
-
Try to connect to the instance again. The issue is resolved if the connection is successful.
The root user is locked
-
Connect to the instance in single-user mode.
For more information, seeEnter single-user mode on a Linux instance.
-
Run the following commands to unlock the root user.
pam_tally2 -u root # Check the number of consecutive failed login attempts for the root user. pam_tally2 -u root -r # Clear the count of consecutive failed login attempts for the root user. authconfig --disableldap --update # Update the PAM security authentication records. -
Reboot the instance.
For more information, seeReboot an instance.
-
In the relevant PAM configuration file, comment out, modify, or delete the corresponding configuration.
For detailed steps, seeThe root user is not locked.
-
Try to connect to the instance again. The issue is resolved if the connection is successful.