Unlock a locked out account.

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
tjbenator
OpenVpn Newbie
Posts: 1
Joined: Mon Mar 18, 2013 10:55 pm

Unlock a locked out account.

Post by tjbenator » Mon Mar 18, 2013 11:01 pm

Been searching the web trying to figure out how to unlock an account. We are using PAM for authentication. I thought maybe it was locking the unix account but it isn't. How do I unlock an account to allow the user to login again.

Thanks,
Travis

alexb
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 05, 2012 10:30 am

Re: Unlock a locked out account.

Post by alexb » Fri May 17, 2013 1:10 pm

I've searched for this a few times now and haven't found any information on it.

There is nothing in the web ui that I can see, I suspect that restart openvpnas would fix it but that seems pretty hardcore.

We are also using PAM authentication but had the same issue when using Radius.

If anyone knows an elegant way of unlocking a user account that has failed too many password attempts that would be great to hear.

Thanks

Alex

alexb
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 05, 2012 10:30 am

Re: Unlock a locked out account.

Post by alexb » Fri May 24, 2013 2:41 pm

I haven't had chance to try this yet but I noticed this in the CLI readme file:
Ban a user from logging into the VPN or Web server
(doesn't affect a user who is already logged in -- for this,
use DisconnectUser below):

./sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

./sacli --user <USER> --key prop_deny --value false UserPropPut
I'm wondering if that would work to unlock an account immediately.
Will give that a go next time someone is locked out and let you know.

sthenral
OpenVpn Newbie
Posts: 2
Joined: Wed Sep 11, 2013 10:50 pm

Re: Unlock a locked out account.

Post by sthenral » Thu Nov 21, 2013 11:28 pm

Not worked... Any solution ...

def
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 16, 2014 2:23 pm

Re: Unlock a locked out account.

Post by def » Thu Jan 16, 2014 2:34 pm

I found that running "/etc/init.d/openvpnas restart" will reset all lockouts. I haven't found a way to do it for a specific user though.

ameenibrahim
OpenVpn Newbie
Posts: 1
Joined: Mon Jul 04, 2016 6:57 pm

Re: Unlock a locked out account.

Post by ameenibrahim » Mon Jul 04, 2016 6:58 pm

The easiest method I've found is to toggle the User Authentication method in the admin web portal.

1. Log into the webportal at "https://[your-url-or-ip]:943/admin"

2. Click on "General" under the "Authentication" section.

3. Change the authentication method.

Note: It doesn't matter what you change the authentication method to, just that you change the method. For example, I use an LDAP server. So I'll change the method to "Local".

4. Click "Save Settings", then click "Update Running Server".

5. Now immediately change the authentication method back to it's original setting.

6. Click "Save Settings", then click "Update Running Server".

At this point, all lockouts are now reset and previously locked out users can attempt to log in. In my experience, this trick does NOT affect currently logged in users. It will, however, affect anyone who tries to log in while you're performing this toggle. But seeing as how this toggle takes all of 10 seconds, I've never experienced someone trying to log in while I was performing this reset.

User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Unlock a locked out account.

Post by novaflash » Wed Jul 06, 2016 6:03 pm

There is no way to reset the lockout for a specific user, sorry.

If you have a user that is locked out now and you need a fast way to unlock the user, run this command in an SSH or console session on the Access Server. Note, this is one line, just copy and paste it. It will reset the lock out of all currently locked out users:

/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 1;/usr/local/openvpn_as/scripts/sacli start;sleep 2;/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 900;/usr/local/openvpn_as/scripts/sacli start

What this will do is simply set the lockout period to 1 second, then wait 2 seconds, and put it back to the default of 900 seconds.

If you run into the problem a lot consider simply changing the threshold for when lockout triggers.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

mbelcherit
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 24, 2017 4:56 pm

Re: Unlock a locked out account.

Post by mbelcherit » Tue Jan 24, 2017 4:57 pm

have to be sudo

cd /usr/local/openvpn_as/scripts/

./sacli -u username GoogleAuthRegen

User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Unlock a locked out account.

Post by novaflash » Tue Jan 24, 2017 5:03 pm

mbelcherit; that's something different than a password lockout, but okay, thanks for the contribution.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

Post Reply