If the root account gets locked out, you will not be able to access ESXi using SSH or the vSphere Web Client. Follow the procedure below to unlock the account.
Note that you will get an incorrect username/password error even though you are trying to log in with the correct username and password.
By default the ESXi 6.x password requirements for lockout behavior are:
- A maximum of ten failed attempts is allowed before the account is locked
- Password lockout is active on SSH and the vSphere Web Service SDK
- Password lockout is not active on the Direct Console Interface (DCUI) and the ESXi Shell
Steps to unlock the ESXi host account at the console
1. At the console, press CTRL+ALT+F2 to get to the ESXi shell. If a login prompt shows up, continue with step 3; otherwise continue with step 2.
2. Log in to the DCUI (to enable the ESXi Shell if not already done):
   - Log in with root and the correct password.
   - Go to Troubleshooting Options.
   - Select Enable ESXi Shell.
   - Press CTRL+ALT+F1.
3. At the ESXi shell, log in with root and the password.
Run the following command to show the number of failed attempts:
# pam_tally2 --user root
Run the following commands to unlock the root account:
# pam_tally2 --user root --reset
# reboot -f
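
An added example, not part of the original procedure: before resetting, it is worth reading the tally output, because the "From" column shows where the failed logins came from. The function names `tally_status` and `unlock_if_locked` are hypothetical, the sample output is constructed, and the script assumes the standard pam_tally2 column layout, an available `awk`, and that a count at or above the ten-attempt default means the account is locked.

```shell
#!/bin/sh
# Added example: interpret `pam_tally2 --user root` output before resetting.
# LOCK_THRESHOLD mirrors the ten-attempt default stated on this page.
LOCK_THRESHOLD=10

# Constructed sample of pam_tally2 output (date and address are made up).
SAMPLE_TALLY='Login           Failures Latest failure     From
root               12    01/15/24 09:41:07  192.0.2.50'

# tally_status: read pam_tally2 output on stdin and print
# "<user> <failures> <source|-> <LOCKED|ok>" for each account line.
# Optional first argument overrides the threshold.
tally_status() {
    awk -v max="${1:-$LOCK_THRESHOLD}" '
        NR == 1 && $1 == "Login" { next }      # skip the header row
        NF >= 2 && $2 ~ /^[0-9]+$/ {
            src = (NF >= 5) ? $5 : "-"         # "From" is empty when the count is 0
            state = ($2 + 0 >= max + 0) ? "LOCKED" : "ok"
            print $1, $2, src, state
        }'
}

# unlock_if_locked: hypothetical wrapper for use at the ESXi shell.
# Prints the status line (so the source can be noted) and resets the
# counter only when the tally indicates a lockout.
unlock_if_locked() {
    user=$1
    status=$(pam_tally2 --user "$user" | tally_status) || return 1
    echo "$status"
    case $status in
        *LOCKED) pam_tally2 --user "$user" --reset ;;
    esac
}

# Demo on the constructed sample; does not call pam_tally2.
printf '%s\n' "$SAMPLE_TALLY" | tally_status
```

If the source address is a monitoring or backup system using a stale password, correct that credential as well, or the counter will climb again after the reset.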