Purpose
To demonstrate a workaround for the condition below, in which TACACS users with admin privilege are blocked from accessing the shell:
User1@NV-WC1-cli> shell
This account is currently not available.
Details
The condition above mostly occurs, in the case of TACACS users, when any one of the TACACS users locks the “aaaadmin” account by entering the wrong password 10 times.
Note: when a user logs in to the CLI with their own username and then enters shell, the user name becomes aaaadmin; you always enter shell as aaaadmin when logging in via TACACS authentication.
If any TACACS user makes 10 or more unsuccessful password attempts while entering shell, the aaaadmin account is blacklisted/locked, and its entry in the /etc/passwd file is associated with “nologin”, as seen in the aaaadmin line below:
admin@NV-WC1:~$ sudo vi /etc/passwd
[sudo] password for admin:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
versa:x:1001:1000::/home/versa:/bin/bash
admin:x:1002:1000::/home/admin:/bin/bash
_ansible:x:999:999::/usr/local/home/_ansible:
sensu:x:998:998:Sensu Monitoring Framework:/opt/sensu:/bin/false
backupuser:x:1004:1000::/home/backupuser:/bin/bash
oper:x:1005:1000::/home/oper:/opt/versa/confd/bin/confd_cli
engg:x:1007:1000::/home/engg:/bin/bash
tss:x:104:110::/var/lib/tpm:/bin/false
strongswan:x:105:65534::/var/lib/strongswan:/usr/sbin/nologin
aaauser:x:1011:1000::/home/aaauser:/bin/rbash
aaaadmin:x:1012:1000::/home/aaaadmin:/usr/sbin/nologin
deploy:x:1013:1000::/home/deploy:/usr/sbin/nologin
Of course, you can only check this file by logging in as “admin”, the local user (you would have to disable TACACS to log in as the local user admin).
Solution
At this point, you cannot unlock the aaaadmin account using the command "request system unlock-user" shown below. Although it reports the status as “unlocked”, it does not change the aaaadmin user's entry in the /etc/passwd file, which stays associated with the “nologin” shell:
User1@NV-WC1-cli> request system unlock-user aaaadmin
status Unlocked
[ok][2020-06-05 09:37:56]
rdragomi@NV-WC1-FRA-cli> shell
This account is currently not available.
[error][2020-06-05 09:37:58]
This issue will be fixed in upcoming releases after 20.2.2 or 16.1R2S12.
For now, the only workaround is the following procedure:
Step 1: Disable TACACS authentication by deleting the TACACS configuration (either via the CLI (system/external-aaa) or via the template configuration in the Director GUI).
Step 2: Log in as “admin” using local user authentication.
Step 3: Enter shell as the admin user.
Step 4: Edit the /etc/passwd file and change the shell in the aaaadmin user's entry to “/bin/bash”:
aaaadmin:x:1012:1000::/home/aaaadmin:/bin/bash
Step 5: Re-enable TACACS authentication.
After the above change you should be able to log in to shell via the TACACS user.
To identify the user who caused the lockout of the aaaadmin account, check the syslog files in the /var/log directory: look for “Failed password” logs for the aaaadmin user and the CLI user who logged in just before those logs were generated.
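As an added example (not the article's own code), a small POSIX shell script that automates the two checks described above: whether aaaadmin's login shell in a passwd file is still nologin (the condition fixed in Step 4), and which CLI user logged in just before the “Failed password” entries for aaaadmin. The file paths, the sshd/confd log line formats and the sample users are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Both helpers take a file
# path, so they can be run against a copied /etc/passwd or /var/log/auth.log.
# The syslog line formats used below are constructed/assumed for the demo.

# Print the login shell recorded for a user in a passwd-format file.
passwd_shell() {                      # usage: passwd_shell <passwd-file> <user>
  awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed (exit 0) when the user's shell is nologin or false, i.e. locked out.
shell_locked() {                      # usage: shell_locked <passwd-file> <user>
  case "$(passwd_shell "$1" "$2")" in
    */nologin|*/false) return 0 ;;
    *)                 return 1 ;;
  esac
}

# For each "Failed password" line for the user, print the most recent CLI
# login seen before it (the TACACS user who likely caused the lockout) and
# report whether the 10-attempt lock threshold from the article was reached.
attribute_failures() {                # usage: attribute_failures <syslog-file> <user>
  awk -v u="$2" '
    /logged in via cli/ { last = $0 }
    $0 ~ ("Failed password for " u " ") {
      n++
      print "failure " n ": " $0
      print "  preceded by: " (last ? last : "<no cli login seen>")
    }
    END { printf "total failures: %d%s\n", n, (n >= 10 ? " (lock threshold reached)" : "") }
  ' "$1"
}

# Constructed sample data (not real logs) so the script runs stand-alone.
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    'admin:x:1002:1000::/home/admin:/bin/bash' \
    'aaaadmin:x:1012:1000::/home/aaaadmin:/usr/sbin/nologin' > "$d/passwd"
  printf '%s\n' \
    'Jun  5 09:20:01 NV-WC1 confd[800]: audit user: User1/0 logged in via cli from 10.0.0.5' \
    'Jun  5 09:25:10 NV-WC1 confd[800]: audit user: User2/0 logged in via cli from 10.0.0.6' \
    'Jun  5 09:26:02 NV-WC1 sshd[901]: Failed password for aaaadmin from 127.0.0.1 port 40000 ssh2' \
    'Jun  5 09:26:05 NV-WC1 sshd[902]: Failed password for aaaadmin from 127.0.0.1 port 40002 ssh2' > "$d/syslog"
  shell_locked "$d/passwd" aaaadmin && echo "aaaadmin shell is $(passwd_shell "$d/passwd" aaaadmin): locked"
  attribute_failures "$d/syslog" aaaadmin
  rm -rf "$d"
}
demo
```

Run it on the device as the local admin user against /etc/passwd and the syslog file in /var/log that holds the authentication messages, instead of the constructed files in demo.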