AHV/CentOS Root Lockout

You may find yourself locked out of interactive login on the root account of your AHV node. The good news is that, assuming you have access to your CVM, you should still be able to SSH into the node. Nutanix stores keys that allow SSH between the CVM and the host without a password. I recently used this technique to unlock the interactive login without waiting for the 30-minute lockout period to expire.


1. Connect via SSH to the CVM on the AHV node whose root account is locked out.

2. Inside your SSH session, connect to the AHV host. 192.168.5.1 will always reference the hypervisor from the CVM.

nutanix@cvm:~$ ssh root@192.168.5.1

3. Check the current fail lock table.

[root@ahv~]# faillock --user root

root:
When                Type  Source                                           Valid
2020-10-23 04:30:36 RHOST 172.13.41.152                                        V
2020-10-23 04:30:44 RHOST 172.13.41.152                                        V
2020-10-23 04:30:56 RHOST 172.13.41.152                                        V
Output from the faillock command

4. Unlock the AHV root account.

[root@ahv~]# faillock --user root --reset
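
Because `--reset` clears the recorded failures, it is worth capturing who caused the lockout before running step 4. The following is an added example, not part of the original post: it summarises the table from step 3 per source. The function names are hypothetical, the last sample row is constructed, and the handling of a blank Source column is an assumption.

```shell
#!/usr/bin/env bash
# Added example: summarise `faillock --user <name>` output per source.
# Output, one line per source: <source> <valid_failures> <first_seen> <last_seen>

summarize_faillock() {
  awk '
    # Data rows begin with a date; the "root:" and "When Type ..." lines do not.
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ && NF >= 4 {
      if ($NF != "V") next                 # count only records flagged valid
      src = (NF >= 5) ? $4 : "(none)"      # assumption: Source may be blank
      ts = $1 "T" $2
      if (!(src in count)) { first[src] = ts; order[++n] = src }
      count[src]++
      last[src] = ts
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        print s, count[s], first[s], last[s]
      }
    }'
}

# Sample input: the table shown above plus one constructed row (192.0.2.10)
# marked invalid, to show that such rows are not counted.
sample_faillock_output() {
  cat <<'EOF'
root:
When                Type  Source                                           Valid
2020-10-23 04:30:36 RHOST 172.13.41.152                                        V
2020-10-23 04:30:44 RHOST 172.13.41.152                                        V
2020-10-23 04:30:56 RHOST 172.13.41.152                                        V
2020-10-23 04:31:10 RHOST 192.0.2.10                                           I
EOF
}

sample_faillock_output | summarize_faillock
# On the host: faillock --user root | tee "faillock-root-$(date +%F).txt" | summarize_faillock
```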