Search guides

Fix a user that cannot log in

We'll check the account exists, password expiry, PAM, and SSH keys—or tell you when to escalate.

Troubleshooting · Servers & Linux
10–25 min
What you'll need
  • Root or sudo on the server
  • Console access if SSH is the only login method and it fails
Step 1 of 7

Quick triage — pick your path

Get started

Choose the option that matches what you see. You can jump straight to that section.

Show full guide

Steps

Goal: Confirm the account exists, rule out lock and expiry, then fix SSH keys or PAM.

  • Run getent passwd username and sudo chage -l username. If the account does not exist, create it. If locked, run sudo usermod -U username. If password expired, run sudo passwd username.
  • Good: Account exists and is not locked. Proceed to Check auth logs or Fix SSH keys.
  • Bad: Account missing or LDAP-managed—create or escalate.

Check account and lock status

Goal: Confirm the account exists and is not locked or expired.

  • Run getent passwd username and sudo chage -l username. Note lock status and password expiry.
  • Confirm you should see the account and that it is not locked or expired.

Check auth logs

Goal: Identify the exact failure reason from logs.

  • Run journalctl -u sshd -n 50 or grep "username" /var/log/auth.log. Look for “Failed password”, “Account locked”, “Permission denied”, or PAM errors.
  • Confirm you should see the failure reason in the log.

Fix SSH keys

Goal: Fix authorized_keys and permissions for SSH login.

  • Check ~username/.ssh is 700 and ~username/.ssh/authorized_keys is 600. Add the client public key if missing.
  • Confirm you should see the correct modes and the key in authorized_keys.

When to escalate

Gather getent passwd, chage -l, and auth log excerpts before escalating. Escalate if:

  • The account is in LDAP or Active Directory.
  • PAM or sshd config is managed by config management (Puppet, Ansible).
  • You cannot access the console to make changes.

Verification

  • The user can log in via SSH or console with the correct password or key.
  • chage -l username shows the account is not locked and password is not expired.
  • Auth logs show successful authentication.

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. Confirm account exists getent passwd; id username.
  2. Clear lock and password chage -l; usermod -U; passwd.
  3. Auth logs journalctl -u sshd; grep auth.log.
  4. SSH keys and PAM authorized_keys, permissions; check PAM.
  5. Escalate Provide getent, chage -l, auth log excerpts.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • getent passwd username
  • chage -l username
  • Auth log excerpts (journalctl or /var/log/auth.log)
  • Steps already tried

Does the account exist and is it locked?

Check getent passwd and chage -l.

Run `getent passwd username` and `sudo chage -l username`. Account missing: create with useradd. Locked: `sudo usermod -U username`. Password expired: `sudo passwd username`.

Yes No

You can change your answer later.

Fix account

Create account or clear the lock with usermod -U. Reset password with passwd if expired. Retry login.

Done

Is this SSH or console login?

SSH has key and config checks; console uses PAM directly.

SSH: Check ~/.ssh/authorized_keys, permissions (700 dir, 600 keys), sshd_config AllowUsers/DenyUsers. Console: Check PAM in /etc/pam.d/login and auth logs.

SSH Console

You can change your answer later.

Are SSH keys and permissions correct?

authorized_keys must have the client key; .ssh 700, authorized_keys 600.

Check `ls -la ~username/.ssh`. Fix with chmod 700 .ssh and 600 authorized_keys. Add the client public key to authorized_keys if missing.

Yes No

You can change your answer later.

Fix SSH keys

chmod 700 ~username/.ssh; chmod 600 ~username/.ssh/authorized_keys. Add client public key. Retry SSH.

Done

Does sshd_config AllowUsers/DenyUsers block this user?

grep AllowUsers DenyUsers /etc/ssh/sshd_config. If user is denied or not in AllowUsers list, edit and restart sshd.

Done

Is PAM blocking?

Check auth logs and /etc/pam.d/login.

Check journalctl or /var/log/auth.log for PAM errors. Review /etc/pam.d/login and /etc/pam.d/sshd. Fix pam_faillock or pam_tally2 if lockout is too aggressive.

Done

Reviewed by Blackbox Atlas

Frequently asked questions

Why would a user not be able to log in?
Account locked, password expired, wrong password, PAM blocking, SSH key missing or wrong permissions, or account disabled. Check getent, chage -l, and auth logs.
Can I fix login failures myself?
Yes. Clear the lock with usermod -U, reset password with passwd, fix SSH key permissions, add key to authorized_keys. Root or sudo access required.
When should I escalate login issues?
If PAM or sshd config is managed by config management, the account is in LDAP/AD, or you cannot access the console.

Rate this guide

Was this helpful?

Continue to