Troubleshooting
Problem
This document covers common login restriction errors, and what to look for if you see them. During an ssh login attempt, error messages are hidden, so you might only see them if running sshd in debug mode.
Where this document says to check a local file for a certain attribute, keep in mind that if the user you are checking is defined remotely (for example, through LDAP), the attribute could instead be stored in the remote user definition.
Diagnosing The Problem
The following is a list of login restriction errors, and what to check in relation to each:
"You are not allowed to login at this time."
Check for 'logintimes' settings in /etc/security/user - it may be set to a string that restricts logins to a certain time range (logintimes = 0-6:0900-1200), or it may be set to an invalid string (logintimes = -1 or logintimes = 0) that can't be properly parsed. If it is set to an invalid string, lsuser output will seem to indicate it is not set at all, so be sure to manually check /etc/security/user to see if it is set to an invalid value.
If logintimes is not intended to be set, it should be set to a blank string:
logintimes =
"This terminal can not be used at this time."
Check for 'logintimes' settings in /etc/security/login.cfg to see if it is set to a restrictive or invalid string.
"You entered an invalid login name or password."
This is a general authentication error. It could indicate a bad username and password combination, that the user's UID number cannot be determined, or an improper configuration or general failure of PAM, LDAP, Kerberos, or other authentication modules.
This could also indicate that 'maxulogs' is set for a user in /etc/security/user and they have exceeded their maximum allowed logins, or that a user's password stanza in /etc/passwd is set to '*'.
"Your account has been locked; please see the system administrator."
This could be caused by the user having 'account_locked = true' - check lsuser output or /etc/security/user.
Other possibilities -
If the user's hashed password (in /etc/security/passwd) is set to '*', it could cause this message.
If a user is remotely defined, the remote authentication method may respond to an authentication attempt saying that the account is locked due to its own internal method of locking an account - for example, if a user is defined on Windows AD and has its account disabled.
"Your account has expired; please see the system administrator."
Check to see if the 'expires' setting for a user is set to an already-expired MMDDmmhhYY format, or an invalid string. This can be checked in lsuser output or in /etc/security/user.
A similar error can be seen if PAM authentication is in use, and a module such as pam_ckfile, pam_prohibit, or pam_permission is used to deny access to the user.
"There have been too many unsuccessful login attempts; please see the system administrator."
A user's unsuccessful_login_count (/etc/security/lastlog) exceeds their loginretries (/etc/security/user). For a remotely-defined user, to regain access, ensure that the attribute is cleared both locally in lastlog as well as remotely - but not all remote modules will store this value, so it might only need to be done locally.
"Local logins are not allowed for this account."
A user has 'login = false' set in /etc/security/user.
"Remote logins are not allowed for this account."
A user has 'rlogin = false' set in /etc/security/user.
"You are not allowed to su to this account."
A user has 'su = false' set in /etc/security/user, or they have 'sugroups' set and the user attempting the su does not belong to one of the specified groups.
"You are not allowed to access the system via this terminal."
A user has 'ttys' set (/etc/security/user) to something that restricts their access.
"This terminal has been locked; please see the system administrator."
This error will be shown if a console login is being attempted, but logindisabled and logininterval are set in /etc/security/login.cfg and too many failed login attempts have occurred. The port can be unlocked with the command:
chsec -f /etc/security/portlog -s /dev/vty0 -a locktime=0
"All available login sessions are in use."
The number of login licenses - defined as maxlogins in /etc/security/login.cfg and displayed with the lslicense command - has been exceeded. Use the chlicense command to increase the value immediately, as well as have it persist after reboot:
chlicense -I -u 32767
"Root has been disabled; please login using alternate account."
The root user has been disabled with the setsecconf command.
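An added example (not part of the original IBM document): a POSIX sh/awk script that reads a stanza file in /etc/security/user format directly, rather than through lsuser, and prints each attribute that can produce one of the errors listed above. The function names and sample stanzas are constructed for illustration. It assumes 'ttys = ALL' and 'expires = 0' mean unrestricted, and it reports raw values for manual review rather than validating them.

```shell
# Added example: list attributes in an /etc/security/user style stanza file
# that can produce the login errors above. Names and sample data are constructed.
audit_user_stanzas() {   # usage: audit_user_stanzas [file]  (stdin if omitted)
    awk '
    function flag(msg) { printf "%s: %s = %s -> \"%s\"\n", user, attr, val, msg }
    /^[ \t]*\*/ || /^[ \t]*$/ { next }                   # comment or blank line
    /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); user = $0; next }  # stanza name
    {
        eq = index($0, "="); if (eq == 0) next
        attr = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", attr); gsub(/^[ \t]+|[ \t]+$/, "", val)
        # Any non-blank logintimes is reported raw: lsuser hides invalid values.
        if (attr == "logintimes" && val != "")
            flag("You are not allowed to login at this time.")
        else if (attr == "account_locked" && val == "true")
            flag("Your account has been locked; please see the system administrator.")
        else if (attr == "expires" && val != "" && val != "0")
            flag("Your account has expired; please see the system administrator.")
        else if (attr == "login" && val == "false")
            flag("Local logins are not allowed for this account.")
        else if (attr == "rlogin" && val == "false")
            flag("Remote logins are not allowed for this account.")
        else if (attr == "su" && val == "false")
            flag("You are not allowed to su to this account.")
        else if (attr == "ttys" && val != "" && val != "ALL")
            flag("You are not allowed to access the system via this terminal.")
    }' "${1:--}"
}

sample_user_file() {   # constructed sample, not taken from a real system
    cat <<'EOF'
* constructed sample stanzas
default:
    login = true
    ttys = ALL
    expires = 0
    logintimes =
alice:
    logintimes = -1
    rlogin = false
bob:
    account_locked = true
    expires = 0101000020
    ttys = /dev/pts/0
EOF
}
sample_user_file | audit_user_stanzas
```

On a live system, pass /etc/security/user as the argument. Remotely defined users (for example, through LDAP) may keep these attributes in the remote definition, so they will not appear in the local file.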
Document Location
Worldwide
Document Information
Modified date:
23 September 2025
UID
ibm17245949