Puppet Enterprise Console Lockpicking

Puppet Enterprise 3.1 introduced a new feature to the PE console: account lockouts. After 10 unsuccessful login attempts, console accounts will be locked out until this state is manually cleared by an admin.

Unlocking a user account is simple enough if you have another admin user handy. But what happens if your sole admin account is locked out?

You could create a new admin user, remove the lock on your existing account, then remove the new admin user. Or you can change the flag on the existing user in the database. To do the latter, you can follow these steps (Note: These instructions assume you're using a PE-installed Postgres database, as configured by the installer and PE modules]:

  1. On the host with the PE Postgres role backing your console, run
    sudo su pe-postgres -s /bin/bash -c "/opt/puppet/bin/psql console_auth" This will invoke the Postgres client and connect you to the console_auth database.



  2. Replacing user@domain.com with the correct username for the locked-out user you wish to unlock, run
    update authorized_users SET status='enabled',login_failure_count=0 WHERE username='user@domain.com'; on the psql prompt.



  3. Run \q to log out of the psql client and end your session as the pe-postgres user.

You should now be able to log into the console normally with the newly unlocked account!

Learn More

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.