Wednesday, January 19, 2011

AIX User Authentication Lockout

Hi Folks,

No one at work cares about this, so I'll tell the world here since I never found the answer during my 45-minute Googling session last night.

AIX, like any other system, has a lockout policy: a pre-determined number of unsuccessful logon attempts results in the account being denied access until an administrator unlocks the account and/or resets the number of failed logins.  Pretty straightforward and simple, huh?

The problem presents itself when that locked-out user tries to establish an SSH session to the box.  All they get is Access denied, and authentication fails.  Enter the administrator (me, last night).  SMIT showed that the account was not locked, and logins were enabled.  First thought: reset the password.  Okay - done.

Access denied.  Shit.

It is obvious that the user has locked himself out, but how do we know that for certain when SMIT says the account is not locked?  The user attributes showed the account lockout threshold was 5 unsuccessful attempts.  Under Solaris, the account unlocks when we reset the password.  Not AIX.

I ended up resetting the unsuccessful login count to 0 through SMIT and the user successfully logged in.  Problem solved, but where's my indicator for next time?  How can I tell that the threshold has been exceeded?

Even after the password reset, I tried su - username and finally got something other than Access denied: it told me that the maximum number of unsuccessful logon attempts had been exceeded.  There's a clue...

The user doesn't see that when they're trying to SSH to the box - sshd just says "No.  You go away."

Resetting the unsuccessful login count in SMIT showed me that the command is

chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s 'username'

It turns out that the count is kept in that file: /etc/security/lastlog.  There is a line under the user stanza with, you guessed it,

unsuccessful_login_count=n

If n is greater than the maximum number specified in the user attributes, SMIT still won't show TRUE for "Is Account LOCKED?"  The count just sits there in the file, and nothing in SMIT points you at it.
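Here is an added example (not from the original post) that supplies the missing indicator: a POSIX shell function that reads unsuccessful_login_count from the user's stanza in /etc/security/lastlog and compares it with the loginretries attribute in /etc/security/user (the user's own stanza, falling back to the default stanza), which is the threshold SMIT shows as the maximum number of unsuccessful attempts. The two AIX file paths and attribute names are real; the user names, counts and stanza contents below are constructed sample data so the script runs on any box.

```shell
#!/bin/sh
# Added example: report whether an AIX user has hit loginretries by comparing
# the unsuccessful_login_count stanza value (/etc/security/lastlog) with the
# effective loginretries (/etc/security/user). On a real AIX system call:
#   lockout_status bob /etc/security/lastlog /etc/security/user

# Print the value of attribute $3 in stanza $2 of AIX stanza file $1 (or nothing).
stanza_attr() {
    awk -v st="$2:" -v key="$3" '
        NF == 1 && $1 ~ /:$/ { cur = $1; next }      # stanza header "name:"
        cur == st { gsub(/[ \t]*=[ \t]*/, " = ")     # accept "k=v" and "k = v"
                    if ($1 == key && $2 == "=") { print $3; exit } }
    ' "$1"
}

# Effective loginretries for user $1 from user file $2: the user stanza
# overrides the default stanza; AIX treats 0 (or unset) as "no limit".
effective_retries() {
    r=$(stanza_attr "$2" "$1" loginretries)
    [ -z "$r" ] && r=$(stanza_attr "$2" default loginretries)
    echo "${r:-0}"
}

# Prints LOCKED when the failed-login count has reached loginretries, else OK.
lockout_status() {
    user=$1; lastlog=$2; userfile=$3
    count=$(stanza_attr "$lastlog" "$user" unsuccessful_login_count)
    count=${count:-0}
    retries=$(effective_retries "$user" "$userfile")
    if [ "$retries" -gt 0 ] && [ "$count" -ge "$retries" ]; then
        echo "LOCKED ($count failed logins, loginretries=$retries)"
    else
        echo "OK ($count failed logins, loginretries=$retries)"
    fi
}

# Constructed sample files standing in for /etc/security/lastlog and
# /etc/security/user (same stanza layout as the real files).
LASTLOG=$(mktemp); USERFILE=$(mktemp)
trap 'rm -f "$LASTLOG" "$USERFILE"' EXIT
printf 'bob:\n\ttime_last_login = 1295400000\n\tunsuccessful_login_count = 5\n\nalice:\n\tunsuccessful_login_count = 1\n' > "$LASTLOG"
printf 'default:\n\tloginretries = 5\n\nalice:\n\tloginretries = 3\n' > "$USERFILE"

lockout_status bob   "$LASTLOG" "$USERFILE"   # LOCKED (5 failed logins, loginretries=5)
lockout_status alice "$LASTLOG" "$USERFILE"   # OK (1 failed logins, loginretries=3)
```

On a live AIX system the same two values can also be listed directly with lsuser -a loginretries unsuccessful_login_count username, which is a quicker check before you reach for chsec.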

So just reset the unsuccessful login count whenever you reset a password.  Chances are you're getting a call to reset the password because they have tried too many times.

This was on AIX 5.3.