
Locked Out of Sudo on Arch Linux? Skip the 10 Minute Wait


This can happen if you've fat-fingered your password too many times. We'll go over how to reset the lock and how to configure the limits.


This post applies to Arch Linux, Fedora and other distros where pam_faillock is enabled out of the box. On most Debian based distros you'll first need to configure PAM to use pam_faillock; after that the rest of this post applies.

You might mistype your password a few times, or a sticking key on your keyboard might produce a bad password even though you thought you typed it correctly. Either way, after a few tries you might see this:

$ sudo whoami
[sudo] password for nick:
Sorry, try again.
[sudo] password for nick:
Sorry, try again.
[sudo] password for nick:
sudo: 3 incorrect password attempts

Then you re-run it, carefully enter your password, and it still says "Sorry, try again". sudo gives no hint that you're locked out or that you entered the correct password this time around, but you are currently locked out. This is a security feature, not a bug: pam_faillock is rate limiting password guesses against your account.

On a number of Linux distros the default is to lock you out for 10 minutes after 3 consecutive incorrect passwords.

If you’re locked out, you can confirm with:

# My user in the output below is "nick", yours will likely be different.
$ faillock --user $USER
nick:
When                Type  Source                                           Valid
2026-05-16 08:00:42 TTY   /dev/pts/30                                          V
2026-05-16 08:00:51 TTY   /dev/pts/30                                          V
2026-05-16 08:00:57 TTY   /dev/pts/30                                          V

The V can be confusing because it doesn't mean you used a valid password. It's the opposite: each row is an invalid password attempt, and V means that failure record is still valid (active) and counts toward your deny limit. A record that no longer counts is shown as I instead.

You have 3 options to unlock your user without waiting out the timer; any one of them will work:
  1. Switch to root with su, enter your root user's password successfully and run faillock --user $USER --reset. su authenticates the root account rather than your locked user, so your lockout doesn't block it, and afterwards your user is good to go immediately.
  2. Reboot, which clears your user's faillock file /var/run/faillock/nick ("nick" is my user, yours will likely be different) because /var/run is a tmpfs that doesn't survive a reboot.
  3. Technically you can switch to root with su and rm /var/run/faillock/$USER, which is comparable to the first option. The file is owned by root so you'll need to be root; otherwise the protection wouldn't be worth much if your regular user could delete its own lockout record.
    • Option 1 is preferred over this one since it uses the built-in tool to manipulate the file correctly instead of doing it by hand.

If none of those are practical (for example your root account has no password set), the remaining option is simply to wait out unlock_time, which is 10 minutes by default.

If you want to experiment, run cat /var/run/faillock/$USER after each unsuccessful password attempt. The file is binary (one fixed-size record per failure holding the source tty, a status flag and a timestamp), so cat prints the tty name followed by non-printable bytes; the trailing % is zsh marking output that doesn't end in a newline. You'll see it grow by one record per invalid attempt until you've hit your limit:

# After 1 time.
$ cat /var/run/faillock/$USER
/dev/pts/30jj%

# After 2 times.
$ cat /var/run/faillock/$USER
/dev/pts/30jj/dev/pts/30sj%

# After 3 times.
$ cat /var/run/faillock/$USER
/dev/pts/30jj/dev/pts/30sj/dev/pts/30yj%
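Because the tally file is binary, cat only shows the tty names. The following is an added example (not code from this post or from Linux-PAM) that parses the file the way faillock does, reproduces the `faillock --user` table and works out whether the user is currently locked under given deny/unlock_time/fail_interval values. It assumes the record layout of `struct tally` from Linux-PAM's faillock.h (a 52-byte source line, a 16-bit status, 2 bytes of padding and a 64-bit timestamp, 64 bytes per record in native byte order) and the status flag values from that header; the sample bytes are constructed inline so it runs without a real lockout.

```python
"""Parse a pam_faillock tally file (e.g. /var/run/faillock/nick) offline.

Added example for this post; not code from the post or from Linux-PAM.
Assumed layout (from Linux-PAM's faillock.h): each failure is one
`struct tally` of 64 bytes in native byte order: char fail_line[52],
uint16_t status, 2 bytes of padding, int64_t time. The status flag
values are assumed from the same header. Sample bytes are constructed.
"""
import struct
import time
from dataclasses import dataclass

TALLY_STATUS_VALID = 0x1   # record is active and counts toward `deny`
TALLY_STATUS_RHOST = 0x2   # source field is a remote host
TALLY_STATUS_TTY = 0x4     # source field is a tty

RECORD = struct.Struct("=52sH2xq")  # 52 + 2 + 2 pad + 8 = 64 bytes (assumed)


@dataclass
class Failure:
    source: str
    status: int
    when: int  # seconds since the epoch

    @property
    def valid(self) -> bool:
        return bool(self.status & TALLY_STATUS_VALID)

    @property
    def kind(self) -> str:
        if self.status & TALLY_STATUS_TTY:
            return "TTY"
        if self.status & TALLY_STATUS_RHOST:
            return "RHOST"
        return "?"


def make_record(source: str, status: int, when: int) -> bytes:
    """Build one 64-byte record; used here only to construct sample input."""
    return RECORD.pack(source.encode(), status, when)


def parse_tally(data: bytes) -> list[Failure]:
    """Split a tally file into records; a truncated file is an error, not a guess."""
    if len(data) % RECORD.size:
        raise ValueError(f"{len(data)} bytes is not a whole number of {RECORD.size}-byte records")
    failures = []
    for offset in range(0, len(data), RECORD.size):
        line, status, when = RECORD.unpack_from(data, offset)
        source = line.split(b"\0", 1)[0].decode("ascii", errors="replace")
        failures.append(Failure(source, status, when))
    return failures


def lock_state(failures, now, deny=3, unlock_time=600, fail_interval=900):
    """Mirror pam_faillock's decision: count VALID records newer than
    now - fail_interval; once that reaches `deny`, access is denied until
    the latest failure + unlock_time (unlock_time=0 means only a reset helps).
    Returns (locked, seconds_remaining); seconds_remaining is None for a permanent lock."""
    recent = [f for f in failures if f.valid and f.when > now - fail_interval]
    if len(recent) < deny:
        return False, 0
    if unlock_time == 0:
        return True, None
    remaining = max(f.when for f in recent) + unlock_time - now
    return remaining > 0, max(remaining, 0)


def render(user: str, failures) -> str:
    """Print the records like `faillock --user` does (column widths approximated)."""
    rows = [f"{user}:", f"{'When':<19} {'Type':<5} {'Source':<52} Valid"]
    for f in failures:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.when))
        rows.append(f"{stamp:<19} {f.kind:<5} {f.source:<52} {'V' if f.valid else 'I'}")
    return "\n".join(rows)


# Constructed sample: three bad sudo attempts from /dev/pts/30, 9 and 6 seconds apart.
SAMPLE_TIMES = (1_700_000_000, 1_700_000_009, 1_700_000_015)
SAMPLE_FILE = b"".join(
    make_record("/dev/pts/30", TALLY_STATUS_VALID | TALLY_STATUS_TTY, t) for t in SAMPLE_TIMES
)
SAMPLE_FAILURES = parse_tally(SAMPLE_FILE)

if __name__ == "__main__":
    # For a real file: parse_tally(open("/var/run/faillock/nick", "rb").read())
    print(render("nick", SAMPLE_FAILURES))
    print(lock_state(SAMPLE_FAILURES, now=SAMPLE_TIMES[-1] + 60))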

# Customize Lock Out Attempts and the Time

If you don't want the default settings (typically deny after 3 failures with a 10 minute lockout) you can change them in /etc/security/faillock.conf.

There are 3 settings worth noting here; I've pasted them from my default config:

# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# deny = 3

# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# unlock_time = 600
#
# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# even_deny_root
  • deny is how many consecutive invalid passwords you can enter (within fail_interval, 15 minutes by default) before getting locked
  • unlock_time is the number of seconds you'll stay locked out; 0 means you stay locked until someone runs faillock --reset
  • even_deny_root controls whether the root user itself is subject to these rules
    • This is normally not enabled so your root user never gets locked out, which is also what lets the su to root unlock option work while your own user is locked

There are quite a few other settings to tinker with too, such as fail_interval (the window over which failures are counted) and root_unlock_time; it's worth skimming the full file.

You don't need to reload or restart any services after modifying this config; pam_faillock reads faillock.conf every time it runs, so the next authentication picks up the new values.

# Keeping Your sudoers File in Sync

sudo itself has its own separate counter, passwd_tries, which defaults to 3 prompts per sudo invocation. It's independent of faillock, which counts failures across invocations, so if you change faillock's deny value it's a good idea to adjust your sudoers file too. It's not strictly necessary, but matching the two gives a more consistent experience: if passwd_tries were higher than deny, the extra prompts in a single sudo run would fail even with the correct password because faillock would already have locked you.

As the root user you can run visudo or create a new /etc/sudoers.d/99-password-retries file and add this line, replacing “3” with whatever value you used in the faillock config:

Defaults passwd_tries=3

If you used 5 for both, sudo will allow up to 5 incorrect password attempts in one prompt and faillock will lock you after the 5th.
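To keep the two numbers from drifting apart, here is an added example (not code from this post, Linux-PAM or sudo) that reads the effective values out of faillock.conf, ignoring the commented-out defaults, and installs a matching sudoers drop-in only after `visudo -cf` accepts it. It assumes the faillock.conf syntax shown above (`#` comments, `key = value` lines, bare words for flags), faillock's built-in defaults of deny=3, unlock_time=600 and fail_interval=900, that sudo reads /etc/sudoers.d and ignores file names ending in `~`, and that the install step is run as root; the config text inside it is constructed sample input.

```python
"""Derive the effective pam_faillock limits from faillock.conf and write a
sudoers drop-in that keeps sudo's passwd_tries equal to faillock's deny.

Added example for this post, not code from the post, Linux-PAM or sudo.
Assumptions: faillock.conf uses `#` comments and `key = value` lines with
bare words for flags; faillock's built-in defaults are deny=3,
unlock_time=600, fail_interval=900; sudo reads /etc/sudoers.d and skips
names ending in '~'; `visudo -cf FILE` syntax-checks a file; the install
step runs as root. SAMPLE_CONF is constructed sample input.
"""
import os
import subprocess
import tempfile
from pathlib import Path

FAILLOCK_DEFAULTS = {"deny": 3, "unlock_time": 600, "fail_interval": 900}


def parse_faillock_conf(text: str) -> dict:
    """Return only the *uncommented* settings. Lines such as `# deny = 3`
    are documentation of the defaults and must not be read as configuration."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else True  # bare word = flag
    return settings


def effective_limits(settings: dict) -> dict:
    """Apply faillock's built-in defaults for anything the file doesn't set."""
    limits = dict(FAILLOCK_DEFAULTS)
    for key in FAILLOCK_DEFAULTS:
        if key in settings:
            limits[key] = int(settings[key])
    limits["even_deny_root"] = settings.get("even_deny_root") is True
    return limits


def sudoers_dropin(deny: int) -> str:
    """sudo prompts up to passwd_tries times per invocation. Keep it equal to
    deny: with a larger value, the prompts after the deny-th failure would fail
    even with the correct password, because faillock has already locked the user."""
    return f"Defaults passwd_tries={deny}\n"


def write_dropin(content: str, path: Path) -> None:
    """Syntax-check with visudo, then install atomically with mode 0440.
    The temp name ends in '~', which sudo ignores inside sudoers.d, so a
    failed check never leaves a live, broken file behind."""
    with tempfile.NamedTemporaryFile("w", dir=path.parent, suffix="~", delete=False) as tmp:
        tmp.write(content)
    try:
        os.chmod(tmp.name, 0o440)
        subprocess.run(["visudo", "-cf", tmp.name], check=True)  # raises on a syntax error
        os.replace(tmp.name, path)
    except Exception:
        os.unlink(tmp.name)
        raise


# Constructed sample: defaults left commented out, deny raised to 5,
# unlock_time raised to 15 minutes, root made lockable too.
SAMPLE_CONF = """\
# deny = 3
deny = 5
# unlock_time = 600
unlock_time = 900   # 15 minutes
even_deny_root
"""

SAMPLE_LIMITS = effective_limits(parse_faillock_conf(SAMPLE_CONF))

if __name__ == "__main__":
    conf = Path("/etc/security/faillock.conf").read_text()
    limits = effective_limits(parse_faillock_conf(conf))
    print("effective faillock limits:", limits)
    write_dropin(sudoers_dropin(limits["deny"]), Path("/etc/sudoers.d/99-password-retries"))
```

Run it as root after editing faillock.conf; if `visudo -cf` rejects the generated file the temp copy is removed and the existing drop-in is left untouched.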

I personally use the defaults because I found it to be really rare to lock myself out but the above gets you going if you want to adjust it or unlock yourself without waiting.

The video below demos all of the above.

# Demo Video

Timestamps

  • 0:32 – Getting locked out
  • 1:10 – Check if you’re locked out
  • 1:48 – 2 ways to unlock yourself
  • 2:40 – Checking out the faillock file in /var/run
  • 3:39 – Configure the deny amount and duration of the lockout
  • 5:15 – Demo the newly configured values
  • 5:51 – Configure sudoers to be in sync with faillock

When was the last time you locked yourself out of using sudo? Let me know below.
