VMware ESXi: resetting the root password via vCenter


There isn’t really much more to add other than to urge you to get into the habit of saving your passwords using a reliable password manager. While unsupported by VMware, the procedure for resetting a default ESXi root password outlined today works every time, at least on but it should also work with older releases. I have not come across any side-effects when using this hack for ESXi root recovery, understandably so, considering we’re simply zeroing out a hash value from a password file. Ever lost your password and been frozen out of ESXi? What did you do? Let me know in the comments below. And if you need any help with resetting the ESXi root password, I’m happy to help out.

Forgetting passwords is something that unfortunately happens to everyone, and resetting the ESXi root password requires a bit of attention on your part. And that’s why password managers exist. No, it’s not OK to write them down on yellow sticky notes stuck to your monitor unless you want to give your security guys a heart attack. I guess, given this post’s title, you know where I’m going with this if you forgot your ESXi root password.

It’s 10 in the evening. You get a call and start troubleshooting right away. You figure that a management services restart will fix the issue. Your host is connected to a remote KVM switch, so you press F2 and type in the password. No dice. Maybe it’s a typo, maybe not. You try again and again, and end up locking yourself out because of a forgotten root password. You did save the ESXi password, but along the way you changed it and forgot to update it in your password manager. According to VMware, the only supported fix is to re-install ESXi unless you’re still running ESX, which is highly unlikely.

In today’s post, I’ll show you how you can use a Live Linux CD/DVD, to change the root password on your ESXi host. VMware does not support this method citing complexity, but I don’t buy this – there is nothing really complex about it. ESXi saves the root password encrypted in as is standard with Linux.

An invalid password typed in at the console


To cut a long story short, I found myself trying to log in as root on a test VCSA I had recently set up and, for the life of me, I could not recall the password. As luck would have it, I neither saved the password to KeePass nor wrote it down in the VM’s annotation field. So much for good habits!

Figure 1 - The Annotations / Notes fields as displayed in the vSphere traditional and Web clients


As I wasn’t particularly keen on reinstalling the appliance from scratch, I googled around to see if resetting a root password on VCSA can be done. Sure enough it can, hence today’s post! So, if you ever find yourself locked out of VCSA because you forgot the root password, read on!

Disclaimer: I tested the procedure on VCSA 6.0 U2 and VCSA 6.5. In theory, it should work on earlier releases but I do not have the time to test this out on every version released to date. Do so at your own risk and always back up the appliance before effecting any changes.


First, shut down the VCSA and take a snapshot.

1. Start the appliance up and press the space bar to freeze the GRUB menu. Note that you need to be somewhat quick here.

2. Press e to enable edit mode.

3. Append rw init=/bin/bash to the list of options as shown in Fig. 2.

Figure 2 - Setting the boot options in GRUB


4. Press F10 to reboot. The appliance will now boot up in bash or root shell.

5. Type passwd to change the root password. Type it twice and press Enter to confirm.

6. Optionally, you can unmount the file system using umount /

Figure 3 - Changing the root password and unmounting the file system


7. Reboot the appliance using the power options from the VMRC or vSphere client menu.

Figure 4 - Rebooting the appliance from VMRC or vSphere client


You should now be able to log in as root using the new password.

This method works for VMware vSphere 6.5 / 6.7 / 7.0.

The funniest part is that VMware says the only supported fix is to reinstall ESXi.

So, in response to entering the password you get: Authentication failed. Invalid login or password.

With some experience this can be done fairly quickly. First, power off the host. We will need the GParted LiveCD ISO image. Burn it to a disc or mount it through the server's management interface. Power the host on and boot from it.

Booting GParted LiveCD

We will now be working with the /dev/sda5 partition.

Disk partitions of the ESXi server in GParted, for resetting the root password

Now open a terminal and run the following commands:

sudo su
mkdir /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp
tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc

Running the commands to reset the root password on VMware ESXi

After that, open the shadow file that holds the passwords, for example with the vim editor, and use the Del key to delete what is in the first line between the first two colons (this is the password hash).

Then press :, then x, then Enter. This saves the changes to the file. Pack everything back up and reboot.

cd ..
tar -cf local.tgz etc/
tar -cf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot

As soon as the VMware ESXi server boots, you will be able to log in as root without a password. Set a password in the web interface or over SSH with the command passwd root.

Conclusion

In this post we looked at how to quickly reset the root password in VMware ESXi. There is really nothing more to add other than to urge you to get into the habit of saving your passwords in a reliable password manager. Let me know in the comments below if you need any help with the information above; I will be happy to help.





Sometimes you cannot log in to the ESXi management console for one reason or another because you do not have the current password. This can happen as a result of a system compromise, a system failure, a lost password, or when you inherit an ESXi host without documentation and proper administrative control. It is an unpleasant situation, and something has to be done about it. Perhaps not right away, but when something goes wrong and you need to intervene in a system that had been running normally until then. This guide was written for such cases.

There are several ways to reset the password. The one given in this article, however, is universal and works not only for 7.x versions but for earlier ones as well. It has been tested in practice and works in the overwhelming majority of cases. Let's begin.

First we need to boot from any Live CD. This can be an Ubuntu installation image or, as in our case, Finnix. It is a Debian-based distribution with extensive capabilities for diagnostics and disaster recovery.

After booting you will see the console prompt.

If your server is located remotely and you are connected to it over IP-KVM, working this way is not very convenient because of the console's high latency. To avoid putting up with that, you can bring up an SSH server. If this is not a problem for you, you can skip this step.

# set a root password for the live system
passwd
# start the SSH server
service ssh start

Next, you can connect to the server using your favorite SSH client or from the console:

Now we need to determine which disk contains the partition we need. To do that, first find out which disks we have.

Our main search criterion is a disk partition 250 MB in size. As we can see, the nvme0n1 disk contains such a partition; let's take a closer look at it:

fdisk -l /dev/nvme0n1


Our target is the partition that starts at sector 8224 and is 250 MB in size. It is the one that contains the data we need.

To continue, create two directories: one for mounting the disk and another for the data that needs to be edited.

mkdir /mnt/vmware && mkdir /tmp/vmware

Mount the partition we found:

mount /dev/nvme0n1p5 /mnt/vmware

There is a lot inside, but we need one specific file.

It needs to be unpacked into the directory created earlier:

tar -xf /mnt/vmware/state.tgz -C /tmp/vmware/
tar -xf /tmp/vmware/local.tgz -C /tmp/vmware/
rm /tmp/vmware/local.tgz

Now if we go to /tmp/vmware/ and look at its contents, we will find the familiar etc directory.

Next, edit the shadow file and remove the root password hash from it. After this manipulation, ESXi will think that the user's password is empty.

This must be done carefully: delete the content between the first and second colon.

Save the file with the F3 key. That completes the most critical part. Next, pack everything back up and put it back where we got it.

cd /tmp/vmware/
tar -czf local.tgz etc
tar -czf state.tgz local.tgz
mv state.tgz /mnt/vmware/

Unmount the ESXi disk and reboot.

After the reboot, log in to the ESXi web interface as root with an empty password and change it to the one you need using the standard tools in the upper-right menu.
That's it! Goal achieved! We recommend saving the new password and not losing it again!
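The shadow edit from the steps above (state.tgz, then local.tgz, then etc/shadow, emptying only the second field of the root line), written as a script. This is an added example, not part of the original article. It keeps a rollback copy of state.tgz, checks that the edit changed nothing but root's hash field, and lists the accounts left with an empty password field so you can confirm root is the only one before booting. The function names, the .bak suffix and the sample shadow lines are assumptions made up for this example.

```sh
#!/bin/sh
# Added example: scripted form of the manual shadow edit described above.
# Pass the path of a mounted bootbank's state.tgz, e.g. /mnt/vmware/state.tgz.

# List accounts whose password field (field 2 of shadow) is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the shadow file with only root's field 2 emptied; all else unchanged.
clear_root_hash() {
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' "$1"
}

# reset_root_in_state STATE_TGZ
reset_root_in_state() {
    state=$1
    [ -f "$state" ] || { echo "no such file: $state" >&2; return 1; }
    work=$(mktemp -d) || return 1
    cp -p "$state" "$state.bak" || return 1          # rollback copy
    tar -xf "$state" -C "$work" || return 1
    [ -f "$work/local.tgz" ] || { echo "no local.tgz inside $state" >&2; return 1; }
    tar -xf "$work/local.tgz" -C "$work" || return 1
    rm -f "$work/local.tgz" "$work/state.tgz"
    shadow=$work/etc/shadow
    grep -q '^root:' "$shadow" || { echo "no root entry in shadow" >&2; return 1; }
    clear_root_hash "$shadow" > "$work/shadow.new" || return 1
    # Sanity checks: same line count, and root keeps the same number of fields.
    [ "$(awk 'END { print NR }' "$shadow")" = \
      "$(awk 'END { print NR }' "$work/shadow.new")" ] || return 1
    [ "$(awk -F: '$1 == "root" { print NF }' "$shadow")" = \
      "$(awk -F: '$1 == "root" { print NF }' "$work/shadow.new")" ] || return 1
    cat "$work/shadow.new" > "$shadow"               # keep the file's own mode
    rm -f "$work/shadow.new"
    ( cd "$work" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz ) || return 1
    cp "$work/state.tgz" "$state" || return 1
    rm -rf "$work"
}

# Build a constructed state.tgz (not taken from a real host) under directory $1.
make_sample_state() {
    mkdir -p "$1/src/etc" || return 1
    printf '%s\n' \
        'root:$6$CONSTRUCTED$notARealHash:13358:0:99999:7:::' \
        'dcui:*:13358:0:99999:7:::' > "$1/src/etc/shadow"
    ( cd "$1/src" && tar -czf local.tgz etc && tar -czf ../state.tgz local.tgz )
}

# Run the whole thing against the constructed archive and show the result.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_state "$d" || return 1
    reset_root_in_state "$d/state.tgz" || return 1
    tar -xf "$d/state.tgz" -C "$d" && tar -xf "$d/local.tgz" -C "$d" || return 1
    cat "$d/etc/shadow"
    echo "accounts with empty password: $(empty_password_accounts "$d/etc/shadow")"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

After the host boots and a new root password is set, running empty_password_accounts against the host's /etc/shadow should print nothing.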

Recently I was assigned a VMware project, and while taking the handover I found that the ESXi root passwords were not properly documented for the VMware infrastructure. Luckily, 40% of the ESXi hosts were joined to the domain, and I was able to reset their passwords using the vSphere Web Client and PowerCLI with a few AD changes (group creation). For the remaining servers, which are not in the domain, there is a second way to reset the ESXi root password: vCenter host profiles. The only condition is that the ESXi server must be added to VMware vCenter Server.

VMware Host Profiles, accessible through VMware vCenter Server, are a kind of ESXi template. They let you create standard configurations for VMware ESXi hosts and automate compliance with those configurations, simplifying operational management of large-scale environments and reducing errors caused by misconfiguration.


To open the Host Profiles view in the VMware vSphere Web Client, click the Home icon, then under Operations and Policies choose Host Profiles.

My very first task is to create a standard profile from an existing host. In Host Profiles, on the Objects tab on the right side, click the green plus button (Extract profile from a host). On the Select Host page, click any one of the ESXi hosts, then click Next.

On the Name and Description page, enter a meaningful name and (optionally) a description for the profile. On the last page, Ready to complete, review the settings and finish the wizard.

If you are using ESXi version 6, its password modification information is stored under Security Configuration.

Here again, right-click the Reset_Root_Password host profile and click Attach/Detach Hosts and Clusters. On the Select Host/Clusters page, choose the cluster or ESXi server in the list and hit the Attach button; you will see the corresponding entity move from left to right. There are no configurable items on the Customize hosts page, so leave it unchecked; it says none of the hosts require additional customizations.


You can reach the same actions and wizard by selecting an ESXi host or cluster: right-click the server, select Host Profiles from the context menu, and you will see the same related menu. I will remediate the ESXi server from the Hosts and Clusters view.

Another wizard launches, with the ESXi host already selected for remediation. Review the remediation tasks that will be executed on the hosts below once the wizard is complete. To see if the selected hosts are ready for remediation and how it will affect them, use «Pre-check Remediation». The operation might take more than a minute. After you click the button, the State/Tasks column changes from Not checked to a green icon with Ready to remediate.


One thing to note from testing: this task, resetting the root password, doesn’t require a reboot, nor does the host need to be put into maintenance mode.

Rebooting Hosts: Some hosts might require a reboot to complete the remediation process. If you wish to manually reboot hosts at the end of the process deselect the checkbox.


Once you apply the host configuration, the Pre-check Remediation and all other tasks are listed in Recent Tasks, where you can confirm they were applied successfully, with no errors and without a reboot. To verify, I used PuTTY to SSH to the host and check that the newly reset password works.

Passwords are the things people tend to forget. Well, ESXi root passwords are no exception! Without the root password, you lose control over your hosts, so it’s good to know how to reset it. Resetting an ESXi host password is what I’m going to talk about in this article.

For this article, I use ESXi 6.7.0, 8169922, but everything I write here works well for ESXi 6.x or 5.x versions. Some methods to reset the passwords may be pretty risky. So, don’t blame me in case you mess things up.

Some theoretical findings

After thinking through some cases of how you guys lose passwords, I realized that these two scenarios are pretty common: you forgot the password but can still access the hosts via vCenter, or you lost the password for a standalone ESXi host and there’s no way to access it.

Well, the last one looks really tough. But, I’ll teach you today how to restore the password in both cases.

Changing the pass with vCenter

First, let’s look at how to change the password via the Flash-based vCenter Web Client. Note that the things I write here do not work in the HTML one! Also note that you need your ESXi edition to be not lower than Enterprise Plus.

In order to reset the password, you need to extract, edit, and upload Host Profile. Here’s how you do that.

Go to vCenter, and extract the host profile exactly how I do in the screenshot below.


While extracting, specify the host name and add some description if needed.


Check the entered information and press Finish.


In vCenter, navigate to the Home tab and go to Host Profiles there.


Right-click the Host Profile and edit its settings.


There, you can specify the new name and description if needed.


Once you are done with changing Name and host description, go to the Edit host profile tab itself. Actually, you can change a bunch of settings there, but let’s stick to the initial plan and change only root password, ok? To accomplish this task, type the new password and confirm it in the self-titled fields.


Congratulations, you have changed the password! Let’s add the host to the cluster now and apply the settings.


In the Attach/Detach Hosts and Clusters menu, select the host where you have changed the password. At this point, I’d like to mention that you can apply the changes to multiple hosts.


Right after adding the host, you can play around with the network settings, if you need it. Well, you can just click Finish to have the settings applied.


Next, you need to put the node in the maintenance mode, otherwise you won’t be able to apply any settings at all!


Confirm putting the selected host (or hosts, whatever) in maintenance mode. Note that you need to migrate your VMs unless you can shut them down for a while. In my case, there are no mission-critical VMs on the host, so I’ve just powered them off beforehand.


Now, go back to the Objects tab and, finally, implement the host settings. Right-click the Host Profile and press Remediate.


Select the required host.


Verify all the settings and check whether you can apply the changes at all. Press Finish.


After the host reboots, exit the maintenance mode.


Now, let’s check whether the password reset has run smoothly. For that purpose, log in to the ESXi node via the Web Console or the terminal using the new password.

Resetting the root password using Active Directory and vCenter

You can also change the password in vCenter using the Active Directory. You see, if you can add the ESXi host to the domain, you are able to use the domain credentials to access the node and reset the root password. Here’s how you do that.


Add the host with the forgotten password to the domain.


From now on, you can use the new root password! Don’t forget to leave the domain if you do not need the host to be in the domain anymore.

To apply the changes, reboot the host.

Note that changing the password with vCenter is pretty easy, but VMware does not recommend it for some reason after all.

Resetting root password on the standalone ESXi hosts

Now, as we know how to reset the password with vCenter, let’s look at some tough cases. Let’s say, you don’t have vCenter installed on the host. Once again, I do not want to re-install the server OS as VMware says. Seriously, that’s not fun! Let’s look at something more interesting instead. Well, let’s say, what about changing the password right on the node itself?

Before I start, I’d like to mention that you won’t be able to trick ESXi security and change the root password on the node without shutting it down. This means that you, like it or not, do need to shut down each VM from the inside! If you screw things up, you won’t be able to start VMs without ESXi re-installation.

Also, you need a boot CD image. I used Ubuntu GNOME in this article. You also need Rufus to write the boot CD image to the flash drive.

So, you need to boot from the flash disk, mount the required ESXi datastore, unpack the archive, and edit the file with passwords. Next, you upload the file back into the initial directory, and, after rebooting the host, you can access it without the password.

Editing the “shadow” file

What is “shadow”?

Here’s how the disk is formatted in ESXi 6.0 or higher:

Among all those volumes, we need only the /bootbank one as it keeps the ESXi archive. So “shadow” should be somewhere there.

Chasing the “shadow”

So, let’s boot the host from the flash disk first and start the terminal.

See through the disk names and find the one you need.

Well, it seems that we need that 250 MB /dev/sda5 partition. Create the mnt directory.

# mkdir /mnt/sda5

Create the directory for the temporary files now.

And mount the /dev/sda5 partition using the command below.

# mount /dev/sda5 /mnt/sda5

Now, look for that state.tgz archive I was talking about above.

# ls -l /mnt/sda5/state.tgz

Extract both state.tgz and local.tgz. Here are the commands you can use for that purpose:

# tar -xf /mnt/sda5/state.tgz -C /temp/

# tar -xf /temp/local.tgz -C /temp/

Once you are done with unpacking, get rid of those old archives with the command below:

Now, you are ready to do some magic with “shadow”. Open the file, edit it, and close it. As simple as that! To double-check the changes, open the file one more time.

To reset the password, just delete everything between the first two colons. Remember, everything is encrypted? That’s why passwords look that weird.

Next, go to the work directory.

Now, add the “shadow” back to the archive.

# tar -czf local.tgz etc

# tar -czf state.tgz local.tgz

Move the new archive to the initial directory.

Unmount the /sda5 disk with the command below:

And, eventually reboot the host.

Well, to make the stuff I’ve just written above more reader-friendly, here’re all commands you need to deploy step-by-step.


Now, select Configure Password, and type a new password in the self-titled field.

Ok, this time, please write the root password down, or just try not to forget it!

Replace one “shadow” with another

There’s another way to reset the ESXi root password using “shadow”. Actually, that’s nothing more than a variation of the method I described above.

So, another thing you can do to reset the ESXi password is just using another host’s “shadow” file! Yes, you can just copy the “shadow” file from another ESXi host with a known root password to one more flash disk. To get the file with passwords from another host, you need WinSCP. The nice thing is that you can retrieve that file from the host with the known ESXi root password without even shutting it down.

Next, open the terminal in Ubuntu GNOME and reset the password.

Now, let’s see what you have on the disk.

Create two temporary mount directories afterward.

# mount /dev/sda5 /mnt/sda5

# mount /dev/sdb1 /mnt/sdb1

Now, create the temporary directory for further work with archives.

Create the directory where you are going to keep the state.tgz copy just in case something goes wrong.

Find the necessary file in the archive.

# ls -l /mnt/sda5/state.tgz

Copy the archive.

# cp /mnt/sda5/state.tgz /mnt/sdb1/save

# ls -l /mnt/sdb1/save

Extract state.tgz using the command below:

# tar -xf /mnt/sda5/state.tgz -C /temp/

Find the temp file.

# ls -l /temp

# tar -xf /temp/local.tgz -C /temp/

Make sure that you extracted the /etc directory.

# ls -l /temp

Now, delete the local.tgz archive to ensure that it won’t be included in the new archive by accident.

Find “shadow” in the /etc directory.

# ls -l /temp/etc

# cp /mnt/sdb1/shadow /temp/etc


Check whether all changes have been applied.

Archive the /etc directory.

# tar -czf local.tgz etc

Check whether archiving has run smoothly.

# ls -l /temp/

Now, create the state.tgz archive.

# tar -czf state.tgz local.tgz

Again, check whether the archive has been created.

# ls -l /temp/

Move the archive to the working ESXi directory.

# mv state.tgz /mnt/sda5/

Check the result one more time.

# ls -l /mnt/sda5/

Unmount the sda5 partition.

Eventually, reboot the host.

Enjoy! If everything is done right, you can access the host with the known password. Well, to make everything more or less convenient here’s the entire set of commands I used for this method.


# cp /mnt/sdb1/save/state.tgz /mnt/sda5/

Conclusion


The GRUB Password


While carrying out research for this post, most of the info I came across stated that the GRUB password on VCSA is set to vmware by default unless the root password was changed via VAMI, in which case both the GRUB and root password are set to be the same. When I installed VCSA 6.0 U2 (version 6.0.0.20000-3634791) I found that this was not the case. The GRUB password was by default set the same as that for root. At no point during the vCSA installation do you get to set the GRUB password and you also cannot skip setting one for root.  So, I don’t know how and when the GRUB password is set to vmware. And yes, I’m positive that I did not change the root password using VAMI or otherwise.

Figure 9 - Setting the root password while installing VCSA 6.0 U2


Note: On VCSA 6.5 you’ll find that access to GRUB is not password protected much to the horror of the security folk!

Summary

This article introduced how to reset the VMware ESXi root password without reinstalling the ESXi host, which saves a lot of time. If your virtual machines cannot tolerate downtime while you reset the ESXi root password, migrate them first, and back up your VMware ESXi VMs as well.

How to reset VMware ESXi root password (2 ways)

  • Upgrade VMware ESXi.
  • vCenter goes haywire and is inaccessible and requires the local root account remains for authentication.

If you forget your password and don’t want to reinstall your ESXi hosts, what should you do? Remember to take a backup or snapshot before you start, to avoid data loss if the operation goes wrong.

Way 1. Reset ESXi root password via Host Profile

1. Login to the vCenter Web client.

2. Navigate to Home, and then choose Host Profiles >> Extract Host Profile.


3. In the Extract Host Profile menu wizard, enter a name and description for the selected Host Profile and click Next and then Finish to complete the capture of the host profile template.


4. Right-click the new Host Profile and choose Edit Settings.


5. In the wizard that opens, under Edit host profile, search for root, enter a new password and confirm it.

6. You have changed the password. Then right-click the Host Profile and select Attach/Detach Hosts and Clusters. Select the host for which you changed the password, and click Attach.

Tips: It’s possible to apply the changes to multiple ESXi hosts by hitting Attach All.

7. From the Action Menu, select Maintenance Mode >> Enter Maintenance Mode. During this period, the virtual machines need to be shut down, so make sure the downtime is acceptable.

8. From the Action Menu, select Remediate, then select host to remediate.


9. Check Host Compliance.

10. After the host reboots, exit the maintenance mode.

Way 2. Reset VMware root password by editing the “shadow” file

If you cannot use vCenter to reset your password, you can try another method: use a Live Linux CD/DVD/USB to reset the VMware root password. ESXi saves the root password encrypted in a password file located in /etc/shadow. I will remove the password hash, which is located in 2 partitions, so that a new password can be created in the DCUI console.

1. Download a live Linux CD/DVD, and I choose the Gparted LiveCD.

2. Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.


● Run these commands to get to the shadow password file.

mkdir /boot /temp

mount /dev/sda5 /boot

cd /boot

cp state.tgz /temp

cd /temp

tar -xf state.tgz

tar -xf local.tgz

● Then use vi to edit the shadow password file.


tar -cf local.tgz etc/

tar -cf state.tgz local.tgz

mv state.tgz /boot

Tips: Boot back into the Gparted Live media. We will be repeating steps 4 except we will be editing the /dev/sda6 partition rather than /dev/sda5. The only difference in this process is to change the command to mount the correct partition.

5. Remove the Gparted media and boot the ESXi host. Once the ESXi host has completed booting, log on as root from the DCUI console. You should be able to log in without typing in a password. Now you may reset a new password.

This method is not supported by VMware, but it works on various versions of ESXi. When resetting VMware root password, the most important thing is to make a VMware backup before performing this operation.

How to reset VMware ESXi 6.7 root password

Is there a way to reset forgotten root password on ESXi host 6.7? Per VMware, the only way is to reinstall ESXi on the host, but I would hate to migrate my VM’s to another host.

— Question from Spiceworks Community

According to VMware, reinstalling an ESXi host is the only supported method for resetting the VMware root password. However, starting with ESXi 4.1, the host profile feature was introduced. If the host is managed by vCenter and is still connected, you can reset the ESXi root password by taking advantage of the host profile feature.

Tips: For the host profile feature, you must have an Enterprise Plus license.

Protect VMware VM from data-loss

A reliable VM backup appliance is able to reduce operational errors and protect business from security threats. AOMEI Cyber Backup, a free backup software, provides you with the best VM backup practices and schedules virtual machine backup to secure your business continuously.

If your original virtual machine fails, you can achieve fast disaster recovery from any point. It restores the virtual machine to its previous state based on a few clicks without any complicated setup, which greatly reduces business downtime and financial losses.


*You can choose to install this VM backup software on either Windows or Linux system.

Free VM backup solution with AOMEI Cyber Backup

1. Download AOMEI Cyber Backup and add your host. Click Source Device > VMware > + Add VMware Device, then you can choose to Add vCenter or Standalone ESXi.

2. Click Backup Task >> Create New Task to create an insurance for your VMs.

✦ In the opened wizard, enter a task name and choose VMware ESXi Backup.

✦ On Device Name pane, select the host and virtual machines you want to backup.

✦ On Target pane, select a destination to store virtual machine files. It offers local or network location. You can connect external hard drive to VM to store the backup files such as a flash drive or USB hard drive, or backup VM to NAS.

✦ On Schedule pane, enable backup schedule plan. It offers flexible backup strategies such as full / incremental / differential backup to safeguard VMware data comprehensively. You can specify the backup time as daily / weekly / monthly, which will keep tracking the changed data and offers continuous protection.

✦ Click Start Backup.

3. Recovery: click Restore, then choose the restore content and target. If the original VM corrupts, you can restore the entire VM to the previous state including OS, configuration, application, personal data and system state.

✍ While the Free Edition covers most of the VM backup needs, you can also upgrade to enjoy:
Batch VM backup: batch backup large numbers of VMs managed by vCenter Server or on standalone ESXi hosts.
Backup Cleanup: Configure retention policy to auto delete the old backup files and save storage space.
Restore to new location: Easily make a clone of a virtual machine in the same or another datastore/host, without reinstalling or configuring a new VM.

AOMEI Cyber Backup always protects your virtual machines and business security with its efficient VMware backup solution. It also reduces business downtime and extra cost.

How it all works

First off, SSH to your host and have a look at . You should see something like this.

This is from a test ESXi host I use, so be my guest and try to reverse hash the password. Good luck with that. The string boxed in red is what we’re after. Deleting it will reset the password to null. Of course, if you can’t root to your host, there’s no way you can do this, hence why we use a live CD. Booting off a Linux Live CD/DVD allows us to access and change the file. The trick is knowing which file to change. Changing the one that’s accessible when SSH’ed to the host is of no use since the changes are overwritten once you boot up the host.

As you probably know, ESXi uses several disk partitions. One, in particular, is called This partition contains the hypervisor core files and the host’s configuration which is what ends up being loaded into memory. The partition, by default, is called /dev/sda5.

file we’re after is found in a compressed archive called which is found under . So, here’s what we need to do.

    • Download a Live Linux CD/DVD. Take your pick from this . I chose the Gparted LiveCD one.
    • Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.
    • to a temp folder.
    • and edit the shadow file.
    • Recompress the archive and overwrite
    • Unmount and reboot the host.

It is of utmost importance to note that you will not be able to ‘deceive’ ESXi’s security and change the node’s root password without powering it off. Meaning you need to evacuate the VMs to other hosts in the cluster or shut them down to place the host in maintenance mode.

For this post, in order to reset the ESXi root password, I’m using a nested host for convenience’s sake alone. And, yes, I carried out this same procedure a number of times on physical ESXi hosts. Note also, that the host must be powered down for this to work so unless migrated, all hosted VMs will obviously stop working.

Booting off the GParted LiveCD

– Locate the 2 partitions sized 250MB. As mentioned, is what we’re after assuming you installed ESXi on the first available disk. This may differ if, for instance, you installed ESXi on a USB device.

vSphere 6.x partitions layout

Note that the partition layout changed dramatically in vSphere 7 compared to vSphere 6.x. It is now consolidated in fewer partitions leveraging dynamic sizing and VMFS-L.

vSphere 6.x vs vSphere 7 partitions layout

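    mkdir /boot /temp        # mount point and working folder
    mount /dev/sda5 /boot    # the ESXi partition identified above
    cd /boot
    cp state.tgz /temp       # work on a copy, not the original
    cd /temp
    tar -xf state.tgz        # yields local.tgz
    tar -xf local.tgz        # yields etc/, which holds the shadow file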

The first batch of commands that need to be run to get to the shadow password file

use vi to edit the shadow password file

Delete the encrypted root password to reset it to null i.e. the root account will not have a set password

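    cd /temp                        # the folder that holds the edited etc/
    tar -czf local.tgz etc/         # -z recompresses; -cf alone writes a plain tar
    tar -czf state.tgz local.tgz
    mv state.tgz /boot              # overwrite the original archive
    umount /boot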

– Once the ESXi host is back online, try logging in as either from the DCUI (console) or via SSH using or similar. You should be able to log in without keying in a password although you will be reminded to set one which is what you should do.

How do I recover my root password?

Here’s a video demonstrating how to carry out the password recovery procedure from start to finish and reset the root password

Changing the root password and expiration settings


There will be times where you will not be able to log in as root despite being sure that you’re typing in the correct password. This will occur whenever the root password expires after the default password lifetime of 365 days. Additionally, it is very common to set the expiration period to 90 days or less to tighten up security. You can disable password expiry altogether but this is definitely not recommended.

The root password and expiry settings are easily managed using VAMI, which you access at https://<VCSA FQDN or IP>:5480. Figures 10-11 show the root account management pages for VCSA 6.0 U2 and 6.5 respectively.

Figure 10 – VCSA 6.0 U2: Root password and expiration settings in VAMI

Figure 10 – VCSA 6.5: Root password and expiration settings in VAMI

Alternatively, use the chage command from the ESXi shell as shown in Figure 11 which consists of a screen grab of the root settings in VAMI next to a screen grab of the VCSA VM’s console while in shell. Here’s a step by step explanation of the commands used.

1. chage -l root : Displays the account details for root which include the account and password expiry dates, the date at which the password was last changed, etc.

3. chage -M 30 root : Here I’ve used the chage command to set the password expiration period to 30 days from when the password was last changed.

4. Same as (1). You can see that the “Maximum number of days between password change” value – which is a bit misleading if you ask me – is now set to 30. The change is also reflected in the VAMI settings screens when it is refreshed.

Figure 11 – Changing the expiration period of an account using chage
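Both shadow fields this page touches, the hash that the live-CD procedure blanks and the maximum-age value that chage -M changes, can be checked with a short audit script. This is an added example, not code from the original post; the sample entries and the function names sample_shadow, audit_shadow and empty_accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format entries for empty password hashes
# and for a maximum password age above a policy limit.

# Constructed sample entries; the hash text is a placeholder, not a real hash.
sample_shadow() {
cat <<'EOF'
root::13358:0:99999:7:::
admin2:$6$CONSTRUCTED$NOTAREALHASH:18000:0:30:7:::
svc:*:13358:0:99999:7:::
EOF
}

# audit_shadow [limit]: reads shadow lines on stdin, prints one line per account:
#   <name> <EMPTY|LOCKED|SET> max_days=<field 5> <ok|over_limit>
# EMPTY  = hash field (2) is blank, so no password is needed to log in
# LOCKED = hash starts with * or !, so password login is disabled
# Field 5 is the maximum password age, the value that `chage -M` sets.
audit_shadow() {
  awk -F: -v limit="${1:-90}" '
    /^#/ || NF < 5 { next }
    {
      state = "SET"
      if ($2 == "") state = "EMPTY"
      else if ($2 ~ /^[*!]/) state = "LOCKED"
      age = "ok"
      if ($5 == "" || $5 + 0 > limit + 0) age = "over_limit"
      printf "%s %s max_days=%s %s\n", $1, state, ($5 == "" ? "none" : $5), age
    }'
}

# empty_accounts [limit]: names of accounts whose hash field is blank.
empty_accounts() {
  audit_shadow "$@" | awk '$2 == "EMPTY" { print $1 }'
}

# Demonstration on the constructed sample, with a 90-day policy limit.
sample_shadow | audit_shadow 90
```

Pointed at a real file (for example `audit_shadow 90 < /etc/shadow`), an EMPTY result for root means the reset was done but no new password has been set yet.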

This concludes today’s post. As always, make sure to take a snapshot or a backup of the appliance when committing these types of changes. This allows you to quickly revert to a working vCSA instance should you hit a dead end.

VCSA 6.0 Update 2


The process is very similar to the one for VCSA 6.5. First, shut down the VCSA and take a snapshot.

1. Press the space bar to freeze the GRUB menu.

2. Press p and type in the password to unlock the advanced features in GRUB (refer to The GRUB Password section further down).

Figure 5 – Accessing advanced features in GRUB

3. Press e to enable Edit mode

Figure 6 – Editing the boot up options in GRUB

5. Append init=/bin/bash to the kernel boot options

Figure 7 – Setting the VCSA to boot up as a root shell

7. Type in the passwd command. Type in the new password twice and press Enter to confirm.

Figure 8 – Changing the root password from a root shell

Here’s a second video illustrating the password change procedure on 6.0 U2.
