There isn’t really much more to add other than to urge you to get into the habit of saving your passwords in a reliable password manager. While unsupported by VMware, the procedure of resetting a default ESXi root password outlined today works every time, at least on but it should also work with older releases. I have not come across any side effects when using this hack for ESXi root recovery, understandably so, considering we’re simply zeroing out a hash value in a password file. Have you ever lost your password and been locked out of ESXi? What did you do? Let me know in the comments below. And if you need any help resetting an ESXi root password, I’m happy to help out.
Forgetting passwords is something that unfortunately happens to everyone, and resetting the ESXi root password requires a bit of attention on your part. That’s why password managers exist. No, it’s not OK to write passwords down on yellow sticky notes stuck to your monitor unless you want to give your security guys a heart attack. I guess, given this post’s title, you know where I’m going with this if you forgot your ESXi root password.
It’s 10 in the evening. You get a call and start troubleshooting right away. You figure that a management services restart will fix the issue. Your host is connected to a remote KVM switch, so you press F2 and type in the password. No dice. Maybe it’s a typo, maybe not. You try again and again, and end up locking yourself out because of a forgotten root password. You did save the ESXi password, but along the way you changed it and forgot to update it in your password manager. According to VMware, the only supported fix is to re-install ESXi, unless you’re still running ESX, which is highly unlikely.
In today’s post, I’ll show you how you can use a Live Linux CD/DVD to change the root password on your ESXi host. VMware does not support this method, citing complexity, but I don’t buy this – there is nothing really complex about it. ESXi saves the root password encrypted in as is standard with Linux.
An invalid password typed in at the console
To cut a long story short, I found myself trying to log in as root on a test VCSA I had recently set up and, for the life of me, I could not recall the password. As luck would have it, I neither saved the password to KeePass nor did I write it down in VM’s annotation field. So much for good habits!
Figure 1 – The Annotations / Notes fields as displayed in the vSphere traditional and Web clients
As I wasn’t particularly keen on reinstalling the appliance from scratch, I googled around to see if resetting a root password on vCSA can be done. Surely enough it can, hence today’s post! So, if you ever found yourself locked out of VCSA because you forgot the root password, read on!
Disclaimer: I tested the procedure on VCSA 6.0 U2 and VCSA 6.5. In theory, it should work on earlier releases but I do not have the time to test this out on every version released to date. Do so at your own risk and always back up the appliance before effecting any changes.
First, shut down the VCSA and take a snapshot.
1. Start the appliance up and press the space bar to freeze the GRUB menu. Note that you need to be somewhat quick here.
2. Press e to enable edit mode.
3. Append rw init=/bin/bash to the list of options as shown in Fig. 2.
Figure 2 – Setting the boot options in GRUB
4. Press F10 to reboot. The appliance will now boot up in bash or root shell.
5. Type passwd to change the root password. Type it twice and press Enter to confirm.
6. Optionally, you can unmount the file system using umount /
Figure 3 – Changing the root password and unmounting the file system
7. Reboot the appliance using the power options from the VMRC or vSphere client menu.
Figure 4 – Rebooting the appliance from VMRC
You should now be able to log in with root using the new password as shown in this next video.
This method works for VMware vSphere 6.5 / 6.7 / 7.0.
The funny part is that VMware says the only supported fix is to reinstall ESXi.
So, in response to entering the password, you get: Authentication failed. Invalid login or password.
With some experience this is done fairly quickly. First, power off the host. We will need the GParted LiveCD ISO image. Burn it to a disc or mount it through the server's management interface. Power on and boot from it.
We will now be working with the /dev/sda5 partition.
Now open a terminal and run the following commands:
sudo su
mkdir /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp
tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc
After that, open the shadow file containing the passwords, for example with the vim editor. Using the Del key, delete what is between the first two colons on the first line (that is the password). The result will look something like the screenshot below.
Then press :, then x, then Enter. This saves the changes to the file. Put everything back together and reboot.
cd ..
tar -cf local.tgz etc/
tar -cf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot
As soon as the VMware ESXi server boots, you will be able to log in as root without a password. Set a password in the web interface or over SSH with the command passwd root.
Conclusion
In this post we looked at how to quickly reset the root password in VMware ESXi. There isn't really much more to add other than to urge you to get into the habit of saving your passwords in a reliable password manager. Let me know in the comments below if you need any help with the above information; I will be happy to help.
Sometimes situations arise in which, for one reason or another, it is not possible to log in to the ESXi management console because the current password is not available. This can happen as a result of a system compromise, a system failure, a lost password, or when you inherit an ESXi host without documentation and proper administrative control. It is an unpleasant situation and something will have to be done about it. Perhaps not right away, but when something goes wrong and you need to intervene in a system that has been working normally until now. This guide was written for such cases.
There are several ways to reset the password. However, the one described in this article is universal and works not only for 7.x versions but for earlier ones as well. It has been tried in practice and works in the overwhelming majority of cases. So let's begin.
First we need to boot from any Live CD. This can be an Ubuntu installation image or, as in our case, Finnix. It is a Debian-based distribution with extensive capabilities for diagnostics and disaster recovery.
After booting you will see the console prompt:
If your server is located remotely and you are connected to it over IP-KVM, working this way is not very convenient because of the high console latency. To avoid putting up with that, you can bring up an SSH server. If this is not a problem for you, you can skip this step.
# set a root password for the live system
passwd
# bring up the SSH server
service ssh start
Next you can connect to the server using your favourite SSH client or from the console:
Now we need to determine which disk contains the partition we need. To do that, first find out which disks we have.
Our main search criterion is a disk partition 250 MB in size. As we can see, the disk nvme0n1 contains such a partition, so let's take a closer look at it:
fdisk -l /dev/nvme0n1
Our target is the partition that starts at sector 8224 and is 250 MB in size. It is the one that contains the data we need.
To continue, create two directories: one for mounting the disk and a second for the data that needs to be edited.
mkdir /mnt/vmware && mkdir /tmp/vmware
Mount the partition we found
mount /dev/nvme0n1p5 /mnt/vmware
There is a lot of stuff inside, but we need one specific file
It needs to be unpacked into the directory created earlier
tar -xf /mnt/vmware/state.tgz -C /tmp/vmware/
tar -xf /tmp/vmware/local.tgz -C /tmp/vmware/
rm /tmp/vmware/local.tgz
Now if we change to /tmp/vmware/ and look at its contents, we will find the familiar etc directory there.
Next we need to edit the shadow file and remove the root password hash from it. After this manipulation, ESXi will consider the user's password to be empty.
This must be done carefully. Delete the contents between the first and second colon
and it should end up like this
Save the file with the F3 key. That completes the most critical part. Next, pack everything up and put it back where we got it.
cd /tmp/vmware/
tar -czf local.tgz etc
tar -czf state.tgz local.tgz
mv state.tgz /mnt/vmware/
Unmount the ESXi disk and reboot.
After the reboot, log in to the ESXi web interface as root with an empty password and change it to the one you want using the standard tools in the top right menu.
That's it! Goal achieved! We recommend saving the new password and not losing it again!
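The unpack, edit and repack steps above, as an added Python example (not code from the original article): it empties only the second field of root's line in etc/shadow inside local.tgz inside state.tgz, and reports the state of every account's password field so that an empty root password left behind after a reset is easy to spot. The sample archive and its hash are constructed placeholders, the function names are this example's own, and it assumes Python 3 is available on the live system.

```python
import io
import tarfile

def norm(name):  # member names may carry a leading "./"
    return name[2:] if name.startswith("./") else name

def read_member(tgz_bytes, wanted):
    """Return one file's bytes from a tar archive (gzip or plain, auto-detected)."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and norm(member.name) == wanted:
                return tar.extractfile(member).read()
    raise KeyError(wanted + " not found in archive")

def replace_member(tgz_bytes, wanted, new_data):
    """Copy an archive, swapping one file's content and keeping all other members."""
    out = io.BytesIO()
    found = False
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)          # directories, links: header only
                continue
            data = src.extractfile(member).read()
            if norm(member.name) == wanted:
                data, found = new_data, True
                member.size = len(data)      # owner, mode and mtime stay as they were
            dst.addfile(member, io.BytesIO(data))
    if not found:
        raise KeyError(wanted + " not found in archive")
    return out.getvalue()

def classify(field):
    """Describe the second field of a shadow line."""
    if field == "":
        return "EMPTY"                       # login needs no password
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        return "hashed ($%s$)" % field.split("$")[1]
    return "other"

def blank_root_hash(shadow_text):
    """Empty only the password field of root's line; every other byte is kept."""
    lines = shadow_text.splitlines(keepends=True)
    hits = 0
    for i, line in enumerate(lines):
        fields = line.split(":")
        if fields[0] == "root" and len(fields) >= 2:
            fields[1] = ""
            lines[i] = ":".join(fields)
            hits += 1
    if hits != 1:
        raise ValueError("expected exactly one root entry, found %d" % hits)
    return "".join(lines)

def audit_state(state_bytes):
    """Map each account in state.tgz -> local.tgz -> etc/shadow to its field status."""
    shadow = read_member(read_member(state_bytes, "local.tgz"), "etc/shadow").decode()
    return {f[0]: classify(f[1])
            for f in (line.split(":") for line in shadow.splitlines()) if len(f) >= 2}

def reset_root(state_bytes):
    """Return a new state.tgz whose root entry has an empty password field."""
    local = read_member(state_bytes, "local.tgz")
    shadow = read_member(local, "etc/shadow").decode()
    local = replace_member(local, "etc/shadow", blank_root_hash(shadow).encode())
    return replace_member(state_bytes, "local.tgz", local)

def make_tgz(files):
    """Build a small gzip tar from {name: bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o600
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_state():
    """Constructed sample: placeholder hash, not taken from any real host."""
    shadow = (b"root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13358:0:99999:7:::\n"
              b"nobody:*:13358:0:99999:7:::\n"
              b"dcui:*:13358:0:99999:7:::\n")
    local = make_tgz({"etc/shadow": shadow, "etc/hosts": b"127.0.0.1 localhost\n"})
    return make_tgz({"local.tgz": local})

if __name__ == "__main__":
    state = build_sample_state()
    print(audit_state(state), "->", audit_state(reset_root(state)))
```

Running audit_state on a copy of state.tgz taken after the new password has been set should no longer report EMPTY for root.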
Recently I was assigned a VMware project. While taking the handover, I found that the ESXi root passwords were not documented properly for the VMware infrastructure. Luckily, 40% of the ESXi hosts were joined to the domain, and I was able to reset their passwords as described in "Reset forgotten ESXi root password on Domain joined Esxi using vSphere web client and Powercli", with a few AD changes (group creation). Next came the remaining servers, which are not in the domain. There is a second way to reset the ESXi root password, using vCenter host profiles; the only condition is that the ESXi server must be added to VMware vCenter Server (see "POWERCLI — CREATE DATACENTER AND ADD ESXI HOST IN VCENTER").
VMware Host Profiles, accessible through VMware vCenter Server, are a kind of ESXi template. They let you create standard configurations for VMware ESXi hosts and automate compliance with those configurations, which streamlines operational management of large environments and reduces faults caused by misconfiguration.
To open the host profile view in the VMware vSphere Web Client, click the home icon and, under Operations and Policies, choose Host Profiles.
My very first task is to create a standard profile from an existing host. In Host Profiles, on the Objects tab on the right side, click the green plus button (Extract profile from a host). On the Select Host page, click any one ESXi host, then click Next.
On the Name and Description page, enter a meaningful name and an optional description for the profile. On the last page, Ready to complete, review the settings and finish the wizard.
If you are using ESXi version 6, its password modification information is stored under Security Configuration.
Here again, right-click the Reset_Root_Password host profile and click Attach/Detach Hosts and Clusters. On the Select Host/Clusters page, choose the cluster or ESXi server in the list and hit the Attach button; you will see the corresponding entity move from left to right. There are no configurable items on the Customize hosts page; leave it unchecked. It says none of the hosts require additional customizations.
You can reach the same actions and wizard by selecting an ESXi host or cluster: right-click the server, select Host Profiles from the context menu, and you will see the same related menu. I will remediate the ESXi server from the Hosts and Clusters view.
Another wizard launches, and here the ESXi host is already selected for remediation. Review the remediation tasks that will be executed on the hosts below once the wizard is complete. To see if the selected hosts are ready for remediation and how it will affect them use «Pre-check Remediation». The operation might take more than a minute. After you click the button, State/Tasks changes from Not checked to a green icon with Ready to remediate.
One thing to note from testing: this task of resetting the root password doesn’t require a reboot, and the host does not need to be put into maintenance mode.
Rebooting Hosts: Some hosts might require a reboot to complete the remediation process. If you wish to manually reboot hosts at the end of the process deselect the checkbox.
Once you apply the host configuration, the Pre-check Remediation and all other tasks are listed in Recent Tasks and can be viewed; they were applied successfully with no errors and without a reboot. To verify, I used PuTTY to SSH in and check that the newly reset password works.
Passwords are the things people tend to forget. Well, ESXi root passwords are no exception! Without the root password, you lose control over your hosts, so it’s good to know how to reset it. Resetting an ESXi host password is what I’m going to talk about in this article.
For this article, I use ESXi 6.7.0, 8169922, but everything I write here works well for ESXi 6.x or 5.x versions. Some methods of resetting the password may be pretty risky. So, don’t blame me in case you mess things up.
Some theoretical findings
After thinking through some cases of how you guys lose passwords, I realized that these two scenarios are pretty common: you forgot the password but can still access the hosts via vCenter, or you lost the password of a standalone ESXi host and there’s no way to access it.
Well, the last one looks really tough. But, I’ll teach you today how to restore the password in both cases.
Changing the pass with vCenter
First, let’s look at how to change the password via the Flash-based vCenter Web Client. Note that the things I write here do not work in the HTML one! Also note that your ESXi edition must be no lower than Enterprise Plus.
In order to reset the password, you need to extract, edit, and upload Host Profile. Here’s how you do that.
Go to vCenter, and extract the host profile exactly how I do in the screenshot below.
While extracting, specify the host name and add some description if needed.
Check the entered information and press Finish.
In vCenter, navigate to the Home tab and go to Host Profiles there.
Right-click the Host Profile and edit its settings.
There, you can specify the new name and description if needed.
Once you are done with changing Name and host description, go to the Edit host profile tab itself. Actually, you can change a bunch of settings there, but let’s stick to the initial plan and change only root password, ok? To accomplish this task, type the new password and confirm it in the self-titled fields.
Congratulations, you have changed the password! Let’s add the host to the cluster now and apply the settings.
In the Attach/Detach Hosts and Clusters menu, select the host where you have changed the password. At this point, I’d like to mention that you can apply the changes to multiple hosts.
Right after adding the host, you can play around with the network settings, if you need it. Well, you can just click Finish to have the settings applied.
Next, you need to put the node in the maintenance mode, otherwise you won’t be able to apply any settings at all!
Confirm putting the selected host (or hosts, whatever) in maintenance mode. Note that you need to migrate your VMs unless you can shut down them for a while. In my case, there are no mission critical VMs on the host, so I’ve just powered them off beforehand.
Now, go back to the Objects tab and, finally, implement the host settings. Right-click the Host Profile and press Remediate.
Select the required host.
Verify all the settings and check whether you can apply the changes at all. Press Finish.
After the host reboots, exit the maintenance mode.
Now, let’s check whether the password reset has run smoothly. For that purpose, log in at the ESXi node via the Web Console, or the terminal using the new password.
Resetting the root password using Active Directory and vCenter
You can also change the password in vCenter using the Active Directory. You see, if you can add the ESXi host to the domain, you are able to use the domain credentials to access the node and reset the root password. Here’s how you do that.
Add the host with the forgotten password to the domain.
From now on, you can use the new root password! Don’t forget to leave from the domain if you do not need the host to be in the domain anymore.
To apply the changes, reboot the host.
Note that changing the password with vCenter is pretty easy, but VMware does not recommend it for some reason after all.
Resetting root password on the standalone ESXi hosts
Now that we know how to reset the password with vCenter, let’s look at some tougher cases. Let’s say you don’t have vCenter installed on the host. Once again, I do not want to re-install the server OS as VMware says. Seriously, that’s not fun! Let’s look at something more interesting instead: what about changing the password right on the node itself?
Before I start, I’d like to mention that you won’t be able to trick ESXi security and change the root password on the node without shutting it down. This means that, like it or not, you do need to shut down each VM from the inside! If you screw things up, you won’t be able to start the VMs without re-installing ESXi.
You also need a bootable CD image. I used Ubuntu GNOME in this article. Find out how to create a boot CD and download Ubuntu GNOME here. You also need Rufus to write the boot CD image to the flash drive.
So, you need to boot from the flash disk, mount the required ESXi partition, unpack the archive, and edit the file with the passwords. Next, you put the file back into the original directory and, after rebooting the host, you can access it without a password.
Editing the “shadow” file
What is “shadow”?
Here’s how the disk is formatted in ESXi 6.0 or higher:
Of all those volumes, we need only the /bootbank one, as it keeps the ESXi archive. So “shadow” should be somewhere in there.
Chasing the “shadow”
So, let’s boot the host from the flash disk first and start the terminal.
See through the disk names and find the one you need.
Well, it seems that we need that 250 MB /dev/sda5 partition. Create the mnt directory.
# mkdir /mnt/sda5
Create the directory for the temporary files now.
Then mount the /dev/sda5 partition using the command below.
# mount /dev/sda5 /mnt/sda5
Now, look for that state.tgz archive I was talking above.
# ls -l /mnt/sda5/state.tgz
Extract both state.tgz and local.tgz. Here are the commands you can use for that purpose:
# tar -xf /mnt/sda5/state.tgz -C /temp/
# tar -xf /temp/local.tgz -C /temp/
Once you are done with unpacking, get rid of the old archives with the command below:
Now you are ready to do some magic with “shadow”. Open the file, edit it, and close it. As simple as that! To double-check the changes, open the file one more time.
To reset the password, just delete everything between the first two colons on the root line. Remember that the password is stored as a hash? That’s why it looks so weird.
Next, go to the work directory.
Now, add the “shadow” back to the archive.
# tar -czf local.tgz etc
# tar -czf state.tgz local.tgz
Move the new archive to the initial directory.
Unmount the /sda5 disk with the command below:
And, eventually reboot the host.
Well, to make the stuff I’ve just written above more reader-friendly, here’re all commands you need to deploy step-by-step.
Now, select Configure Password, and type a new password in the self-titled field.
Ok, this time, please write down the root password, or just try not to forget it!
Replace one “shadow” with another
There’s another way to reset the ESXi root password using “shadow”. Actually, that’s nothing more than a variation of the method I described above.
So, another thing you can do to reset the ESXi password is to use another host’s “shadow” file! Yes, you can just copy the “shadow” file from another ESXi host with a known root password to one more flash disk. To get the file with passwords from another host, you need WinSCP. The utility is available here. The nice thing is that you can retrieve that file from the host with the known ESXi root password without even shutting it down.
Next, open the terminal in Ubuntu GNOME and reset the password.
Now, let’s see what you have on the disk.
Create two temporary volumes afterward.
# mount /dev/sda5 /mnt/sda5
# mount /dev/sdb1 /mnt/sdb1
Now, create the temporary volume for further work with archives.
Create the volume where you are going to keep the state.tgz copy just in case something goes wrong.
Find the necessary file in the archive.
# ls -l /mnt/sda5/state.tgz
Copy the archive.
# cp /mnt/sda5/state.tgz /mnt/sdb1/save
# ls -l /mnt/sdb1/save
Extract state.tgz using the command below:
# tar -xf /mnt/sda5/state.tgz -C /temp/
Find the temp file.
# ls -l /temp
# tar -xf /temp/local.tgz -C /temp/
Make sure that you extracted the /etc directory.
# ls -l /temp
Now, delete the local.tgz archive to ensure that it won’t be included in the new archive by accident.
Find “shadow” in the /etc directory.
# ls -l /temp/etc
# cp /mnt/sdb1/shadow /temp/etc
Check whether all changes have been applied.
Archive the /etc directory.
# tar -czf local.tgz etc
Check whether archiving has run smoothly.
# ls -l /temp/
Now, create the state.tgz archive.
# tar -czf state.tgz local.tgz
Again, check whether the archive has been created.
# ls -l /temp/
Move the archive to the working ESXi directory.
# mv state.tgz /mnt/sda5/
Check the result one more time.
# ls -l /mnt/sda5/
Unmount the sda5 directory.
Eventually, reboot the host.
Enjoy! If everything is done right, you can access the host with the known password. Well, to make everything more or less convenient here’s the entire set of commands I used for this method.
# cp /mnt/sdb1/save/state.tgz /mnt/sda5/
Conclusion
The GRUB Password
While carrying out research for this post, most of the info I came across stated that the GRUB password on VCSA is set to vmware by default unless the root password was changed via VAMI, in which case both the GRUB and root password are set to be the same. When I installed VCSA 6.0 U2 (version 6.0.0.20000-3634791) I found that this was not the case. The GRUB password was by default set the same as that for root. At no point during the vCSA installation do you get to set the GRUB password and you also cannot skip setting one for root. So, I don’t know how and when the GRUB password is set to vmware. And yes, I’m positive that I did not change the root password using VAMI or otherwise.
Figure 9 – Setting the root password while installing VCSA 6.0 U2
Note: On VCSA 6.5 you’ll find that access to GRUB is not password protected much to the horror of the security folk!
Summary
This article introduced how to reset the VMware ESXi root password without reinstalling the ESXi host, which saves a lot of time. When you are resetting the ESXi root password, if your virtual machines cannot have downtime, you should migrate them, as well as back up the VMware ESXi VMs.
How to reset VMware ESXi root password (2 ways)
- Upgrade VMware ESXi.
- vCenter goes haywire and is inaccessible and requires the local root account remains for authentication.
If you forget your password and don’t want to reinstall your ESXi hosts, what should you do? Remember to take a backup or snapshot before you start again to avoid data loss due to the risk of operation.
Way 1. Reset ESXi root password via Host Profile
1. Login to the vCenter Web client.
2. Navigate to Home, and then choose Host Profiles >> Extract Host Profile.
3. In the Extract Host Profile menu wizard, enter a name and description for the selected Host Profile and click Next and then Finish to complete the capture of the host profile template.
4. Right-click the new Host Profile and choose Edit Settings.
5. In the opened wizard, from Edit host profile, search for root and reset a new password and confirm it.
6. You have changed the password. Then right-click the Host Profile and select Attach/Detach Hosts and Clusters. Select the host you have changed the password, and click Attach.
Tips: It’s possible to apply the changes to multiple ESXi hosts by hitting Attach All.
7. From the Action Menu, select Maintenance Mode >> Enter Maintenance Mode. During this period, the virtual machines need to be shut down, so please make sure your workload can tolerate the downtime.
8. From the Action Menu, select Remediate, then select host to remediate.
9. Check Host Compliance.
10. After the host reboots, exit the maintenance mode.
Way 2. Reset VMware root password by editing the “shadow” file
If you cannot use vCenter to reset your password, you can try another method: use a Live Linux CD/DVD/USB to reset the VMware root password. ESXi saves the root password encrypted in a password file located in /etc/shadow. I will remove the password hash located in 2 partitions in order to create a new password in the DCUI console.
1. Download a live Linux CD/DVD, and I choose the Gparted LiveCD.
2. Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.
● Run these commands to get to the shadow password file.
mkdir /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp
tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc
● Then use vi to edit the shadow password file.
cd ..
tar -cf local.tgz etc/
tar -cf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot
Tips: Boot back into the Gparted Live media. We will be repeating step 4, except that we will be editing the /dev/sda6 partition rather than /dev/sda5. The only difference in this process is changing the command to mount the correct partition.
5. Remove the Gparted media and boot the ESXi host. Once the ESXi host has completed booting, log on as root from the DCUI console. You should be able to log in without typing in a password. Now you may reset a new password.
This method is not supported by VMware, but it works on various versions of ESXi. When resetting VMware root password, the most important thing is to make a VMware backup before performing this operation.
How to reset VMware ESXi 6.7 root password
Is there a way to reset forgotten root password on ESXi host 6.7? Per VMware, the only way is to reinstall ESXi on the host, but I would hate to migrate my VM’s to another host.
— Question from Spiceworks Community
According to VMware, reinstalling an ESXi host is the only supported method for resetting the VMware root password. However, starting with ESXi 4.1, the host profile feature was introduced. If the host is managed by vCenter and is still connected, you can reset the ESXi root password by taking advantage of the host profile feature.
Tips: For the host profile feature, you must have an Enterprise Plus license.
Protect VMware VM from data-loss
A reliable VM backup appliance is able to reduce operational errors and protect business from security threats. AOMEI Cyber Backup, a free backup software, provides you with the best VM backup practices and schedules virtual machine backup to secure your business continuously.
If your original virtual machine fails, you can achieve fast disaster recovery from any point. It restores the virtual machine to its previous state based on a few clicks without any complicated setup, which greatly reduces business downtime and financial losses.
*You can choose to install this VM backup software on either Windows or Linux system.
Free VM backup solution with AOMEI Cyber Backup
1. Download AOMEI Cyber Backup and add your host. Click Source Device > VMware > + Add VMware Device, then you can choose to Add vCenter or Standalone ESXi.
2. Click Backup Task >> Create New Task to create an insurance for your VMs.
✦ In the opened wizard, enter a task name and choose VMware ESXi Backup.
✦ On Device Name pane, select the host and virtual machines you want to backup.
✦ On Target pane, select a destination to store virtual machine files. It offers local or network location. You can connect external hard drive to VM to store the backup files such as a flash drive or USB hard drive, or backup VM to NAS.
✦ On Schedule pane, enable backup schedule plan. It offers flexible backup strategies such as full / incremental / differential backup to safeguard VMware data comprehensively. You can specify the backup time as daily / weekly / monthly, which will keep tracking the changed data and offers continuous protection.
✦ Click Start Backup.
3. Recovery: click Restore, then choose the restore content and target. If the original VM corrupts, you can restore the entire VM to the previous state including OS, configuration, application, personal data and system state.
✍ While the Free Edition covers most of the VM backup needs, you can also upgrade to enjoy:
Batch VM backup: batch backup large numbers of VMs managed by vCenter Server or on standalone ESXi hosts.
Backup Cleanup: Configure retention policy to auto delete the old backup files and save storage space.
Restore to new location: Easily make a clone of a virtual machine in the same or another datastore/host, without reinstalling or configuring a new VM.
AOMEI Cyber Backup always protects your virtual machines and business security with its efficient VMware backup solution. It also reduces business downtime and extra cost.
How it all works
First off, SSH to your host and have a look at . You should see something like this.
This is from a test ESXi host I use, so be my guest and try to reverse hash the password. Good luck with that. The string boxed in red is what we’re after. Deleting it will reset the password to null. Of course, if you can’t root to your host, there’s no way you can do this, hence why we use a live CD. Booting off a Linux Live CD/DVD allows us to access and change the file. The trick is knowing which file to change. Changing the one that’s accessible when SSH’ed to the host is of no use since the changes are overwritten once you boot up the host.
As you probably know, ESXi uses several disk partitions. One, in particular, is called This partition contains the hypervisor core files and the host’s configuration which is what ends up being loaded into memory. The partition, by default, is called /dev/sda5.
file we’re after is found in a compressed archive called which is found under . So, here’s what we need to do.
- Download a Live Linux CD/DVD. Take your pick from this . I chose the Gparted LiveCD one.
- Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.
- to a temp folder.
- and edit the shadow file.
- Recompress the archive and overwrite
- Unmount and reboot the host.
It is of utmost importance to note that you will not be able to ‘deceive’ ESXi’s security and change the node’s root password without powering it off. Meaning you need to evacuate the VMs to other hosts in the cluster or shut them down to place the host in maintenance mode.
For this post, in order to reset the ESXi root password, I’m using a nested host for convenience’s sake alone. And, yes, I carried out this same procedure a number of times on physical ESXi hosts. Note also, that the host must be powered down for this to work so unless migrated, all hosted VMs will obviously stop working.
Booting off the GParted LiveCD
– Locate the 2 partitions sized 250MB. As mentioned, is what we’re after assuming you installed ESXi on the first available disk. This may differ if, for instance, you installed ESXi on a USB device.
“vSphere 6.x partitions layout.”
Note that the partition layout changed dramatically in vSphere 7 compared to vSphere 6.x. It is now consolidated in fewer partitions leveraging dynamic sizing and VMFS-L.
vSphere 6.x vs vSphere 7 partitions layout
mkdir /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp
tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc
The first batch of commands that need to be run to get to the shadow password file
Delete the encrypted root password to reset it to null i.e. the root account will not have a set password
cd ..
tar -cf local.tgz etc/
tar -cf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot
– Once the ESXi host is back online, try logging in as either from the DCUI (console) or via SSH using or similar. You should be able to log in without keying in a password although you will be reminded to set one which is what you should do.
How do I recover my root password?
Here’s a video demonstrating how to carry out the password recovery procedure from start to finish and reset the root password
Changing the root password and expiration settings
There will be times where you will not be able to log in as root despite being sure that you’re typing in the correct password. This will occur whenever the root password expires after the default password lifetime of 365 days. Additionally, it is very common to set the expiration period to 90 days or less to tighten up security. You can disable password expiry altogether but this is definitely not recommended.
The root password and expiry settings are easily managed using VAMI, which you access at https://<VCSA FQDN or IP>:5480. Figures 10-11 show the root account management pages for VCSA 6.0 U2 and 6.5 respectively.
Figure 10 – VCSA 6.0 U2: Root password and expiration settings in VAMI
Figure 10 – VCSA 6.5: Root password and expiration settings in VAMI
Alternatively, use the chage command from the ESXi shell as shown in Figure 11 which consists of a screen grab of the root settings in VAMI next to a screen grab of the VCSA VM’s console while in shell. Here’s a step by step explanation of the commands used.
1. chage -l root : Displays the account details for root which include the account and password expiry dates, the date at which the password was last changed, etc.
3. chage -M 30 root : Here I’ve used the chage command to set the password expiration period to 30 days from when the password was last changed.
4. Same as (1). You can see that the “Maximum number of days between password change” value – which is a bit misleading if you ask me – is now set to 30. The change is also reflected in the VAMI settings screens when it is refreshed.
This concludes today’s post. As always, make sure to take a snapshot or a backup of the appliance when committing these type of changes. This allows you to quickly revert to a working vCSA instance should you hit a dead end.
VCSA 6.0 Update 2
The process is very similar to the one for VCSA 6.5. First, shut down the VCSA and take a snapshot.
1. Press the space bar to freeze the GRUB menu.
2. Press p and type in the password to unlock the advanced features in GRUB (refer to The GRUB Password section further down).
Figure 5 – Accessing advanced features in GRUB
3. Press e to enable Edit mode
Figure 6 – Editing the boot up options in GRUB
5. Append init=/bin/bash to the kernel boot options
Figure 7 – Setting the VCSA to boot up as a root shell
7. Type in the passwd command. Type in the new password twice and press Enter to confirm.
Figure 8 – Changing the root password from a root shell
Here’s a second video illustrating the password change procedure on 6.0 U2.