Skip to main content

Reset lost root password on vSphere ESXi 6.7

VMware's solution to a lost or forgotten root password for ESXi is simple: go to https://kb.vmware.com/s/article/1317898?lang=en_US and you'll find that "Reinstalling the ESXi host is the only supported way to reset a password on ESXi".

If your host is still connected to vCenter, you may be able to use Host Profiles to reset the root password, or alternatively you can join ESXi in Active Directory via vCenter, and log in with a user in the "ESX Admins" AD group.

If your host is no longer connected to vCenter, those options are closed. Can you avoid reinstallation? Fortunately, you can. You will need to reset and reboot your ESXi though. If you're ready for an unsupported deep dive into the bowels of ESXi, follow these steps:

  1. Create a bootable Linux USB-drive (or something else you can boot your server with). I used a CentOS 7 installation USB-drive that I could use to boot into rescue mode.
  2. Reset your ESXi and boot from the Linux medium.
  3. Identify your ESXi boot device from the Linux prompt. Use "fdisk -l /dev/sda", "fdisk -l /dev/sdb", etc. until you find a device that has 9 (maybe 8 in some cases) partitions. Partitions 5 and 6 are 250 MB and type "Microsoft basic" (for more information on this partition type, see https://en.wikipedia.org/wiki/Microsoft_basic_data_partition ). These are the ESXi boot banks. My boot device was /dev/sda, so I'll be using /dev/sda5 and/or /dev/sda6 as partition devices.
  4. Create a temporary directory for the primary boot bank: mkdir /tmp/b
  5. Mount the first ESXi bootbank on that directory: mount /dev/sda5 /tmp/b
  6. The current root password hash is stored inside state.tgz . We'll unpack this first. Create a temp directory for the state.tgz contents: mkdir /tmp/state
  7. Unpack state.tgz: cd /tmp/state ; tar xzf /tmp/b/state.tgz
  8. Inside state.tgz is local.tgz. Create a tempfile for the local.tgz contents: mkdir /tmp/local
  9. Unpack local.tgz: cd /tmp/local ; tar xzf /tmp/state/local.tgz
  10. Generate a new password hash: on a Linux system with Perl installed, you can use this: perl -e 'print crypt("MySecretPassword@","\$6\$AbCdEfGh") . "\n";' . On a Linux system with Python installed (like the CentOS rescue mode), you can use this: python -c "import crypt; print crypt.crypt('MySecretPassword@')" . Both will print out a new password hash for the given password: $6$MeOt/VCSA4PoKyHl$yk5Q5qbDVussUjt/3QZdy4UROEmn5gaRgYG7ckYIn1NC2BXXCUnCARnvNkscL5PA5ErbTddoVQWPqBUYe.S7Y0  . Alternatively, you can use an online hash generator, or you can leave the password hash field empty.
  11. Edit the shadow file to change the root password: vi /tmp/local/etc/shadow . Replace the current password hash in the second field of the first line (the line that starts with root:) with the new hash. Esc : w q Enter saves the contents of the shadow file.
  12. Recreate the local.tgz file: cd /tmp/local ; tar czf /tmp/state/local.tgz etc
  13. Recreate the state.tgz file: cd /tmp/state ; tar czf /tmp/b/state.tgz local.tgz
  14. Detach the bootbank partition: umount /tmp/b
  15. Exit from the Linux rescue environment and boot ESXi.
  16. Do the same for the other boot bank (/dev/sda6 in my case) if your system doesn't boot from the first boot bank. NB logging in via SSH doesn't work with an empty hash field. The Host UI client via a web browser does let you in with an empty password, and allows you to change your password.


Comments

Popular posts from this blog

Volkswagen UHV bluetooth touch adapter & its problems

My Volkswagen car has the "universal cellphone preparation" UHV built-in. This is the main part of a car kit, but requires an additional adapter for connecting to a cellphone. At first, I was using an adapter for my good old Nokia 6310, even after I changed to the Nokia E71. Connecting was easy: pair the phone with the "VW UHV" bluetooth entity, and done. This has the phone connected to the car kit at all times, so even non-call-related functions use the car audio system (e.g. voice recognition).
But progress will have its way, no matter what happens. So in comes the "bluetooth touch adapter". Instead of a phone-specific adapter, this is a small touchscreen device that slots into the UHV dashboard mount. Connecting a phone is very different now:
the Bluetooth Touch Adapter connects to the "VW UHV" device via bluetooth
the phone connects to "Touch Adapter" device, also via bluetoothThe device doesn't allow step 2 if step 1 didn't s…

How to solve "user locked out due to failed logins" in vSphere vMA

In vSphere 6, if the vi-admin account get locked because of too many failed logins, and you don't have the root password of the appliance, you can reset the account(s) using these steps:

reboot the vMAfrom GRUB, "e"dit the entry"a"ppend init=/bin/bash"b"oot# pam_tally2 --user=vi-admin --reset# passwd vi-admin # Optional. Only if you want to change the password for vi-admin.# exitreset the vMAlog in with vi-admin These steps can be repeated for root or any other account that gets locked out.

If you do have root or vi-admin access, "sudo pam_tally2 --user=mylockeduser --reset" would do it, no reboot required.

Link aggregation and VLANs on QNAP with firmware 3.4.0

The new QNAP firmware (3.4.0) supports 802.1q VLAN tagging, but you can't create multiple interfaces in different VLANs on the same physical interface through the webinterface.In the case of link aggregation (LACP 802.3ad for example), that means only 1 VLAN and 1 IP address can be used. Fortunately, QNAP allows full access to the underlying Linux system. Adding a VLAN interface goes like this (the example uses VLAN 234)# /usr/local/bin/vconfig add bond0 234 # ifconfig bond0.234 192.168.2.30 broadcast 192.168.2.255 netmask 255.255.255.0
of course, this change is not permanent, a reboot will not automatically start this interface. I'll blog about making it permanent later.