Virtualization, VMware, vSphere

Changing a forgotten ESXi 5 root password

It shouldn’t happen, but most folks I’ve spoken to have run in to this at some point in time. You are trying to log on to your ESXi host, and for some reason your root password isn’t working anymore.

The official stance that VMware has taken on this can be found in knowledge base article 1317898, and at the time of writing, it states the following:

ESXi 3.5, ESXi 4.x, and ESXi 5.0

Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.

So, after searching a bit and combining infos from several folks, I’ve found a way to reset the password, but you should note that this is not officially supported by VMware!

First off, I would recommend you empty your host of any running virtual machines, and put it in to maintenance mode. Next up, inside your vSphere Client, go to the “Home” screen, and select “Host Profiles”, or just press “Ctrl + Shift + P”. Once you are there, create a new profile from an existing host, and select the host that has the unknown password, and give it a name that you can remember.

Next up, edit the newly created profile and open up the “Security Configuration” section. From there, select the “Administrator Password” option, and in the right hand drop down menu, select “Configure a fixed administrator password”.

Now, you can set a new password, but please be careful about one thing. You need to set the password with a certain complexity level. For the exact details, have a look at VMware knowledge base entry 1012033, which states that the default password complexity policy that is set with PAM has the following default:

password requisite /lib/security/$ISA/ retry=3 min=8,8,8,7,6which actually means the following:

  • retry=3: A user is allowed 3 attempts to enter a sufficient password.
  • N0=12: Passwords containing characters from one character class must be at least twelve characters long.
    example: chars1234567
  • N1=10: Passwords containing characters from two character classes must be at least ten characters long.
    example: CHars12345
  • N2=8: Passphrases must contain words that are each at least eight characters long.
    example: software
  • N3=8: Passwords containing characters from all four character classes must be at least eight characters long.
    example: CHars12!
  • N4=7: Passwords containing characters from all four character classes must be at least seven characters long.
    example: CHars1!
  • Example: password requisite /lib/security/$ISA/ retry=3 min= 12,10,8,8,7

If you don’t actually follow these rules, and try to apply the profile, you will get a pretty cryptic error message that in my case just stated the following:
Authentication token manipulation errorWhich isn’t that helpful.

Once you have set the new password, you just need to select the profile you have created, and you need to attach your host to this profile. Once that is done, go to the “Hosts and Clusters” view (again, click “Ctrl + Shift + H” to jump there immediately), and right click your host. Select “Host Profile” from the menu, and from there click “Apply profile”.

Now, if SSH was disabled by the applied profile, enable it again by going to the “Configuration” tab, selecting “Security Profile” and going to the properties of the “Services” part. You can start the SSH service from there. Now you can log on using the newly assigned password and that was that.

But…! There’s always a but, isn’t there? This change only works as long as you keep the host profile, or as long as the host stays withing your vCenter. So, what can you do to make the change permanent? Simple, you log on via SSH, change the password with the “passwd” command and then run the script from /sbin.

Also, if you would like to work around the password complexity policy, you can modify the following file:
/etc/pam.d/passwd to reflect your own policy. If you want to do this, create a backup of the file, modify it to reflect your own policy. After that, change the password and run the script.

Again, these last steps are not recommended by me or VMware, and this will impact the security of your system, so be extremely cautious of your changes! I’m just trying to document the steps so you might have it a bit easier should this situation occur.

6 thoughts on “Changing a forgotten ESXi 5 root password”

  1. Thanks for the helpful write up. My client ended up figuring out the pw so i didn’t get to try 😦 but definitely a handy work around.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s