There are several methods of resetting the ESXi root password. Some of them are supported, and some are unsupported but still work. You can check this overview that outlines the most popular ones: -esxi-root-password-no-problems-4-ways-reset/
Note: In some cases a defective keyboard can cause problems logging into an ESXi host. You might want to test with a different physical keyboard if you are having difficulties with known login credentials.
If you have forgotten or do not know the password for the root user on an ESXi host, you may be able to change it without reinstalling.
For more information on security best practices, see VMware Infrastructure 3 Security Hardening.
Note: The procedures below perform a password reset. This blindly replaces the existing root password with a new one. This is not a password recovery mechanism. That is, it does not allow you to learn the original root password. VMware does not provide tools or methods to recover the original root password of an ESXi host.
If the host is managed by vCenter and is still connected, you can reset the password by using the Host Profile feature. The Host Profile feature requires Enterprise Plus licensing. For more information, refer to the KB: Reset ESXi Root Password with Host Profile
However, when it comes to the web interface, I get a "Cannot complete login due to an incorrect user name or password." The host is freshly installed, and I try to log in right after I change the IP information.
So I found out that you first need to enable the ESXi Shell, and then press Alt+F1. So with pam_tally2 --user root I can see attempts I make in the Web Client fail. This makes no sense, as I am using the same password. I've tried copy-pasting it, typing it in on a virtual keyboard, and so on.
As an interesting note, I've tried changing the root password from the ESXi Shell, with strong random 13-character passwords from KeePass and whatever recommended password was given by the command. Both fail unless you meet additional criteria not listed in the console. The same thing happens on ESXi 6.7 Update 3.
My team had a vCenter disaster and had to move all our ESXi hosts from downed vCenter A to reconstructed vCenter B. All was going well until we realized we had the root password for only about half of the ESXi hosts. Now what?
Previously I have seen the Hosts Profile method of resetting the ESXi hosts. This method was painful for us because half the hosts were already moved, plus many hosts did not have a redundant configuration to fail the VMs over to. On top of that it just plain takes a long time -- and I've almost never had a good experience with Host Profiles.
So I came up with a method to reset the passwords that I hadn't seen on the internet yet. I thought it was odd until I tried running this on an ESXi 5.x server and realized my method only works on ESXi 6 and newer. So maybe it is a new method and I'm the first to publish it. Maybe not.
For this code snippet I'm going to use PowerShell (with PowerCLI). But you could use any number of scripting methods that vCenter supports to accomplish the same thing. How it works is it calls ESXCLI on the ESXi host via vCenter. Once you have access to the ESXCLI, run
Just unboxed a new UCS C220 M5SX and I was trying to log into the host and the passwords that are documented do not work. I have tried the following with the root account. Cisco, Cisco123, Cisco1234, Password (lower and upper on the first character) and nothing is working. I am really hoping I do not need to waste my time and reinstall ESXi to get this working. Anyone run into this and found the right password?
I manage a number of vCenter instances and a lot of ESXi hosts. Some of the hosts are production, some for test and development. Sometimes an ESXi host needs to be used by a different group or temporarily moved to a new cluster and then back again afterwards.
To automate the configuration of these systems and the VMs running on them, I use Ansible. For a freshly imaged, new installation of ESXi, one of the first things I do is run an Ansible playbook that sets up the ESXi host. The first thing it does is install the ssh keys of the people who need to log in as root, then it updates the root password.
I have ssh public keys for every user that needs root access. A short bash script combines those keys and my Ansible management public key into authorized_keys files for the ESXi hosts in each vCenter instance. In my Ansible group_vars/ directory is a file for each group of ESXi hosts, so all of the ESXi hosts in a group get the same root password and ssh keys. This also makes it easy to change root passwords and add and remove ssh keys of users as they are added to or leave different groups.
In my main.yml file I call the esxi_host role for all of the hosts in the esxi_hosts inventory group. Since I use a different user to manage non-ESXi hosts, the play that calls the role tells Ansible to use the root user only when logging into ESXi hosts.
This will prompt me for the current root ssh password. Once I enter that it logs into each ESXi host, installs the new authorized_keys file, uses the vault private key to decrypt the password, then updates the root password.
Under these circumstances, how can you log into the ESXi server? Reinstalling ESXi is not a good solution, because creating a new configuration from scratch, as well as creating and configuring VMs, takes a lot of effort.
VMware Host Profiles is an enterprise-grade feature that helps apply a uniform configuration to multiple ESXi hosts and simplifies the process of deploying a high number of ESXi hosts. Thus, you can avoid configuring each host manually. Create a host profile and apply the profile to all required ESXi hosts in vCenter. This feature can also help to reset the ESXi password for the root user.
Note: If you have extracted a host profile from an ESXi host whose password has been forgotten, changing the password at this step is necessary. If you have extracted a host profile from an ESXi host whose password is known, you may leave the password unchanged.
VMware vSphere can be integrated with Active Directory that is usually used for the centralized management of users and computers. You can join each ESXi host into an Active Directory Domain and then use the account created on the Active Directory Domain Controller to log in to the ESXi host. The Active Directory authentication mechanism can be utilized in vSphere, thanks to the implementation of the PAM (Pluggable Authentication Module) framework for ESXi. This capability can be used to reset the ESXi password for the root user on a host. The ESXi host must be managed by vCenter in order to use this method and you should have an Active Directory Domain controller in your inventory.
Note: In VMware ESXi settings, the IP address of the domain controller should be specified as a DNS server, since the ESXi server must be able to resolve the domain and domain controller names. Where the IP address of the DNS server in the network settings of your ESXi server differs from the IP address of your existing domain controller, you can deploy a temporary machine (physical or virtual) as an Active Directory Domain Controller, set the DNS server IP address that is defined in the network settings of the ESXi server as the IP address of that domain controller, connect the ESXi server to the temporary domain controller, and join the domain.
As an alternative, if you have a configured domain controller in your environment, you can open vSphere Client, select the ESXi host whose password must be reset, go to the Configure tab, select Networking > TCP/IP configuration and edit or add the IP address of the appropriate existing domain controller as the DNS server.
Create a new user whose name is, for example, esxi01 on the domain controller in Active Directory Users and Computers. In order to do this, open Server Manager, go to Roles > Active Directory Domain Services > Active Directory Users and Computers > [your domain name] > Users.
Passwords are not stored as plain text anywhere among the ESXi system files. ESXi, similarly to Linux, stores password hashes in a special /etc/shadow system file that can be accessed only by the root user, so passwords appear there in hashed rather than readable form. Hash algorithms such as MD5, Blowfish, SHA-256, SHA-512, etc. are used for transforming the source password into the hash that is checked at login. These algorithms are one-way, hence it is not possible to do reverse calculations for getting the original password.
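The scheme used for each entry is visible in the hash field's $id$ prefix. The following added example (not code from the original article) reads shadow-format lines and reports which algorithm each account uses, flagging entries worth reviewing after a reset. The sample lines, salts and hash strings are constructed placeholders, and the "acceptable" judgement is an assumption of this example.

```python
# Added example: classify the hash scheme of each /etc/shadow entry.
# The id-to-scheme mapping follows the crypt(3) "$id$salt$hash" convention.
SCHEMES = {
    "1": ("MD5-crypt", False),            # weak by current standards
    "2a": ("Blowfish (bcrypt)", True),
    "2b": ("Blowfish (bcrypt)", True),
    "2y": ("Blowfish (bcrypt)", True),
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),
}

def classify_shadow_line(line):
    """Return (user, scheme, acceptable) for one shadow entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "EMPTY (no password required)", False
    if pw[0] in "!*":
        return user, "locked/no login", True
    if pw.startswith("$"):
        parts = pw.split("$")  # ['', id, optional rounds= or salt, ...]
        name, ok = SCHEMES.get(parts[1], ("unknown id %s" % parts[1], False))
        return user, name, ok
    # No $id$ prefix: traditional DES crypt, considered weak
    return user, "DES-crypt (legacy)", False

def audit(text):
    """Classify every non-empty, non-comment line of a shadow file."""
    return [classify_shadow_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

# Constructed sample input; salts and hashes are placeholders, not real values.
SAMPLE = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13358:0:99999:7:::
dcui:*:13358:0:99999:7:::
vpxuser:$6$rounds=5000$SALT$HASH:18000:0:99999:7:::
olduser:$1$SALT$HASH:13358:0:99999:7:::
nopass::13358:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, ok in audit(SAMPLE):
        print("%-8s %-30s %s" % (user, scheme, "ok" if ok else "REVIEW"))
```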
First, you should prepare a live DVD. In this example, the Ubuntu 18 installation disk that includes the Ubuntu Live DVD option will be used. Download the ISO image of the Ubuntu distribution from the official web site. You can also use other distributions you like, for example, Kali Linux, BackTrack, Debian, GParted Live CD etc.
If you have more than one ESXi host and you know the password of at least one ESXi host, you can just copy the /etc/shadow file from the ESXi host whose password you know to the ESXi host whose password you have forgotten. If you have only one ESXi host and you cannot remember its ESXi root password, you can also use this method. In this case, you should deploy a virtual machine running ESXi on any available hypervisor, for example, on VMware Player or VMware Workstation. If you have an unused physical computer that is ESXi-compatible, you can also use that. A VM running ESXi on VMware Workstation is used in the current example.