
Reset vCenter 7 VCSA Password or Unlock Account


Introduction

We are all human (unfortunately for now) and on occasion, one might inadvertently lock themselves out of the “root” account of the VCSA. Although a seldom-used account under normal operations, access to it is critical, especially during technical emergencies.

By default, the root account stays locked for five (5) minutes after three (3) failed attempts; resetting the root password, however, requires a reboot on VCSA 7.

The following steps will walk through resetting the root account credentials and unlocking the account. Downtime for VCSA should be expected, so plan your change accordingly.

Disclaimer: Follow these instructions at your own risk; they are provided without warranty. Neither Ferroque Systems nor its affiliates will be held liable for unanticipated impacts in your environment from running these commands. We strongly recommend taking a snapshot, clone, or VM backup of the VCSA prior to executing these commands.

Step 1

Take a snapshot of the VM and proceed with forcing a reboot. Once the Photon OS splash screen is showing, quickly press “e” to reveal the GRUB boot menu.

Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”. A quick way to do that is to move the cursor to the “linux” line and press “Ctrl” + “e”.

Append “rw init=/bin/bash” to enter single user mode, and press “Ctrl” + “x” to boot the appliance.

Step 2

Now that you are dropped into the system, proceed with entering the ‘passwd’ command to reset the root user account.
passwd


Step 3

User accounts can be unlocked using the pam_tally2 command with the switches --user and --reset.
pam_tally2 --user=root --reset

Once completed, the user account will be unlocked and the account can be used again.

Step 3a (Optional)

The default login parameters can be changed for the pam_tally2.so module.


Parameter               Explanation
file=/var/log/tallylog  Log file.
deny=3                  Deny counter until account is locked.
onerr=fail              If $file is unable to open, default action is to fail all attempts.
even_deny_root          Policy applies to root account also.
unlock_time=86400       Users are locked for 24 hours.
root_unlock_time=300    Root is locked for five (5) minutes.
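
As an added example (not from the original article), the shell functions below parse a pam_tally2.so line and summarize the lockout policy it encodes, including root inheriting unlock_time when only even_deny_root is given. The sample line is constructed from the parameters in the table above; the "auth required" prefix and the /etc/pam.d/system-auth path are assumptions.

```shell
#!/bin/sh
# Added example: summarize the lockout policy encoded in a pam_tally2.so line.
set -f   # no globbing: PAM lines are split on whitespace only

# Constructed sample built from the table's parameters ("auth required" is assumed).
SAMPLE_LINE='auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300'

# tally_opt LINE KEY: print the value of KEY=VALUE, or "set" for a bare flag
# such as even_deny_root; print nothing and return 1 when KEY is absent.
tally_opt() {
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
            "$2")   printf 'set\n'; return 0 ;;
        esac
    done
    return 1
}

# tally_summary LINE: print the effective policy on one line.
# "none" means no timed unlock (manual pam_tally2 --reset needed);
# "exempt" means the policy is not applied to root at all.
tally_summary() {
    line=$1
    deny=$(tally_opt "$line" deny) || deny=unset
    unlock=$(tally_opt "$line" unlock_time) || unlock=none
    if root_unlock=$(tally_opt "$line" root_unlock_time); then
        :   # root_unlock_time implies even_deny_root
    elif tally_opt "$line" even_deny_root >/dev/null; then
        root_unlock=$unlock   # root inherits unlock_time
    else
        root_unlock=exempt
    fi
    printf 'deny=%s unlock_time=%s root_unlock_time=%s\n' "$deny" "$unlock" "$root_unlock"
}

# tally_line_from_file [PATH]: print the active pam_tally2.so auth line(s),
# skipping commented-out ones. The default path is an assumption.
tally_line_from_file() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "${1:-/etc/pam.d/system-auth}"
}

tally_summary "$SAMPLE_LINE"
```

On the appliance, tally_summary "$(tally_line_from_file)" reports the live policy before and after a change.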

Step 4

The system can now be rebooted to allow VCSA to load. The -f switch can be appended to force a reboot if the first option fails.

reboot
=========================================================================================================

How to reset the lost or forgotten root password in vCenter Server Appliance 6.7 U1 and later (75174)

 

Symptoms

For versions prior to VCSA 6.7 Update 1, see Resetting root password in vCenter Server Appliance 6.5 to 6.7 U1.

  • Logging in to the root account of vCenter Server Appliance (VCSA) fails.
  • The root account of the vCenter Server Appliance 6.7 U1 and later is locked or the account is expired.
  • Forgot the root password.

 

Purpose

This article provides steps to reset the root password if you have lost or forgotten the existing root password for a VCSA 6.7U1 and later.

 

Cause

With the change in VCSA 6.7 U1, an SSO user who is a member of the SystemConfiguration.BashShellAdministrator group can log in to the Bash shell and run any command using sudo without a password. This aims to reduce the gap between root and the SSO administrator user. The user has to enable the shell to log in to the Bash shell; by default, the user is logged in to the appliance shell.

 

Resolution

Process to Reset the Root Password in VCSA:

  1. Connect to VCSA 6.7 over SSH and log in using administrator@vsphere.local, where vsphere.local is your default SSO domain.
     • If SSH is disabled, enable it using the VAMI ( https://<vcenter_fqdn>:5480 ).
     • You can log in as administrator@vsphere.local or any other member of the SSO administrators group.
     • See Enable or Disable SSH and Bash Shell Access.
  2. If this is the first time logging in, enable the shell, then enter the shell.
     • shell.set --enable true
     • shell
  3. Once in the shell as sso-user, run the command below to change to a root shell.
     • sudo -i
     • Alternatively, you could use the command: sudo passwd root
  4. Once in the root shell, run passwd to change the root password.
     • passwd
  5. Now you can exit the session by running the exit or logout command and then log in through a new SSH session using your root account with the updated password. Alternatively, you could run the su command in order to be prompted for the root password and get access as root.
Note: If the administrator@vsphere.local password is not available, please refer to Resetting root password in vCenter Server Appliance 6.5 and later.
