Andy Fox | 24 July 2012
In previous vSphere versions it was relatively easy to reset the root password for an ESX host by booting the server in single user mode, this gave a root access command prompt from which you could change the password. In vSphere 5, we only have the ESXi hypervisor which does not have the ability to boot into single user mode, so in this blog we look at how to change the root password for an ESXi host.
Firstly, it is worth noting that the only supported way of resetting a forgotten ESXi root password is to reinstall ESXi!
In ESXi as with ESX and linux systems, there are 3 files that control local user accounts. Found in /etc, they are passwd, shadow and groups. The passwd historically stored the user accounts and passwords but was found to have security implications as all users could read the file. Although users could not see what other users passwords were (as they are encrypted in the file), they were able to change their password and compare the encrypted password with that of other users (and more importantly root), if the passwords were the same, they had guessed correctly! So as a consequence, passwords were removed from the passwd file, and were placed in a second shadow password file. This file could not be accessed by normal users and hence was far more secure. As its name suggests, the groups file contains groups.
So on ESXi, the trick to changing the password of the root user is to manipulate the shadow password file.
In order to reset the root password, you will need a bootable Linux cd (or iso if using a lights-out technology i.e. iLo or Drac), any "Live" (runs direct from CD) version should work (I use SuSE Linux Enterprise 11 and boot using the Rescue System option), plus you will follow the procedure better if you have some basic Linux/Unix experience.
First, boot your ESXi server with a Linux live CD or from a USB stick.
Mount the /dev/sda3 partition to /mnt by using the command:
mount /dev/sda3 /mnt
Unzip the state.tgz file to /tmp, it contains one file called local.tgz with the following commands:
tar zxvf /mnt/state.tgz
Unzip the local.tgz, and change to the etc folder using the following commands:
tar zxvf local.tgz
Using VI edit the file etc/shadow to change the password.
The shadow password file has each user entry per line, and the second parameter (after the 1st being the user name) is the encrypted password. The easiest thing to do is to delete the string of text between the first and second colon, thus removing a password altogether.
Recreate the zip files, and copy the modified state.tgz back to the original partition.
tar czvf local.tgz etc
tar czf state.tgz local.tgz
mv state.tgz /mnt/
Reboot your ESXi host, and you should now be able to log in with no password.