How do I reset an ESXi 5.0 unknown root password?

In previous vSphere versions it was relatively easy to reset the root password for an ESX host by booting the server in single user mode; this gave a root access command prompt from which you could change the password. In vSphere 5, we only have the ESXi hypervisor, which does not have the ability to boot into single user mode, so in this blog we look at how to change the root password for an ESXi host.


Andy Fox | 24 July 2012

Firstly, it is worth noting that the only supported way of resetting a forgotten ESXi root password is to reinstall ESXi!

In ESXi, as with ESX and Linux systems, there are 3 files that control local user accounts. Found in /etc, they are passwd, shadow and group. The passwd file historically stored the user accounts and passwords, but this was found to have security implications as all users could read the file. Although users could not see what other users' passwords were (as they are encrypted in the file), they were able to change their own password and compare the encrypted password with that of other users (and, more importantly, root); if the passwords were the same, they had guessed correctly! As a consequence, passwords were removed from the passwd file and placed in a second file, the shadow password file. This file cannot be accessed by normal users and hence is far more secure. As its name suggests, the group file contains groups.

So on ESXi, the trick to changing the password of the root user is to manipulate the shadow password file.

In order to reset the root password, you will need a bootable Linux CD (or ISO if using a lights-out technology such as iLO or DRAC). Any "Live" (runs directly from CD) version should work; I use SuSE Linux Enterprise 11 and boot using the Rescue System option. You will follow the procedure better if you have some basic Linux/Unix experience.

First, boot your ESXi server with a Linux live CD or from a USB stick.

Mount the /dev/sda3 partition to /mnt by using the command:
mount /dev/sda3 /mnt

Extract the state.tgz file to /tmp with the following commands; it contains one file called local.tgz:
cd /tmp
tar zxvf /mnt/state.tgz

Extract local.tgz, which unpacks the etc folder under /tmp, using the following command (stay in /tmp, as the later commands use paths relative to it):
tar zxvf local.tgz

Using vi, edit the file etc/shadow to change the password:
vi etc/shadow

The shadow password file has one user entry per line, and the second parameter (the first being the user name) is the encrypted password. The easiest thing to do is to delete the string of text between the first and second colon, thus removing the password altogether.

Recreate the archives, and copy the modified state.tgz back to the original partition:
rm local.tgz
tar czvf local.tgz etc
tar czf state.tgz local.tgz
mv state.tgz /mnt/

Reboot your ESXi host, and you should now be able to log in with no password.
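
A way to check the result of the shadow edit described above, added here as an example and not taken from the original post or from VMware: the script unpacks a copy of state.tgz into a scratch directory and reports whether each account's password field is empty, locked or set. The function names are hypothetical, and the state.tgz -> local.tgz -> etc/shadow layout is assumed from the article.

```shell
#!/bin/sh
# Added example: audit the shadow file inside a copy of an ESXi state.tgz.
# Layout assumed from the article: state.tgz -> local.tgz -> etc/shadow.

# classify_shadow FILE: print "user:status" for each entry in a shadow file.
#   EMPTY  = no password set (field 2 is blank, as after the edit above)
#   LOCKED = field starts with '*' or '!' (password login disabled)
#   SET    = a password hash is present
classify_shadow() {
    awk -F: 'NF >= 2 && $1 !~ /^#/ {
        if ($2 == "")          s = "EMPTY"
        else if ($2 ~ /^[*!]/) s = "LOCKED"
        else                   s = "SET"
        print $1 ":" s
    }' "$1"
}

# audit_state_tgz ARCHIVE: unpack into a private temp dir (never over live
# files), classify every account, return 1 if any account has no password,
# 2 if the archive cannot be read, 0 otherwise.
audit_state_tgz() {
    archive=$1
    work=$(mktemp -d) || return 2
    # Extract only the members we expect; anything else is left untouched.
    if ! tar xzf "$archive" -C "$work" local.tgz 2>/dev/null ||
       ! tar xzf "$work/local.tgz" -C "$work" etc/shadow 2>/dev/null; then
        rm -rf "$work"
        echo "error: $archive does not contain local.tgz/etc/shadow" >&2
        return 2
    fi
    report=$(classify_shadow "$work/etc/shadow")
    rm -rf "$work"
    printf '%s\n' "$report"
    case "$report" in
        *:EMPTY*) return 1 ;;
        *)        return 0 ;;
    esac
}

# make_sample_state DIR SHADOW_TEXT: build a constructed state.tgz (test data
# only) with the same nesting the article describes.
make_sample_state() {
    mkdir -p "$1/etc" && printf '%s\n' "$2" > "$1/etc/shadow" &&
    (cd "$1" && tar czf local.tgz etc && tar czf state.tgz local.tgz)
}
```

An exit status of 1 with a `root:EMPTY` line means the host will accept a root login with no password until a new one is set.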


Andy Fox

Senior Learning Consultant

Andy has been a Consultant Instructor with QA for 10 years, and has 16 years' IT training experience. In his 25+ years in the IT industry he has gained experience working with Novell products and Microsoft from MS-DOS onwards. Since joining QA, his focus moved towards SuSE Linux, where he gained CLP and CLE status. Over the past 4 years he has been engaged in the delivery of VMware vSphere training and has gained VCP, VCI and VCAP-DCA status.