Home > vSphere > How do I reset an ESXi 5.0 unknown root password?

How do I reset an ESXi 5.0 unknown root password?

In previous vSphere versions it was relatively easy to reset the root password for an ESX host by booting the server in single user mode, this gave a root access command prompt from which you could change the password.

In vSphere 5, we only have the ESXi hypervisor which does not have the ability to boot into single user mode, so in this blog we look at how to change the root password for an ESXi host.

Firstly, it is worth noting that the only supported way of resetting a forgotten ESXi root password is to reinstall ESXi!

In ESXi as with ESX and linux systems, there are 3 files that control local user accounts.  Found in /etc, they are passwd, shadow and groups.  The passwd historically stored the user accounts and passwords but was found to have security implications as all users could read the file.  Although users could not see what other users passwords were (as they are encrypted in the file), they were able to change their password and compare the encrypted password with that of other users (and more importantly root), if the passwords were the same, they had guessed correctly!  So as a consequence, passwords were removed from the passwd file, and were placed in a second shadow password file.  This file could not be accessed by normal users and hence was far more secure.  As its name suggests, the groups file contains groups.

So on ESXi, the trick to changing the password of the root user is to manipulate the shadow password file.

In order to reset the root password, you will need a bootable Linux cd (or iso if using a lights-out technology i.e. iLo or Drac), any “Live” (runs direct from CD) version should work (I use SuSE Linux Enterprise 11 and boot using the Rescue System option), plus you will follow the procedure better if you have some basic Linux/Unix experience.

First, boot your ESXi server with a Linux live CD or from a USB stick.

Mount the /dev/sda3 partition to /mnt by using the command:

mount /dev/sda3 /mnt

Unzip the state.tgz file to /tmp, it contains one file called local.tgz with the following commands:

cd /tmp
tar zxvf /mnt/state.tgz

Unzip the local.tgz, and change to the etc folder using the following commands:

tar zxvf local.tgz

cd etc

Using VI edit the file etc/shadow to change the password.

vi etc/shadow

The shadow password file has each user entry per line, and the second parameter (after the 1st being the user name) is the encrypted password.  The easiest thing to do is to delete the string of text between the first and second colon, thus removing a password altogether.

Recreate the zip files, and copy the modified state.tgz back to the original partition.

rm local.tgz
tar czvf local.tgz etc
tar czf state.tgz local.tgz
mv state.tgz /mnt/

Reboot your ESXi host, and you should now be able to log in with no password.

Categories: vSphere
  1. May 1, 2014 at 9:35 pm

    After checking out a number of the articles on your web page, I truly like your way of blogging.
    I saved it to my bookmark webpage list and will be checking back in the
    near future. Please visit my web site too and let me know what you think.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: