7

I've just inherited a very simple VM setup with a pair of ESXi servers clustered and everything is pretty much hooked up. Problem is I do not have the root passwords for the servers and no one has any idea what they are (password guessing has been tried).

From my understanding, ESXi does not have a single-user mode or anything equivalent. What are my options short of backing up the VMs and nuking the site?

Daniel Goldberg

4 Answers

10

There are methods to reset an ESXi host's root password, provided you have physical or out-of-band access to the server.

  • I've done this with Host Profiles by reapplying the profile gleaned from another host to the affected server. But you likely don't have the licensing to support this.
  • I've also had to use the boot CD/Live CD approach (also here), which assumes some Linux knowledge and involves setting an empty password or a known encrypted password in the shadow file.

As to how this can happen... Poor documentation, evil terminated administrators, a data center technician who left CAPS-LOCK on when building the servers, my bad memory, etc, :)

ewwhite
  • 1
    I never said there weren't other methods - only that the only officially supported method for ESXi is to reinstall. :) I haven't seen the BootCD approach before but have seen the host profiles method before. I also added an additional method in my answer below that I have used before. The licensing with host profiles can be worked around as well - grab a trial license key and apply it for the duration as needed and then reapply your full key after you are done. – Rex Mar 06 '14 at 20:38
  • I added the other answer as the "official" one but this is actually going to help me out if the bosses sign off on this. Thank you. – Daniel Goldberg Mar 09 '14 at 19:15
  • @DanielGoldberg You're welcome. – ewwhite Mar 09 '14 at 19:36
9

For ESXi, the only supported method to change the password is to reinstall.

Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.

If you have two hosts and they have the resources to support it, you could vMotion (and/or storage vMotion) the servers all onto a single host, remove and rebuild the empty host, add it back into the cluster. Then move all the guests onto the rebuilt host and remove/rebuild the remaining host. This would allow you to rebuild without incurring any downtime on the guests. Depending on your infrastructure and depending on the number of virtual machines to move, the two hosts should take less than a day to rebuild unless you have extraordinarily large or complex host configuration.

Also, if you are on an older version of ESXi, this would also be a good time to check your current hardware against the HCL and move up to the latest version if supported (After upgrading your vCenter server first of course).

Regarding non-supported methods that I will mention but don't necessarily advise.

  • Use vCenter to join each host to an AD Domain and set up and configure an AD user as an admin to the host and allow AD authentication. Use the vSphere client to connect directly to the host using AD credentials to log in. Once connected this way, you should be able to change the password for the root account through the vSphere client connected directly to the host. I've used this in a pinch and it does work.
  • Generate a host profile that specifies the password and attach it to the host. This can be done but still requires the host to be put into maintenance mode. Haven't used this method myself personally.
Rex
1

The ESXi root password is encrypted and stored in a file named /etc/shadow. Just as this article explains, you can remove the root password with the following steps:

  1. Boot your server from Ubuntu Live CD.
  2. Unpack the state.tgz and then local.tgz, delete the password hash inside the shadow file, and re-pack the archive.
  3. After that you can log on to the ESXi host as the root account without a password.
  • 1
    -1 This adds nothing that isn't already covered by the two 8-month old answers already here. – Rob Moir Nov 30 '14 at 07:39
  • 1
    @RobM strongly disagree, and so does Google. None of the existing answers provide explicit instructions and this does. Google's own machine learning algorithm has chosen this answer above the others to address the question posed by the query "reset esxi root password" (no quotes) – tacos_tacos_tacos Aug 16 '15 at 03:08
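
A read-only check to pair with the boot CD procedure described in the answers above, added here as an example and not part of any answer on this page: it unpacks a copy of state.tgz into a scratch directory and reports whether each account's shadow field is empty, locked or hashed, so a host does not go back into service with a blank root password. The function names, the constructed sample data and the assumption that local.tgz holds etc/shadow are mine.

```shell
# Added example: read-only audit of the shadow file packed inside state.tgz.
# Assumption: state.tgz contains local.tgz, which contains etc/shadow.

# Map a shadow password field to a status word; the hash is never printed.
classify_field() {
    case "$1" in
        '')        echo EMPTY ;;    # account logs in with no password
        '*'*|'!'*) echo LOCKED ;;   # password login disabled
        '$6$'*)    echo SHA512 ;;
        '$5$'*)    echo SHA256 ;;
        '$1$'*)    echo MD5 ;;      # legacy scheme, worth rotating
        *)         echo OTHER ;;
    esac
}

# Print "<account> <status>" for every line of a shadow file.
audit_shadow() {
    while IFS=: read -r user field rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        echo "$user $(classify_field "$field")"
    done < "$1"
}

# Unpack a COPY of state.tgz into a scratch directory and audit its shadow file.
audit_state_tgz() (
    work=$(mktemp -d) || exit 2
    rc=2
    if tar -xzf "$1" -C "$work" && tar -xzf "$work/local.tgz" -C "$work" \
       && [ -f "$work/etc/shadow" ]; then
        audit_shadow "$work/etc/shadow"; rc=0
    fi
    rm -rf "$work"
    exit "$rc"
)

# Status 0 when at least one account has an empty password field.
has_empty_password() {
    audit_state_tgz "$1" | grep -q ' EMPTY$'
}

# Build a small CONSTRUCTED sample archive under directory $1 (test data only).
make_sample() {
    mkdir -p "$1/src/etc" &&
    printf '%s\n' 'root::13358:0:99999:7:::' 'nobody:*:13358:0:99999:7:::' \
        'dcui:$6$CONSTRUCTED$hash:13358:0:99999:7:::' > "$1/src/etc/shadow" &&
    tar -czf "$1/local.tgz" -C "$1/src" etc &&
    tar -czf "$1/state.tgz" -C "$1" local.tgz
}

if [ "$#" -ge 1 ]; then audit_state_tgz "$1"; fi
```

Run it against a copy of the archive both before and after the edit; an `EMPTY` line for root after the host is back up means a new password still has to be set.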
-3

For ESXi 6, this worked for me:

# https://www.linkedin.com/pulse/reset-esxi-root-password-through-vcenter-esxcli-method-buschhaus
# First, set up $vmhosts. You can do this many ways.
$vmhosts = Get-Cluster -Name ClusterWithUnknownPassword | Get-VMHost

# Just so it contains one or more VMHost objects.
# To reset all ESXi host passwords use
# $vmhosts = Get-VMHost

$NewCredential = Get-Credential -UserName "root" -Message "Enter an existing ESXi username (not vCenter), and what you want their password to be reset to."

Foreach ($vmhost in $vmhosts) {
    $esxcli = get-esxcli -vmhost $vmhost -v2 #Gain access to ESXCLI on the host.
    $esxcliargs = $esxcli.system.account.set.CreateArgs() #Get Parameter list (Arguments)
    $esxcliargs.id = $NewCredential.UserName #Specify the user to reset
    $esxcliargs.password = $NewCredential.GetNetworkCredential().Password #Specify the new password
    $esxcliargs.passwordconfirmation = $NewCredential.GetNetworkCredential().Password
    Write-Host ("Resetting password for: " + $vmhost) #Debug line so admin can see what's happening.
    $esxcli.system.account.set.Invoke($esxcliargs) #Run command, if returns "true" it was successful.
}
bukowski