Managing the root account on a vCenter Server Appliance (VCSA) is a common administrative task. Whether the password needs to be changed, has expired, or has been completely lost, VMware provides supported recovery methods.
This quick tip covers the most common scenarios for VCSA 7.x, 8.x and 9.x.
Scenario 1: You Know the Current Root Password
If you know the current root password, simply connect to the VCSA and change it:
passwd
Enter the new password twice when prompted.
Scenario 2: The Root Password Has Expired
A common issue in VCSA environments is that the root password expires after the configured password lifetime has been reached. If you still have access to an SSO administrator account such as administrator@vsphere.local, you can reset the password without rebooting the appliance.
Connect Using an SSO Administrator
If SSH is disabled, enable it through the VAMI:
https://<vcenter_fqdn>:5480
Connect via SSH using your SSO administrator account and enable the shell:
shell.set --enable true
shell
Switch to the root shell:
sudo -i
Unlock the Root Account (if required)
For VCSA versions prior to 8.0 U2:
pam_tally2 --user=root --reset
For VCSA 8.0 U2 and later:
/usr/sbin/faillock --user root --reset
Change the Password
passwd
Enter the new password twice.
Clear Password History (if necessary)
If the appliance rejects the new password because it was used previously:
echo "" > /etc/security/opasswd
Then run the password change again:
passwd
Verify Password Aging Settings
chage -l root
Scenario 3: The Root Password Is Lost
If the password is unknown and no root login is possible, you can recover access through the GRUB bootloader.
Important: Create a backup and a snapshot of the VCSA before proceeding. If the appliance is part of an Enhanced Linked Mode (ELM) environment, snapshot all linked nodes.
Reboot the VCSA
Restart the appliance and wait for the Photon OS boot screen.
Enter the GRUB Edit Menu
Press e when the GRUB boot menu appears.
Locate the line beginning with:
linux
Append the following parameter to the end of the line:
init=/bin/bash
Boot into the Recovery Shell
Press F10 to continue booting.
Remount the Filesystem
mount -o remount,rw /
Unlock the Root Account (if required)
For VCSA versions prior to 8.0 U2:
pam_tally2 --user=root --reset
For VCSA 8.0 U2 and later:
/usr/sbin/faillock --user root --reset
Reset the Password
passwd
Enter the new password twice.
Clear Password History (if necessary)
If password reuse restrictions prevent setting the desired password:
echo "" > /etc/security/opasswd
Run the password change again:
passwd
Reboot the Appliance
umount /
reboot -f
Verify that you can log in using the new root password.
Optional: Disable Password Expiration
The following command disables password expiration for the root account:
chage -I -1 -m 0 -M 99999 -E -1 root
Warning: Disabling password expiration is generally not recommended for production environments. Regular password rotation is an important security control and is often required by corporate security policies, compliance frameworks, and industry best practices.
While disabling expiration may be acceptable in lab environments, home labs, proof-of-concept deployments, or temporary troubleshooting situations, production environments should typically maintain a password rotation policy and use secure credential management practices.
To view the current password aging configuration:
chage -l root
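To catch an approaching root password expiry before it leads to Scenario 2, the aging values that chage -l root reports can also be read from the root entry in /etc/shadow. The script below is an added example, not taken from the referenced KB articles; the function names, the 14-day warning threshold and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how close a shadow entry is to password expiry.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is the day of the last change (days since 1970-01-01), max is in days.

# days_left SHADOW_LINE TODAY_DAYS -> prints "never", "forced" or an integer
days_left() {
    line=$1 today=$2
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    # An empty max, or the 99999 set by "chage -M 99999", means no expiry.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never; return 0
    fi
    # An empty lastchg disables aging; 0 forces a change at the next login.
    if [ -z "$lastchg" ]; then echo never; return 0; fi
    if [ "$lastchg" -eq 0 ]; then echo forced; return 0; fi
    echo $(( lastchg + max - today ))
}

# classify SHADOW_LINE TODAY_DAYS WARN_DAYS -> OK | WARN | EXPIRED | NOEXPIRY
classify() {
    left=$(days_left "$1" "$2")
    case $left in
        never)  echo NOEXPIRY ;;
        forced) echo EXPIRED ;;
        *)  # Day 0 is reported as expired, which is the conservative choice.
            if [ "$left" -le 0 ]; then echo EXPIRED
            elif [ "$left" -le "$3" ]; then echo WARN
            else echo OK; fi ;;
    esac
}

# Constructed sample entries; the hash field is a placeholder.
SAMPLE_AGING='root:$6$PLACEHOLDER:20000:0:90:7:::'
SAMPLE_DISABLED='root:$6$PLACEHOLDER:20000:0:99999:7:::'

# Live use on the appliance, as root, with a 14-day warning window:
#   classify "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))" 14
```

A result of NOEXPIRY on a production appliance indicates that expiration has been disabled as described above.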
References
- Change or Reset the Root Account Password in vCenter Appliance
https://knowledge.broadcom.com/external/article/322247/change-or-reset-the-root-account-passwor.html
- vCenter Server Appliance Root Password Reset Without Reboot
https://knowledge.broadcom.com/external/article/321369/vcenter-server-appliance-root-password-r.html
Whether the password is expired, forgotten, or simply needs to be rotated, these procedures provide a safe and supported way to regain administrative access to your VCSA.







