Since VMware released vSphere 6.0 earlier this year, many customers who have deployed the vCenter Server Appliance...
have encountered the issue of an authentication failure when logging in using root credentials. Few users were aware that vCSA's default policy stipulates password expiration after a 90-day period.
Many users are just coming across this problem while upgrading their vCSA from 6.0 to the 6.0 Update 1, released in September using Full Patch. This upgrade process requires users to log into their vCSA and run a software package install command from the ESXi Shell. Unless you really need to do something with the vCSA shell you will hardly ever log in as root.
In fact, since the Virtual Appliance Management Interface (VAMI) was removed from 6.0, there has been no easy way of changing the expiry password unless users log into the shell and change it using command-line interface (CLI) commands.
So, how do you unlock the vCSA root password? It's actually quite simple.
Begin by rebooting vCSA. Once the Grand Unified Bootloader (GRUB) appears, press the spacebar to disable the autoboot.
Next, type "p" to access the boot options to vCSA. Enter the GRUB password and hit "Enter."
Note: If the vCSA was deployed without editing the root password, then the default GRUB password is "vmware".
If the vCSA root password was changed, then the GRUB password should be the password last set for the root account. A menu should now appear; depending on which version of the vCSA is installed, highlight "SLES 11 for VMware" or "VMware vCenter Server Appliance," and type "e" to edit the boot parameters. Now scroll to the second line displaying the kernel boot parameters.
Type "e" to edit the boot parameters, and add "init=/bin/bash" to the kernel boot options.
Now press "Enter" to redisplay the GRUB menu. To start the boot process, type "b" and then the system should boot directly to a shell.
To reset the vCSA root password, run the "passwd root" command.
Next, restart the appliance by running the "reboot" command. Once the vCenter Server Appliance is back online, log on as the root user. The "chage" command manages user account expiry. To view the default settings for the root account, run the following command:
chage -l root
This shows that the maximum day count for the password is 90 days, with a warning sent after seven days, depending on whether an email address has been configured along with Simple Mail Transfer Protocol (SMTP) settings. From the CLI, the password expiry policy can be disabled completely by running the following command to set "Maximum" to -1 and "Expiry Date" to -1:
chage –M -1 -E -1 root
Reboot the vCenter Server Appliance again. Your root account password is now set to never expire.
In lieu of this, if users want to replace the forced lockout with a forced password change, from the CLI open the "/etc/cron.daily/pass-expiration" script using a text editor like vi.
Delete these commands:
# disable the password if it's time and not already done.
# don't rely on the pam account facility. prepend an x in the shadow file.
if [ $TODAY -ge $DEADLINE ] && ! grep -q ‘root:x' $SHADOW; then
sed -e ‘s/^root:\(.*\)/root:x\1/' $SHADOW -i
Enter these commands to replace the forced lockout with a forced password change:
# force a password change for root if we've reached the password expiration date.
if [ $TODAY -ge $DEADLINE ]; then
chage –d 0 root
Save and close the file, then reboot vCSA.
Fortunately, with the vCSA 6.0 Update 1, VMware reintroduced the VAMI they removed for 6.0. The password expiry policy can now be set from within the VAMI.
Access the VAMI in a browser at the following IP address: (https://vCSA_IP_address:5480) or (https://vCSA_FQDN:5480).
Navigate to the "Administration" tab, and from the main window edit the password expiry settings.
Alternatively if apassword expiry setting is required then the password validity can be increased and an email is sent as a warning prior to password expiry.
A staggering number of VMware customers have been tripped up by the default password policy, and given that they will only access root when installing vSphere Installation Bundles or doing upgrades, most will only realize their passwords have expired after they have been locked out. It also doesn't help that during the deployment process of vCSA, you're not prompted to enter an email address and SMTP settings, meaning users won't receive notification of password expiry because the appliance is not configured to send out emails.
It's good that there's a backdoor into resetting the vCSA root password, but could this backdoor be used maliciously if the GRUB password is still set at the default?
Thankfully, VMware has reintroduced VAMI with the vCSA 6.0 Update 1, allowing most customers to access VAMI after deploying the vCSA to continue the configuration. Of course, this can all easily be avoided so long as users remember to turn off the root password expiry
VMware's vSphere 6 fails to impress
Good things in store for storage admins with vSphere 6
VSphere 6 pop quiz