
How to recover VCSA 5.5 from an expired administrator account?

09.10.2013 by William Lam // 9 Comments

Last week I wrote about a new security feature in the new VCSA 5.5 where the administrator account (root) password will now expire automatically after 90 days of powering on the VCSA if the password is not changed before then. This enhancement ensures that administrative passwords are rotated routinely, in line with good security practice. However, if you forget to change the password before it expires, you can still recover the VCSA, and this article will walk you through that process.

As a lab exercise, I have configured my root password to expire in one day and purposely let it expire. If you try to log in to the VAMI UI, you will get an "Unable to authenticate user" error, and you will see something similar if you log in to the SSH console. Ideally, this message should be a bit more descriptive and say something like "the password has expired" (which I have filed an internal bug for).

Requirements:

  • You will need console access to your VCSA
  • You will also need a Linux LiveCD, I personally like using KNOPPIX

Step 1 - Mount the Linux LiveCD to your VCSA and boot into the image. You will need to bring up a terminal shell. The version I am using has a menu and I just select the "shell" option.

Step 2 - Once you are in the terminal, you will need to switch to the root user by running the following command:

su -

Step 3 - Next, we need to mount the VCSA root partition, which will be /dev/sda3, to the /mnt directory by running the following command:

mount /dev/sda3 /mnt

Step 4 - We now need to edit the /etc/shadow file on our VCSA, which is located at /mnt/etc/shadow, to disable the account lock. You will need to use an editor such as vi to open the file.

For the root user account, you need to delete the "x" in the 2nd field and the numeric value in the 5th field (if it exists; this is the number of days until expiration, and the default is 90). The screenshot above shows which values need to be deleted. Once you have made the changes, go ahead and save the file.

Step 5 - Reboot the VCSA. You can now log in to both the VAMI UI and the SSH console.

Note: If you had the password expiration feature enabled, it has now been disabled for you to login. If you wish to re-enable it, you will need to configure it in the VAMI UI or through the CLI. Please refer to this article here for more details.
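The Step 4 edit as a script, for running from the LiveCD root shell instead of editing by hand. This is an added example, not from the original post: the function names are hypothetical, the sample shadow lines are constructed, and it assumes the "x" is a single character prefixed to the root password hash.

```shell
#!/bin/sh
# Added example: scripted form of the Step 4 edit to the mounted shadow file.
# Assumption: the lock marker is one "x" at the start of root's 2nd field.

# unlock_root SHADOW_FILE
# Prints the edited file to stdout; the input file is not modified.
unlock_root() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 == "root" {
            sub(/^x/, "", $2)   # 2nd field: drop the leading "x"
            $5 = ""              # 5th field: clear the maximum password age
        }
        { print }' "$1"
}

# apply_unlock SHADOW_FILE
# Keeps a copy as SHADOW_FILE.bak, then rewrites the file in place so that
# its owner and mode are preserved.
apply_unlock() {
    cp -p "$1" "$1.bak" &&
    unlock_root "$1.bak" > "$1"
}

# Runs the edit on a constructed two-line shadow file and prints the result.
demo_constructed() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x$6$CONSTRUCTEDSALT$constructedhash:15950:0:90:7:::
bin:*:15950::::::
EOF
    apply_unlock "$f" && cat "$f"
    rm -f "$f" "$f.bak"
}

# On the LiveCD, after Step 3, the call would be:
#   apply_unlock /mnt/etc/shadow
demo_constructed
```

Only the root entry is rewritten; every other line is printed back unchanged, and the .bak copy allows the original file to be restored if the result is not what you expect.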


Comments

  1. Jim Millard says

    09/11/2013 at 1:07 am

    There had better be another bug submission for this thing: there has GOT to be a better way to recover/reset this password, or the support team will be fighting a rearguard action starting 90 days after this thing goes GA.
    This post is certainly helpful, and I'm sure it'll end up getting reproduced as a KB article, but this is practically 180 degrees from the supposed ease & simplicity of using the VCSA over the Windows vCenter Server.

    • William Lam says

      09/11/2013 at 1:56 am

      Jim,

      Thanks for your feedback, I hear an official KB will be created 🙂 I'll pass along your feedback to the engineering team. Though the recovery may not be ideal, I think this should also motivate folks on putting processes in place for password rotation in general. We've done a lot on the virtual appliances to ensure they're more secure OOTB. Definitely something new, but that's one of the reasons I shared this article, to educate customers about the change, and you have the ability to extend the expiry or completely disable it.

  2. Unknown says

    09/11/2013 at 8:05 am

    I haven't got a VCSA to hand but can't you just boot into single-user mode by interrupting Grub and appending 'single' to the kernel boot line, then update the password using 'passwd'?

    Will.

    • William Lam says

      09/11/2013 at 2:45 pm

      No, that will not work. Though there is a GRUB password which you can provide and boot into single user mode, it still requires you to log in with the root account, and since that password has expired, it will not allow you in, which is what I found from quickly testing it.

  3. Virgil says

    11/26/2013 at 4:15 pm

    I've just run into this issue with a VCSA 5.5 Beta2 installation.... I thought it had been upgraded, but it seems not.

    Instead of booting a rescue CD, edit the GRUB boot and add the following to the kernel line.

    init=/bin/sh

    So that's:
    p (for password)
    vmware
    [down arrow]
    e (for edit)
    init=/bin/sh
    [enter]
    b (for boot)

    at the # prompt, edit shadow to remove the x and set account to non-expiring.

    vi /etc/shadow
    chage -M -1 -E -1 root

  4. Anand says

    11/04/2014 at 11:01 pm

    You guys are just Awesome

  5. Nik says

    09/03/2015 at 3:49 pm

    is there a way to disable "complex" password requirements?
