WilliamLam.com

Recovering ESXi 7.x & 8.x host after forgetting or losing root password

by // 14 Comments

The general guidance and quickest way to recover an ESXi host if you have forgotten or lost the root password is to reset using vSphere Host Profiles if it was managed by vCenter Server or simply reinstall ESXi which would allow you to preserve the existing VMFS volumes along with any workloads that may reside on them.

In the past, it was also possible to reset the ESXi root password by booting the system into Linux and then manually updating the /etc/shadow file, which is simliar to how you could reset the password on a Linux-base system and you can find a number of blog articles outlining the details. With the introduction of the ESXi Configuration Store, the previous methodology no longer works for modern ESXi releases starting from ESXi 7.0 Update 1 and later.

Having said that, I know this is still a topic that comes up frequently, especially in the context of administrators joining a brand new company where the ESXi root password has not been properly documented or an admin being asked to support a random set of standalone ESXi hosts that have no owners. Regardless of the scenario, while a reinstallation is the quickest way to recover, it certainly would be nice to be able to maintain the original configuration, especially if there is no documentation to begin with.

While there has been various snippets of information shared online (here, here and here), which includes information from myself, I figured it might be good to figure out the latest process for recovering an ESXi 7.x or 8.x host without requiring a reinstallation.

[Read more...]

Quick Tip - API for Broadcom Security Advisories

by // 7 Comments

Broadcom publishes all security advisories within the Broadcom Support Portal (BSP), under Security Advisories on left hand navigation, which will take you to https://support.broadcom.com/group/ecx/security-advisory page.


You can also view specific Broadcom Division security advisories, by providing the specific Broadcom Division Segment ID, which also does not require a login to view.

Here is a table of all Broadcom Software Divisions that currently publishes security advisories:

[Read more...]

How to check the number of days before ESXi password expires?

by // 4 Comments

Local user accounts created in ESXi including the root user has a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the following ESXi Advanced Setting called Security.PasswordMaxDays which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organizations password management solution which is responsible keeping track and notifying when local passwords are about to expire. With that said, not everyone has a password management solution and how do you quickly check how many days left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage but the version that ESXi ships is a stripped down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant, that the password expiry would need to be calculated manually and luckily, this is not a new concept. The answer lies in the /etc/shadow file which contains a number of fields that can then be used to figure out the number of days left before an account expires or if has already expired. I will not bore you with the details, but you can create the following shell script which can run in the ESXi Shell to provide you with the answer.

[Read more...]