ESXi

How to check the number of days before ESXi password expires?

08.08.2023 by William Lam // 3 Comments

Local user accounts created in ESXi including the root user has a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the following ESXi Advanced Setting called Security.PasswordMaxDays which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organizations password management solution which is responsible keeping track and notifying when local passwords are about to expire. With that said, not everyone has a password management solution and how do you quickly check how many days left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage but the version that ESXi ships is a stripped down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant, that the password expiry would need to be calculated manually and luckily, this is not a new concept. The answer lies in the /etc/shadow file which contains a number of fields that can then be used to figure out the number of days left before an account expires or if has already expired. I will not bore you with the details, but you can create the following shell script which can run in the ESXi Shell to provide you with the answer.

[Read more...]

Clearing TPM alarms after replacing TPM chip or resetting TPM keys for ESXi

06.07.2023 by William Lam // 10 Comments

If you have a supported Trusted Platform Module (TPM) device that has been installed in your ESXi host after the initial installation and you either replace the TPM chip and/or you reset the TPM keys within the system BIOS, you may find several TPM alarms that is raised within your vCenter Server including:

Host TPM attestation alarm
TPM Encryption Recovery Key Backup Alarm
The new host TPM endorsement key doesn't match the one stored in the DB

I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS, this was for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.

After a bit of searching, I came across this VMware KB 81446 which outlines a solution to one the scenarios I mentioned above where you would see these TPM alarms, which is replacing the TPM chip, but I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing a some details, which I have already shared in the feedback and I think there is a more streamline method which I have shared below.

[Read more...]

Quick Tip - How to monitor when ESXi filesystem and partitions are filling up?

05.30.2023 by William Lam // 3 Comments

Here is another tidbit on how you can leverage the power of vSphere Events, which now includes over 2K+ as of vSphere 8.0 Update 1 to help monitor when an ESXi filesystem and/or partition is low on disk space.

With vSphere 6.7 or later, we have two events that you can use to help alert when either an ESXi ramdisk (e.g. /var) or VFAT partition (e.g. bootbanks) has filled up.

Ramdisk: esx.problem.visorfs.ramdisk.full
VFAT: esx.problem.vfat.filesystem.full.other

When either of these occur, you can easily find them under the Monitor->Events section for an ESXi host as shown in the screenshot below.

[Read more...]