WilliamLam.com

Recovering ESXi 7.x & 8.x host after forgetting or losing root password

by // 14 Comments

The general guidance and quickest way to recover an ESXi host if you have forgotten or lost the root password is to reset using vSphere Host Profiles if it was managed by vCenter Server or simply reinstall ESXi which would allow you to preserve the existing VMFS volumes along with any workloads that may reside on them.

In the past, it was also possible to reset the ESXi root password by booting the system into Linux and then manually updating the /etc/shadow file, which is simliar to how you could reset the password on a Linux-base system and you can find a number of blog articles outlining the details. With the introduction of the ESXi Configuration Store, the previous methodology no longer works for modern ESXi releases starting from ESXi 7.0 Update 1 and later.

Having said that, I know this is still a topic that comes up frequently, especially in the context of administrators joining a brand new company where the ESXi root password has not been properly documented or an admin being asked to support a random set of standalone ESXi hosts that have no owners. Regardless of the scenario, while a reinstallation is the quickest way to recover, it certainly would be nice to be able to maintain the original configuration, especially if there is no documentation to begin with.

While there has been various snippets of information shared online (here, here and here), which includes information from myself, I figured it might be good to figure out the latest process for recovering an ESXi 7.x or 8.x host without requiring a reinstallation.

[Read more...]

How to check the number of days before ESXi password expires?

by // 4 Comments

Local user accounts created in ESXi including the root user has a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the following ESXi Advanced Setting called Security.PasswordMaxDays which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organizations password management solution which is responsible keeping track and notifying when local passwords are about to expire. With that said, not everyone has a password management solution and how do you quickly check how many days left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage but the version that ESXi ships is a stripped down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant, that the password expiry would need to be calculated manually and luckily, this is not a new concept. The answer lies in the /etc/shadow file which contains a number of fields that can then be used to figure out the number of days left before an account expires or if has already expired. I will not bore you with the details, but you can create the following shell script which can run in the ESXi Shell to provide you with the answer.

[Read more...]

Monitoring vSphere account password & permission changes 

by // Leave a Comment

If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.

Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts including vSphere Single Sign-On (SSO) users. My response to each of these questions all point back to a leveraging specific vSphere Events and I thought I share some of use cases in which vSphere Events can help

  • When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
  • How much time left (expiry) before the vSphere SSO user password must be changed?
  • Audit of all password changes for an vSphere SSO user (e.g. *protected email*)?
  • Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
  • When was the last time a vSphere SSO user (e.g. *protected email*) password was reseted?
  • Who recently added new permission to a vSphere user?
  • Who recently removed a permission from a vSphere user?
  • Who recently updated vSphere Role with additional permissions?
  • Who recently updated vSphere Role and removed permissions?

[Read more...]