WilliamLam.com

How to recover VCSA 5.5 from an expired administrator account?

09.10.2013 by William Lam // 9 Comments

Last week I wrote about a new security feature in the new VCSA 5.5 where the administrator account (root) password now expires automatically 90 days after powering on the VCSA if the password is not changed before then. This enhancement ensures that administrative passwords are rotated routinely, which is good security practice. However, if you forget to change the password before it expires, you can still recover the VCSA, and this article walks you through that process.

As a lab exercise, I have configured my root password to expire in one day and purposely let it expire. If you try to log in to the VAMI UI, you will get an "Unable to authenticate user" error and you will see something similar if you log in to the SSH console. Ideally, this message should be a bit more descriptive to say something like the password has expired (which I have filed an internal bug for).

Requirements:

  • You will need console access to your VCSA
  • You will also need a Linux LiveCD, I personally like using KNOPPIX

Step 1 - Mount the Linux LiveCD to your VCSA and boot into the image. You will need to bring up a terminal shell. The version I am using has a menu and I just select the "shell" option.

Step 2 - Once you are in the terminal, you will need to switch to the root user by running the following command:

su -

Step 3 - Next, we need to mount the VCSA root partition, which is /dev/sda3, on the /mnt directory by running the following command:

mount /dev/sda3 /mnt

Step 4 - We now need to edit the VCSA's /etc/shadow file, which is now available at /mnt/etc/shadow, to disable the account lock. You will need to use an editor such as vi to open the file.

For the root user account, you need to delete the "x" in the 2nd field and the numeric value in the 5th field (if it exists; this is the number of days until expiration, and the default is 90). The screenshot above shows which values need to be deleted. Once you have made the changes, go ahead and save the file.

Step 5 - Reboot the VCSA. You can now log in to both the VAMI UI and the SSH console.

Note: If you had the password expiration feature enabled, it has now been disabled so that you can log in. If you wish to re-enable it, you will need to configure it in the VAMI UI or through the CLI. Please refer to this article here for more details.
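The Step 4 edit can also be made without an interactive editor. The script below is an added example, not part of the original post: the function names are hypothetical, the sample entry is constructed, and it assumes the lock marker is a single "x" sitting directly in front of a "$"-prefixed hash in field 2.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the lock marker is one "x" directly in front of a "$"-prefixed hash.

# unlock_shadow_entry FILE USER
# Prints FILE with USER's entry edited as in Step 4; other lines pass through unchanged.
unlock_shadow_entry() {
    awk -F: -v OFS=: -v user="$2" '
        $1 == user {
            sub(/^x\$/, "$", $2)   # field 2: drop the marker, keep the hash itself
            $5 = ""                # field 5: maximum password age in days
        }
        { print }
    ' "$1"
}

# apply_unlock FILE USER
# Keeps FILE.bak, then rewrites FILE in place so its owner and mode are preserved.
apply_unlock() (
    umask 077                      # the temporary copy holds password hashes
    cp -p "$1" "$1.bak" || exit 1
    unlock_shadow_entry "$1.bak" "$2" > "$1.new" || exit 1
    cat "$1.new" > "$1" && rm -f "$1.new"
)

# Constructed sample entry (not a real hash), shown before and after the edit.
sample=$(mktemp)
printf '%s\n' 'root:x$1$CONSTRUC$notARealHashValue000000:15950:0:90:7:::' > "$sample"
cat "$sample"
unlock_shadow_entry "$sample" root
rm -f "$sample"
```

From the LiveCD shell in Step 3, the in-place form would be `apply_unlock /mnt/etc/shadow root`, which leaves the untouched original in /mnt/etc/shadow.bak. A field 2 that does not start with "x$" is left as it is, so the hash is never shortened or emptied by mistake.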

Categories // Security, VCSA, vSphere Tags // chage, lockout, password, security, vami, vcenter, vcsa, vcva, vSphere 5.5

Administrator password expiration in new VCSA 5.5

09.05.2013 by William Lam // 4 Comments

A new security enhancement that you should be aware of when deploying the new vCenter Server Appliance (VCSA) 5.5 is that password expiration is now enabled for the administrator account (root) after powering on the VCSA. By default, the password expires after 90 days, and if it is not changed before then, the account will be locked out of the VAMI interface and the SSH console. From a security point of view, this is a nice feature to have to ensure administrative passwords are automatically rotated; however, it can also be an administrative challenge if you are not aware of this change and suddenly notice you can no longer log in after 90 days.

You can find the password expiration settings under the Admin tab of the VAMI interface. You have the ability to enable or disable the feature as well as change the number of days the password is valid for. If you decide to change the default number of days, you will be required to enter an email address which will be used to email you 7 days prior to expiration which is the default.

In addition to using the VAMI interface to configure these settings, I was also interested to see if these settings can be automated through the command-line and with a bit of digging, these options can be completely controlled through the CLI!

We will be using the chage utility which manages user account expiry. To view the default settings for the root account or any other account, run the following command:

chage -l root

We can see from the screenshot above, the maximum days before expiration is 90 and the number of days to warn before expiration is 7 which matches the VAMI UI.

Let's say we want to change the maximum days before expiration to 120 and, instead of warning 7 days before expiration, warn 12 days before. You can do so by running the following command:

chage -M 120 -W 12 root

If you wish to completely disable account password expiry, you can do so by running the following command:

chage -M -1 -E -1 root

You can also configure the email address through the command-line which is used to warn X days before password expiry. To add or update the email address, you will need to create a file called /etc/vmware-vpx/root.email that contains the email address.

From an operational perspective, you will want to ensure you configure an SMTP server in your vCenter Server after deploying the VCSA and ensure you add an email address so you can be notified before the root account password expires. You should also configure the maximum number of days before the password expires and the number of days to warn so that they match your internal security policies.

In the event that you lock yourself out, how do you go about recovering from this since you will not be able to log in to the VAMI interface nor the SSH console? I have purposely configured one of my VCSA to expire the password in 1 day, so stay tuned for a future article on how to recover from this.

Here is the article: How to recover VCSA 5.5 from an expired administrator account.
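The values that `chage -M` and `chage -W` set are stored in fields 5 and 6 of the account's /etc/shadow entry, next to the last-change day in field 3, so the time left before a lockout can be computed and monitored. The check below is an added example, not from the original post: the function name and the OK/WARN/EXPIRED labels are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# password_expiry_status FILE USER [TODAY]
# TODAY is a day number counted from 1970-01-01 (defaults to the current date).
# Prints "OK <days>", "WARN <days>", "EXPIRED <days>" or "never";
# returns 2 when USER has no entry in FILE.
password_expiry_status() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v user="$2" -v today="$today" '
        $1 == user {
            found = 1
            last = $3; max = $5; warn = $6
            # An empty or negative field 5 means no maximum age (chage -M -1);
            # 99999 is the customary "no limit" value on many distributions.
            if (last == "" || max == "" || max + 0 < 0 || max + 0 >= 99999) {
                print "never"; exit
            }
            left = last + max - today          # days until the password expires
            if (left < 0) state = "EXPIRED"
            else if (warn != "" && left <= warn + 0) state = "WARN"
            else state = "OK"
            print state, left
            exit
        }
        END { if (!found) exit 2 }
    ' "$1"
}

# Constructed entries: root uses the 90/7 defaults, svc has no maximum age.
sample=$(mktemp)
printf '%s\n' 'root:$1$CONSTRUC$notARealHashValue000000:15950:0:90:7:::' \
              'svc:*:15950:0::7:::' > "$sample"
password_expiry_status "$sample" root 16035   # constructed "today", 85 days after the change
password_expiry_status "$sample" svc 16035
rm -f "$sample"
```

Run as root against /etc/shadow from a daily job, a WARN or EXPIRED result gives a second signal alongside the warning email.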

Categories // VCSA, vSphere 5.5 Tags // chage, lockout, password, security, vami, vcenter, vcsa, vcva, vSphere 5.5

vCloud Suite Virtual Appliances: Passwords, Databases, URLs, etc

01.07.2013 by William Lam // 11 Comments

I recently re-organized my home lab and I got rid of a bunch of VMs for random projects that I have been working on last year. Part of this re-organization was to re-deploy a few of the virtual appliances found within the vCloud Suite. As part of the deployment, I often find myself scouring various documents looking for default credentials to the OS, VAMI interface or the application. It is not always easy to find and I often end up going to Google or the VMTN forums for the answer.

As a fun little exercise, I thought why not deploy all of the latest virtual appliances that are available in the vCloud Suite and just document the latest usernames/passwords for the application, OS, VAMI interface, database configurations, URLs, etc.? This would primarily be a reference for myself, but thought it might also benefit others as well. Duncan Epping had done this a while back for vCloud Director and a few other virtual appliances and funny enough, his site was one of the first ones I found for the default vCloud Director password.

Not only have I deployed all the virtual appliances from the vCloud Suite, which can be seen from the screenshot below, but I also went through each appliance and validated the credentials for the application, OS or VAMI interface if applicable as well as identified all database credentials and configurations which are not all publicly documented (this took a bit of digging in the appliances, but was not too difficult if you know where to look).

Note: All credentials and configurations were identified by going through public documentation and exploring the virtual appliances; internal VMware documentation and Wikis were not used (that would have been too easy).

Below is a quick summary of the credentials for each application, OS and VAMI interface, as well as the applicable database configurations, for the 15 virtual appliances within the vCloud Suite. To view the full report on all the virtual appliances in the vCloud Suite, you can refer to either the Spreadsheet or HTML report.

vCenter Infrastructure Navigator 2.0.0

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: root
Default VAMI Password: SAME AS OS PASSWORD
Database Type: N/A
Database Name: N/A
Default Database Port: N/A
Default DB Username: N/A
Default DB Password: N/A

vCenter Operations Manager (UI) 5.6.0

Default App Username: admin
Default App Password: admin
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: N/A
Default VAMI Password: N/A
Database Type: vPostgres
Database Name: cmapp
Default Database Port: 5432
Default DB Username: cm
Default DB Password: RANDOMLY-GENERATED (refer to spreadsheet/HTML report below for more details)

vCenter Operations Manager (Analytics) 5.6.0

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: N/A
Default VAMI Password: N/A
Database Type: vPostgres
Database Name: alivevm
Default Database Port: 5432
Default DB Username: alive
Default DB Password: RANDOMLY-GENERATED (refer to spreadsheet/HTML report below for more details)

vCenter Orchestrator 5.1.0

Default App Username: vmware
Default App Password: vmware
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: root
Default VAMI Password: vmware
Database Type: postgres
Database Name: vmware
Default Database Port: 5432
Default DB Username: vmware
Default DB Password: vmware

vCenter Server Appliance 5.1.0b

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: root
Default VAMI Password: vmware
Database Type: vPostgres
Database Name: VCDB
Default Database Port: 5432
Default DB Username: vc
Default DB Password: RANDOMLY-GENERATED (refer to spreadsheet/HTML report below for more details)

vCloud Connector (Server) 2.0.0

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: admin
Default VAMI Password: vmware
Database Type: vPostgres
Database Name: hcs1
Default Database Port: 5432
Default DB Username: postgres
Default DB Password: postgres

vCloud Connector (Node) 2.0.0

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: vmware
Default VAMI Username: admin
Default VAMI Password: vmware
Database Type: vPostgres
Database Name: hcs
Default Database Port: 5432
Default DB Username: postgres
Default DB Password: N/A

vCloud Director 5.1.1

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: Default0
Default VAMI Username: root
Default VAMI Password: vmware
Database Type: Oracle
Database Name: XE
Default Database Port: 1521
Default DB Username: vcloud
Default DB Password: VCloud

vCloud Networking and Security 5.1.2

Default App Username: admin
Default App Password: default
Default OS Username: admin
Default OS Password: default
Default VAMI Username: N/A
Default VAMI Password: N/A
Database Type: N/A
Database Name: N/A
Default Database Port: N/A
Default DB Username: N/A
Default DB Password: N/A

vFabric Application Director 5.0.0

Default App Username: admin
Default App Password: SET DURING DEPLOYMENT
Default OS Username: root or darwin_user
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: root
Default VAMI Password: SAME AS OS PASSWORD
Database Type: postgres
Database Name: darwin
Default Database Port: 5432
Default DB Username: darwin
Default DB Password: N/A

vFabric Hyperic Server (Server) 5.0.0

Default App Username: hqadmin
Default App Password: SET DURING DEPLOYMENT
Default OS Username: root
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: root
Default VAMI Password: SET DURING DEPLOYMENT
Database Type: N/A
Database Name: N/A
Default Database Port: N/A
Default DB Username: N/A
Default DB Password: N/A

vFabric Hyperic Server (DB) 5.0.0

Default App Username: N/A
Default App Password: SET DURING DEPLOYMENT
Default OS Username: root
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: root
Default VAMI Password: SAME AS OS PASSWORD
Database Type: vPostgres
Database Name: HQ
Default Database Port: 5432
Default DB Username: hqadmin
Default DB Password: SET DURING DEPLOYMENT

vMA 5.1.0

Default App Username: N/A
Default App Password: N/A
Default OS Username: vi-admin
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: vi-admin
Default VAMI Password: SAME AS OS PASSWORD
Database Type: N/A
Database Name: N/A
Default Database Port: N/A
Default DB Username: N/A
Default DB Password: N/A

vSphere Data Protection 5.1.1

Default App Username: root
Default App Password: changeme
Default OS Username: root
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: N/A
Default VAMI Password: N/A
Database Type: postgres
Database Name: vdrdb
Default Database Port: 5555
Default DB Username: admin
Default DB Password: N/A

vSphere Replication 5.1.0.1

Default App Username: N/A
Default App Password: N/A
Default OS Username: root
Default OS Password: SET DURING DEPLOYMENT
Default VAMI Username: root
Default VAMI Password: SAME AS OS PASSWORD
Database Type: vPostgres
Database Name: vrmsdb
Default Database Port: 5432
Default DB Username: vrmsdb
Default DB Password: N/A

Categories // Uncategorized Tags // appliance, database, Oracle, password, postgres, root, username, vami, vcloud suite, vmware, vpostgres, vSphere


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)
