WilliamLam.com

Administrator password expiration in new VCSA 5.5

by // 4 Comments

A new security enhancement that you should be aware of when deploying the new vCenter Server Appliance (VCSA) 5.5 is that there is now a password expiration that is enabled for the administrator account (root) after powering on the VCSA. By default, the password will expire 90 days after and if the password is not changed before the expiration, the account will be locked out of the VAMI interface and the SSH console. From a security point of view, this is a nice feature to have to ensure administrative passwords are automatically rotated, however this can also be an administrative challenge if you are not aware of this new change and you suddenly notice you can no longer login after 90 days.

You can find the password expiration settings under the Admin tab of the VAMI interface. You have the ability to enable or disable the feature as well as change the number of days the password is valid for. If you decide to change the default number of days, you will be required to enter an email address which will be used to email you 7 days prior to expiration which is the default.

In addition to using the VAMI interface to configure these settings, I was also interested to see if these settings can be automated through the command-line and with a bit of digging, these options can be completely controlled through the CLI!

We will be using the chage utility which manages user account expiry. To view the default settings for the root account or any other account, run the following command:

chage -l root

We can see from the screenshot above, the maximum days before expiration is 90 and the number of days to warn before expiration is 7 which matches the VAMI UI.

Lets say we want to change the maximum days before expiration to 120 and instead of warning 7 days before expiration, we want to change it to 12, you can do so by running the following command:

chage -M 120 -W 12 root

If you wish to completely disable account password expiry, you can do so by running the following command:

chage -M -1 -E -1 root

You can also configure the email address through the command-line which is used to warn X days before password expiry. To add or update the email address, you will need to create a file called /etc/vmware-vpx/root.email that contains the email address.

From an operational perspective, you will want to ensure you configure an SMTP server in your vCenter Server after deploying the VCSA and ensure you add an email address so you can be notified before the root account password expires. You should also configure the maximum number of days before the password expire and the number of days to warn to match your internal security policies.

In the event that you lock yourself out, how do you go about recovering from this since you will not be able to login to the VAMI interface nor the SSH console? I have purposely configured one of my VCSA to expire the password in 1 day, so stay tune for a future article on how to recover from this.

Here is How to recover VCSA 5.5 from an expired administrator account article.

vCloud Suite Virtual Appliances: Passwords, Databases, URLs, etc

by // 11 Comments

I recently re-organized my home lab and I got rid of a bunch of VMs for random projects that I have been working on last year. Part of this re-organization was to re-deploy a few of the virtual appliances found within the vCloud Suite. As part of the deployment, I often find myself scouring various documents looking for default credentials to the OS, VAMI interface or the application. It is not always easy to find and I often end up going to Google or the VMTN forums for the answer.

As a fun little exercise, I thought why not deploy all of the latest virtual appliance that are available in the vCloud Suite and just document the latest usernames/passwords for the application, OS, VAMI interface, database configurations, URLs, etc.? This would primarily be a reference for myself, but thought it might also benefit others as well. Duncan Epping had done this awhile back for vCloud Director and few other virtual appliance and funny enough, his site was one of the first ones I found for the default vCloud Director password.

Not only have I deployed all the virtual appliances from the vCloud Suite, which can be seen from the screenshot below,  but I also went through each appliance and validated the credentials for the application, OS or VAMI interface if applicable as well as identify all database credentials and configurations which are not all publicly documented (this took a bit of digging in the appliances, but was not too difficult if you know where to look).

[Read more...]

Default Password for vCenter SSO Admin Account on VCSA

by // 14 Comments

I thought I share this quick tidbit about the VCSA (vCenter Server Appliance) default password for the vCenter SSO Administrator account as I was just asked about it today and this was something I had research just earlier in the week. In the Windows version of vCenter SSO installation, users are prompted during the install to select a password for this account, you might have seen it show up as admin@System-Domain. For the VCSA, vCenter SSO is already installed and you might be wondering what the default password is?

Well, the answer is ... there is no default password. During the installation process, there is a random password that is generated and once the installation is complete, the password is then immediately removed. This is a good thing from a security perspective, by not having a default password set. This account is not only a vCenter SSO Administrator but it also the only account that has access to the internal RSA IMS system. You should definitely go in and set a password for this account after setting up your VCSA which can only be done through the vSphere Web Client.

Here are the steps:

1. Click on the Administration tab on the left hand side of the vSphere Web Client navigation bar.

2. Next click on "SSO Users ad Groups" and you should see the admin user account.

3. Lastly, you just need to right click and edit the user or select the pencil icon and set a password for the admin user account. Be sure to use a strong password, as there is a password validation before the system accepts the change.

Big thanks goes out to Michael Haines for helping me track down this answer about the default (or not so default) password for the admin account on the VCSA.