How to reset the lost or forgotten root password in vCenter Server Appliance 6.7 U1 and later

search cancel

How to reset the lost or forgotten root password in vCenter Server Appliance 6.7 U1 and later

book

Article ID: 321369

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to reset the root password if you have lost or forgotten the existing root password for a VCSA 6.7U1 and later.

Symptoms:

For versions prior to VCSA 6.7 Update 1, see Resetting root password in vCenter Server Appliance 6.5 to 6.7 U1.

Logging in to the root account of vCenter Server Appliance (VCSA) fails.
The root account of the vCenter Server Appliance 6.7 U1 and later is locked or account is expired.
Forgot the root password.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x

Cause

With the change within VCSA 6.7 U1, the SSO user who is part of SystemConfiguration.BashShellAdministrator group will be able to log in to Bash shell and can call any commands using sudo and without password. This aims at reducing the gap between the root and SSO administrator user. The user has to enable shell to log in to the bash shell. By default, the user will be logged into appliance shell.

Resolution

Process to Reset the Root Password in VCSA:

Connect SSH to VCSA 6.7 and login using [email protected] where vsphere.local is your default SSO Domain.

If disabled, enable SSH using the VAMI ( https://<vcenter_fqdn>:5480 ).
Can login as [email protected] or any other member of the SSO administrators group.
Enable or Disable SSH and Bash Shell Access.

If first time logging in, enable shell then enter shell.

shell.set --enable true
shell

Use the commands to enable the shell. shell shell.set --enable true shell

Once in shell as sso-user, run the below command to change to root shell.

sudo -i
Alternately, you could use the command: sudo passwd root

Then once in root shell, run passwd to change the root password.

passwd

Use the passwd command to reset the root password

Now you can exit the session by running the exit or logout command and then log in through a new SSH session using your root account with updated password. Alternatively, you could run the su command in order to be prompted for the root password and get access as root.

Note: If the [email protected] password is not available, please refer to Resetting root password in vCenter Server Appliance 6.5 and later.

Additional Information

For 7.0U1 and 6.7P03 there are a few changes:

The root user will be prompted for resetting the password when they try to SSH to the machine if expired or expiring.
You can also log in to VAMI using SSO administrator and reset the root password from there.
Email notification is sent earlier to prevent from having the root password expired.
An alarm will be triggered in vsphere-ui to notify the user about the password expiry.

Feedback

thumb_up Yes

thumb_down No