ESXi root password reset

Forgot your ESXi root password? Don’t panic, here are 4 ways to reset it.

Passwords are something that everyone forgets easily, and ESXi's root password is no exception. Without the root password, you lose control of the host, so it's important to know how to reset the ESXi root password. This article will focus on how to reset the ESXi root password.

The article originates from SinsTu NI - https://www.sinstu.com/archives/76.html

When this happens, the official KBs are the first place to look. Unfortunately, according to VMware the only way to reset the password is to reinstall the operating system. What should you do if you don't want to reinstall the system? This article tells you!

This article uses ESXi 6.7.0 (8169922), but it is also applicable to ESXi 6.X and ESXi 5.X. The method of resetting the password is very dangerous, so use it with caution.

  • Theoretical discovery

After considering some scenarios for forgotten passwords, I found that these two scenarios are the most common:

A. Forgot ESXi root password, but can access the host through vCenter.

B. Forgot the ESXi root password, but cannot access it.

The second one looks worse, and this article will tell you how to reset your password in both cases.

  • Change password via vCenter

Here is the scenario: the ESXi root password has been forgotten, but vCenter is installed. This is a very common problem. The administrator manages the host through vCenter, but one day they forget the host password. In this case, it is not difficult to recover the password.

First, let's look at how to change the password via the Flash-based vCenter Web Client; the HTML client is not suitable here.

Note: The ESXi license cannot be lower than Enterprise Plus.

In order to reset the password, the host configuration file needs to be extracted, edited, and uploaded.

Go to vCenter and extract the host configuration file.

While extracting, specify the hostname and enter some necessary description.

Check the entered information and click Finish.

In vCenter, navigate to the "Home" tab and then go to "Host Profiles".

Right-click "Host Profiles" and edit settings.

If necessary, specify a new name and description.

After changing the name and host description, go to the "Edit host profiles" tab. There are actually a lot of settings you can change here, but we're only going to change the host password.

Now that the password has been changed, add the host to the cluster and apply the settings.

In the Attach/Detach Hosts and Clusters menu, select the host whose password you want to change. It is important to mention here that changes can be applied to multiple hosts.

After adding the host, you can change the network settings if needed and just click "Finish" to apply the settings.

The node needs to be put into maintenance mode, otherwise no settings can be applied.

Confirm to put the selected hosts into maintenance mode. Note that unless the virtual machine can be temporarily shut down, the virtual machine needs to be migrated. In my case, I didn't have mission-critical VMs on the host, so I just powered them off beforehand.

Now, go back to the "Object" tab, right-click on "Host Profiles" and select "Remediate".

Select the desired host.

Verify all settings and check if the changes can be fully applied. Click "Finish".

After restarting the host, exit maintenance mode.

Now, you can check whether the password has been reset successfully and use the new password to log in to the ESXi host through the Web Client.

  • Reset password by using Active Directory and vCenter

Passwords can be changed in vCenter using Active Directory. If you add ESXi to a domain, you can reset the password by logging into the node as a domain user.

Go to "AD Users and Computers" on the domain controller and create a new group "ESXi Admins". Make sure to use exactly this name for the group, and add a new user that you will use to reset the password later. It can be any user, such as TestUser.

Join the host with the forgotten password to the domain.

Try to log in to the ESXi host as TestUser; the format is User@Domain or Domain\User.

After logging in to the host, go to the "Security & users" tab and reset the password.

From now on, the new password can be used. If the host is not required to be in the domain, it can be removed from the domain.

Apply the changes and reboot the host.

Note: It is very easy to change the password using vCenter, but VMware does not recommend it for some reasons.

  • Reset password on standalone ESXi host

Now that you know how to reset the ESXi password with vCenter, let's look at some trickier situations. Assume that vCenter is not installed on the host and you do not want to reinstall the operating system. So how do you reset the password on this node?

Without shutting down the host, there is no way to circumvent ESXi security to reset the password. This means that each virtual machine must be shut down.

You need to boot from a CD image; this article uses Ubuntu GNOME.

In short, you need to boot from the flash drive, mount the required ESXi datastore, unpack the archive, and then edit the password file. Put the archive back in its original directory, and after restarting the host you can access it without using a password.

  • Edit "shadow" file
  • What is a "shadow" file?

For security reasons, ESXi encrypts passwords in certain files... Regardless, you can still reset the password in the following way. According to some unofficial sources, this file is called "shadow". It can be found on one of the boot volumes in the /etc directory. Before the host starts, /etc is stored inside local.tgz, which is itself stored inside state.tgz. Here is the path: /etc => local.tgz => state.tgz.

Here is how the disk is laid out in ESXi 6.0 or later:

Volume name | What is it for? | Volume size in my case
/dev/sda1 | Starts the system | 4 MB
/dev/sda2: /scratch | System volume that is created while installing ESXi on the over-5 GB disk. | 4 GB
/dev/sda3: VMFS datastore | Represents all the remaining disk space |
/dev/sda5: /bootbank | The ESXi image | 250 MB
/dev/sda6: /altbootbank | The older system version image. You'll see it as an empty volume if you have never updated the system | 250 MB
/dev/sda7: vmkDiagnostic (the first volume) | Keeps the core dump | 110 MB
/dev/sda8: /store | VMware Tools image | 286 MB
/dev/sda9: vmkDiagnostic (the second volume) | Keeps all the information connected with vSAN diagnostics. You can observe this volume only in over-8 GB datastores | 2.5 GB

Out of all these volumes, we only need the /bootbank one; the "shadow" file should be there.

Start the host from the flash drive, then launch the terminal.

Run the following command to gain root privileges:

# sudo su

Look at the disk names to find the one you want.

# fdisk -l | grep /dev/sda

The 250 MB /dev/sda5 partition is the one required. Create a mount directory for it.

# mkdir /mnt/sda5

Now create a directory for temporary files.

# mkdir /temp

Use the command below to mount the /dev/sda5 partition.

# mount /dev/sda5 /mnt/sda5

Find the state.tgz mentioned above

# ls -l /mnt/sda5/state.tgz

Extract state.tgz and local.tgz.

# tar -xf /mnt/sda5/state.tgz -C /temp/

# tar -xf /temp/local.tgz -C /temp/

Once you've finished extracting, delete the old archives:

# rm /temp/*.tgz

Open the file, edit it, and close it. It's that simple! To check for changes again, open the file again.

# vi /temp/etc/shadow

This is the content of the "shadow" file, which contains the passwords of all users.

To reset the password, delete everything between the first two colons of the root entry so that only a double colon remains. Remember, everything is encrypted, which is why the password looks weird.

# vi /temp/etc/shadow

# cd /temp

Pack the "shadow" file back into the archives:

# tar -czf local.tgz etc

# tar -czf state.tgz local.tgz

Move the new archive to the initial directory.

# mv state.tgz /mnt/sda5/

Unmount the /sda5 disk:

# umount /mnt/sda5

Restart the host

# reboot

All commands required are listed here.

Restart the server now and try to access the host without using any password.

Select Configure Password and type the new password.
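
A check worth running on the rebuilt archive before it replaces the one on /mnt/sda5, as an added example that is not part of the original article: it confirms that state.tgz contains local.tgz, that local.tgz contains etc/shadow with a root entry, and it lists accounts whose password field is empty. The function names and the sample shadow data are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a rebuilt state.tgz before it goes back to bootbank.
# Function names and sample data are constructed for illustration.

# Print the names of accounts whose password field (2nd field) is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Verify state.tgz -> local.tgz -> etc/shadow and that a root entry exists.
# Prints "ok" and returns 0 on success; prints the reason and returns 1 otherwise.
verify_state_archive() {
    archive=$1
    work=$(mktemp -d) || return 1
    result=ok
    if ! tar -xzf "$archive" -C "$work" 2>/dev/null; then
        result="state.tgz is not a readable gzip tar"
    elif [ ! -f "$work/local.tgz" ]; then
        result="local.tgz missing from state.tgz"
    elif ! tar -xzf "$work/local.tgz" -C "$work" 2>/dev/null; then
        result="local.tgz is not a readable gzip tar"
    elif [ ! -f "$work/etc/shadow" ]; then
        result="etc/shadow missing from local.tgz"
    elif ! grep -q '^root:' "$work/etc/shadow"; then
        result="no root entry in etc/shadow"
    fi
    rm -rf "$work"
    echo "$result"
    [ "$result" = ok ]
}

# Constructed sample: a shadow file with root's password field cleared,
# packed the same way the article rebuilds the archive.
make_sample() {
    dir=$1
    mkdir -p "$dir/etc"
    printf '%s\n' 'root::13358:0:99999:7:::' \
                  'dcui:*:13358:0:99999:7:::' \
                  'vpxuser:$6$CONSTRUCTED$notarealhash:13358:0:99999:7:::' > "$dir/etc/shadow"
    ( cd "$dir" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz )
}

demo=$(mktemp -d)
make_sample "$demo"
verify_state_archive "$demo/state.tgz"
echo "accounts with empty password: $(empty_password_accounts "$demo/etc/shadow")"
rm -rf "$demo"
```

In the procedure above this would be run against /temp/state.tgz before the mv step. Any account it lists can log in without a password until a new one is set.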

  • Replace "shadow"

There is another way to reset the ESXi root password using "shadow". In fact, this is just a variation of the above method: use another host's "shadow" file. Just copy the "shadow" file from another ESXi host with a known root password to the flash drive. To get files with passwords from other hosts, WinSCP is required. The file can be retrieved from the host using the known ESXi root password, no shutdown required.

Next, open a terminal in Ubuntu GNOME and reset your password.

Change user permissions to root permissions:

# sudo su

Take a look at what's on the disk.

# fdisk -l | grep sd

Create two temporary folders

# mkdir /mnt/sda5

# mkdir /mnt/sdb1

Mount the ESXi disk and flash disk where "shadow" is located.

# mount /dev/sda5 /mnt/sda5

# mount /dev/sdb1 /mnt/sdb1

Create a directory for temporary files.

# mkdir /temp

Create folder to save copy of state.tgz

# mkdir /mnt/sdb1/save

Find the necessary files.

# ls -l /mnt/sda5/state.tgz

Copy the file.

# cp /mnt/sda5/state.tgz /mnt/sdb1/save

Run the following command to check if the file has been copied

# ls -l /mnt/sdb1/save

Extract state.tgz using the following command:

# tar -xf /mnt/sda5/state.tgz -C /temp/

Check the extracted files.

# ls -l /temp

Extract local.tgz.

# tar -xf /temp/local.tgz -C /temp/

Make sure the /etc directory was extracted.

# ls -l /temp

Delete the local.tgz archive to ensure it is not included in the new archive.

# rm /temp/local.tgz

Find the "shadow" file in /etc

# ls -l /temp/etc

Replace the current "shadow" file with a "shadow" file with a known password.

# cp /mnt/sdb1/shadow /temp/etc

# vi /temp/etc/shadow

If you don't want certain users to have access to the host, you can remove them from the inventory. Here I have removed Test from the users who can access the host. Why only delete Test? At this point, I would like to remind you not to delete any users you are not familiar with. In my case, all users except Test are system users. If you remove any of them, you may make your operating system unstable!

Check if all changes have been applied.

# vi /temp/etc/shadow

Go to /temp and create local.tgz.

# cd /temp

# tar -czf local.tgz etc

Check if archiving is running smoothly.

# ls -l /temp/

Create state.tgz

# tar -czf state.tgz local.tgz

Check if it has been created

# ls -l /temp/

Move state.tgz

# mv state.tgz /mnt/sda5/

Check the results again.

# ls -l /mnt/sda5/

Unmount sda5

# umount /mnt/sda5

Restart the host

# reboot

If everything is correct, you can access the host using a known password.

If the host starts behaving strangely after a reboot, there will still be a copy of the initial files. It is possible to mount both /sda5 and /sdb1, retrieve the original state.tgz using the following command, and try again!

# cp /mnt/sdb1/save/state.tgz /mnt/sda5/

  • Summary

Four methods to reset the root password of an ESXi host are discussed. The first method is the simplest and will work very well if vCenter is installed. If you don't have vCenter, you can still reset your password, but the latter two methods are a bit risky. In particular, use the last method with caution; it will be more annoying if you delete any system users.

 
  • by admin, published on 2024-04-11 18:06:41
  • Please make sure to keep the link to this article when reprinting: https://www.sinstu.com/archives/76.html