Symptoms
For versions prior to VCSA 6.7 Update 1, see Resetting root password in vCenter Server Appliance 6.5 to 6.7 U1.
- Logging in to the root account of vCenter Server Appliance (VCSA) fails.
- The root account of the vCenter Server Appliance 6.7 U1 and later is locked or account is expired.
- Forgot the root password.
Purpose
This article provides steps to reset the root password if you have lost or forgotten the existing root password for a VCSA 6.7U1 and later.
Cause
With the change within VCSA 6.7 U1, the SSO user who is part of SystemConfiguration.BashShellAdministrator group will be able to log in to Bash shell and can call any commands using sudo and without password. This aims at reducing the gap between the root and SSO administrator user. The user has to enable shell to log in to the bash shell. By default, the user will be logged into appliance shell.
Resolution
- Connect SSH to VCSA 6.7 and login using administrator@vsphere.local where vsphere.local is your default SSO Domain.
- If disabled, enable SSH using the VAMI ( https://<vcenter_fqdn>:5480 ).
- Can login as administrator@vphere.local or any other member of the SSO administrators group.
- Enable or Disable SSH and Bash Shell Access.
- If first time logging in, enable shell then enter shell.
- shell.set –enable true
- shell
- Once in shell as sso-user, run the below command to change to root shell.
- sudo -i
- Alternately, you could use the command: sudo passwd root
- Then once in root shell, run passwd to change the root password.
- passwd
- Now you can exit the session by running the exit or logout command and then log in through a new SSH session using your root account with updated password. Alternatively, you could run the su command in order to be prompted for the root password and get access as root.
Related Information
For 7.0U1 and 6.7P03 there are a few changes:
- The root user will be prompted for resetting the password when they try to SSH to the machine if expired or expiring.
- You can also log in to VAMI using SSO administrator and reset the root password from there.
- Email notification is sent earlier to prevent from having the root password expired.
- An alarm will be triggered in vsphere-ui to notify the user about the password expiry.