VCENTER – HOW TO RESET PASSWORD IF LOST
########################################
I show you how to reset the root password which is used to connect to the vcenter web gui (the one you access like this https://vcenter:5480/). Also its used to access the console (notice the login button, that will bring up a user prompt, where one would put “root” for username and whatever for the password). The default password is “vmware”. If your password or “vmware” doesnt work chances are you forgot the password and/or its expired. I will show you how to recover the password and also how to set the expiration to NEVER!
LINKS
######
I present you some links in no particular order
http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/
http://www.cyberciti.biz/tips/setting-off-password-aging-expiration.html
http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html
http://www.cyberciti.biz/faq/understanding-etcshadow-file/
http://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.vcenterhost.doc%2FGUID-A8071210-2F1C-447F-AFCD-A585D318F264.html
http://en.opensuse.org/SDB:Recover_root_password
https://communities.vmware.com/message/2263902
To download OpenSuse:
http://software.opensuse.org/131/en
Click on Rescue and select the 64 bit (or 32bit it doesnt matter)
INSTRUCTIONS
##############
1. Download Rescue CD for any Linux (it can be Knoppix, or Suse Linux)
NOTE: I downloaded the OpenSuse linux Recovery CD (64bit)
32 bit or 64 bit doesnt matter as we are just going to be editing files and not launching any programs
2. Launch vCenter with the CD (if your using a VM to launch your vCenter then you will need to edit the VM settings to connect the CD with the Recovery ISO)
3. Once your in open up a Terminal or Xterm and make sure to get root access
# sudo -i or # sudo su
Either one works
4. Once in, check out your partitions. VMWARE puts its stuff usually on /dev/sda3
# cat /proc/partitions
I see two items with 3rd partition, usually its sda3
sda3
sdb3
# mount /dev/sda3 /mnt
# cat /mnt/etc/shadow
You should see root user and plenty of vmware type of user names
If you dont try the other 3rd partition disks (this should never happen though, im pretty positive vmware center main boot data is always on sda3)
5. Backup the shadow file
# cp /mnt/etc/shadow /mnt/etc/shadow-backup1
6. Lets make a test user with our current setup, so that we can copy the new users password in place of the vmware root password
# useradd test123 # passwd test123
Set the password to “vmware” (thats the default password for vcenter). We can change it later through the webgui of vcenter. (the webgui being https://vcenter:5480)
This user test123 didnt get created into the vmware environment (so dont worry), it was made into the recovery environment and it will disappear once we reboot (since recovery environments never save settings – unless persistent storage is given)
# cat /etc/shadow | grep test123
Imagine it looks like this:
test123:$6$hajksdfhklajsdhfkljasdf:16255:0:90:::
NOTE: For you it will not say $6$hajksdfhklajsdhfkljasdf even if you use the same password as vmware (first off its always different, second of all I just made up that above password by smashing keys)
The format of every line in the shadow file is like this.
1username:2passwordencryptedornot:3lastpwchange:4minimum:5maximum(passexpire):6warning:7inactive:8accountexpire
We just need the password part.
Anyhow Lets append that to the vmware shadow file
# cat /etc/shadow | grep test123 >> /mnt/etc/shadow
7. Lets edit the vmware shadow file
I will assume general knowledge of vim (like visual mode – with v key, navigation with arrow keys or with the hjkl keys, deleting a character with the x key)
vi /mnt/etc/shadow
Locate the line for username root and username test123 (test123 should be at the bottom)
Find the root user and delete its password so that it looks like this (maybe leave extra spaces in between there so that you can easily paste):
root: :16255:0:90:::
Notice the password is missing and we just put extra spaces
NOTE: with vi you can character at a time with the “x” key (when in vi normal, and not in insert mode)
Now locate the test123 string and lets copy its password portion out and put it in the spaces where the root users password should be:
test123:$6$hajksdfhklajsdhfkljasdf:16255:0:90:::
Copy the password part, so in this case its:
$6$hajksdfhklajsdhfkljasdf
The way I would copy it in vim/vi is like this:
In normal mode put the cursor on the first $ sign which is the first character of the password field, and click “v” (for visual mode), then press the right arrow key (or “l” key, thats a lower case L) a few times until your blinking cursor is sitting on the f (the last character of the password field). So you should see a big selection box (thats what visual mode is for, its for selecting stuff), so now copy it with the “y” key (which means yank).
Now using the arrow keys (or the hjkl keys of vim) scroll up to the root usernames password field (and put the cursor right where all of the spaces are – right in the middle of the spaces)
root: . :16255:0:90:::
I put a dot where to put the cursor
Now press “p” to paste
The root line should now look like this
root: $6$hajksdfhklajsdhfkljasdf :16255:0:90:::
Now delete any of the extra spaces with “x” key so that it looks like this:
root:$6$hajksdfhklajsdhfkljasdf:16255:0:90:::
Now scroll down to the line that says test123, and press “d” twice so that the line is deleted. Now save and exit with “:wq!”
8. Now get out of the recovery rescue environment
cd / sync umount /mnt/ shutdown -h now
That last command will power off the machine
9. Take out the recovery/rescue cd
10. Boot up to normal mode. Now you should be able to get in to the console and the webgui (if cant get to webgui but can to console follow step 11)
11. Setting up none expiring password (fixing WebGUI not accessible)
If you still cant get in via WebGUI (but you can login to the console), you should be able to get in via the console. So press Login on the console and login via your (Just press ENTER when your at this screen):
Then log in with these credentials (remember at this point console login should work if it doesnt repeat all of the above steps, it the webgui that shouldnt work)
username: root password: vmware
Most likely you werent able to login because of your expiration values being off (maybe you waited so long that the expiration date is before todays date). Lets fix this by removing expiration.
The program chage can be used for that, luckily vcenter has it.
First see what chage says about your user:
# chage -l root
What we want is something like this:
# chage -l root minimum: 0 maximum 99999 warning: 7 inactive: -1 last change: jul 4th 2014 password expires: never password inactive: never account expires: never
Option1 – manually edit with vi
That or you can edit the last fields to say this:
root:encryptedpassword:16255:0:99999:7:::
16255 means that last password change was on July 4th 2014, it doesnt matter though it will never expire.
Option2 – use chage command line
# chage -I -1 -m 0 -M 99999 -E -1 root
Option3 – use chage interactive mode:
# chage root min password age [0]: enter or put 0 max passowrd age [90] : 99999 enter pass exp warning [7]: enter or put 7 enter pass inactive [-1]: enter or put -1 enter lass password change yyyy-mm-dd: 2014-07-04 put todays date in that format yyyy-mm-dd and press enter account expiration datea (yyyy-mm-dd) [1969-12-31]: just press enter
Without rebooting you should now be able to log in via webgui as well. After confirming, Reboot the box to confirm all is good and persists via reboot
Another Way to get none-expiring password
If you log in to the webgui and change the admin password to your choosing (from vmware), you can now set the password to expire in 99999 days or to never expire (it got the 99999 from our above steps)
So if we set it to not expire ever (not even in 99999 days, but in forever ever it wont expire).
It will then look like this after you set the root user (which is gracefulyl called admin user in the gui – even though we log in to the webgui with “root”)
vcenter1:/etc # chage -l root Minimum: 0 Maximum: -1 Warning: 7 Inactive: -1 Last Change: Jul 05, 2014 Password Expires: Never Password Inactive: Never Account Expires: Never
So you can just set the Maximum password instead of 99999 to -1
Option1: “with vi”
So if you do it manually with vi, it will look like this:
root:someencryptedpassword:16256:0::7:
Notice the 5tyh field is just empty
Option2: “with chage interactive more”
chage root
When asked for Max Password just set it to -1 and hit enter
Option3: “with chage none interactive (commandline)”
Or you can use the command line to set it like this
# chage -I -1 -m 0 -M -1 -E -1 root
This worked PERFECTLY for me. I deployed vCenter 6 using a password generated from KeePass, and then my machine crashed, KeePass didn’t save my password. But this walk through was spot on and now I’m back into my vCenter install. You probably saved me several hours worth of work so thank you!