Friday, September 4, 2015

vCenter Server Appliance (vCSA) 5.5 SSL certificate replacement and root password reset the hard and/or easy way. (or The vCSA is Dead, Long Live the vCSA)

It all started because my SSL certificate had expired and, with recent updates to Chrome and Firefox, we could not log in. I found this perfect article (http://www.virtuallyghetto.com/2013/04/automating-ssl-certificate-regeneration.html) to regenerate the certificate from the command line, but I was locked out of the root account. I thought, as many do, that I had forgotten the root password, but it turns out that in v5.5 the root password expires after 90 days, and if you don't set an SMTP server and email address you will never be notified. Furthermore, after some time the account will be locked.

On the vCSA console you have an option to Login. I don't really know why, but somehow, after failing some logins or semi-resetting the account, I found that if I mistyped the password 3 times I would actually get the root prompt. If you cannot get the root prompt, luckily you can use this excellent method (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) to get to the files as well. If you do use the linked method, please note that you will need to mount/remount the filesystem with read-write access, which is not mentioned there. Hint: mount -o remount,rw /mnt

So in the following commands you will see [/mnt]. What I mean by this is that if you use the linked method, then you need /mnt/path; however, if you were able to get the vCSA's root prompt, then simply use /path (excluding /mnt).

Of course you should back up any files you plan to change!

We will use vi because it's the editor built into the vCSA. Remember that in vi you press i or a (insert or append) to get into typing mode. Afterward, <esc>:wq! to force save & quit, or <esc>:q! to abort and quit.

Firstly, I found that the password policy required a new, previously unused password that had to meet complexity requirements. This sucked tremendously, considering I really, really wanted to re-use the password. If you wish to do the same, try this; if not, skip it.

Change the root password policy with vi [/mnt]/etc/pam.d/common-password

Change:
password        requisite       pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3
password        required        pam_pwhistory.so enforce_for_root remember=4 retry=3
to:
password        requisite       pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=0 retry=0
password        required        pam_pwhistory.so enforce_for_root remember=0 retry=3

The above means the new password no longer has to differ significantly from prior passwords (difok=0 and remember=0), and the prompt will not keep nagging you with retries (retry=0).

An alternative would be to purge the password history file with rm [/mnt]/etc/security/opasswd, which of course I did as well.

If you can get to the vCSA's root prompt, then you can change the root password with passwd.

However, if you cannot, then you can potentially reuse your old password by restoring its hash from a backup shadow.* file. Revisit the above-mentioned article (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html), as it explains the shadow file.

Thus I was able to restore the default password of vmware by finding that [/mnt]/etc/shadow.UPDATE contained its hash. I copied the hash (installation specific, I'm sure) into the root line of the existing [/mnt]/etc/shadow and made sure the 5th field was empty (::). It looked like this:
root:$2y$10$Gye6636Oxy/2yK01.7MW0ud8pSE90cEYr92kLSwDvJmULjmTPnu0O:16581:0:90:7:::

Once I had accomplished all this, I rebooted and was able to log in with vmware. I then reset my password with passwd at the root prompt. It complained that the password was too simple, but accepted it nonetheless.

Note: Through all this, I found that the actual client login Administrator@vSphere.local had never changed, so don't expect it to be the new password you just set.

Furthermore, I followed this very fitting article (http://www.virtuallyghetto.com/2013/09/administrator-password-expiration-in.html) to completely disable root password expiration with chage -M -1 -E -1 root.
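Because the 90-day expiry and the chage fix above both come down to the numeric fields of the root line in /etc/shadow (field 3 = day of last change, field 5 = max days, field 6 = warn days), here is an added example, not from the original post, that audits such a line so you can catch an expiring root password before the appliance locks you out. The shadow lines are constructed samples with placeholder hashes; the day counts mirror the 16581/90/7 values shown above.

```shell
#!/bin/sh
# Added example: report root password expiry from a shadow(5) entry.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day numbers are days since the Unix epoch, exactly as shadow stores them.

# shadow_days_left <shadow line> <today in days since epoch>
# Prints days until the password expires (negative = already expired).
# Returns 2 without printing when max is empty or -1 (never expires),
# which is what "chage -M -1" leaves behind.
shadow_days_left() {
    line=$1
    today=$2
    last=$(printf '%s\n' "$line" | cut -d: -f3)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    [ -z "$max" ] || [ "$max" = "-1" ] && return 2
    echo $(( last + max - today ))
}

# shadow_status <shadow line> <today>
# Prints one of: expired, expiring (inside the warn window), ok, never.
shadow_status() {
    line=$1
    today=$2
    warn=$(printf '%s\n' "$line" | cut -d: -f6)
    [ -z "$warn" ] && warn=0
    left=$(shadow_days_left "$line" "$today") || { echo never; return 0; }
    if [ "$left" -lt 0 ]; then echo expired
    elif [ "$left" -le "$warn" ]; then echo expiring
    else echo ok
    fi
}

# Constructed samples (hashes are placeholders, not real password hashes).
# First: last change on day 16581 (2015-05-26), max 90 days, warn 7 days.
SAMPLE_EXPIRING='root:$2y$10$PLACEHOLDERHASH:16581:0:90:7:::'
# Second: the same account after "chage -M -1 root" (max field cleared).
SAMPLE_NEVER='root:$2y$10$PLACEHOLDERHASH:16581:0:::::'

today=$(( $(date +%s) / 86400 ))
for entry in "$SAMPLE_EXPIRING" "$SAMPLE_NEVER"; do
    printf '%s: %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$today")"
done
```

On a real appliance, run it against the actual root line (grep '^root:' /etc/shadow) from a cron job or monitoring check so that the expiry shows up somewhere other than an email that was never configured.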

If you use VMware Update Manager (VUM), you may need to remediate its connection with http://kb.vmware.com/kb/2048210.

In addition to the resources linked above, the following were referenced during my adventure-less adventure.
My other recent posts also relate to this issue, due to the weak-SSL deprecation policies of Mozilla, Google and Microsoft.


---
As Always, Good Luck! You can thank me with bitcoin.