On the vCSA console you have an option to log in. I don't really know why, but somehow after failing some logins or semi-resetting the account, I found that if I mistyped the password 3 times, I would actually get the root prompt. Now if you cannot get the root prompt, luckily you can use this excellent method (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) to get to the files also. If you do use the link's method, please note that you will need to mount/remount with read-write access, which is not mentioned. Hint:
mount -o remount,rw /mnt
So in the following commands, you will see [/mnt]. What I mean by this is that if you use the link's method, then you need /mnt/path; however, if you were able to get the vCSA's root prompt, then simply use the
Of course you should back up any files you plan to change!
We will use vi because it's the editor built into the vCSA. Remember in vi you can press a to insert or append to get into typing mode. Afterward, <esc>wq! to force save & quit or <esc>q! to abort and quit.
Firstly, I found that the password policy required a new, previously unused password that had to meet complexity requirements. This sucked tremendously considering I really really wanted to re-use the password. If you wish to do the same, try this; if not, skip it.
change root password policy with
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3
password required pam_pwhistory.so enforce_for_root remember=4 retry=3
The above should set that the password does not need to be significantly different from prior passwords and not to spam the prompt requesting retries.
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=0 retry=0
password required pam_pwhistory.so enforce_for_root remember=0 retry=3
An alternative way might be to purge the password history file with rm [/mnt]/etc/security/opasswd which of course I did.
If you can get to the vCSA's root prompt, then you can change the root password with
However, if you cannot, then potentially you can reuse your old password by reinstantiating the password hash from a backup shadow.* file. Revisit the above mentioned article (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) as it explains the shadow file.
Thusly, I was successful with restoring the default password of vmware by finding that [/mnt]/etc/shadow.UPDATE contained its hash. I copied the hash (installation specific I'm sure) into the existing root line and made sure the 5th field was nothing (::). It looked like such:
Once I had accomplished all this, I rebooted and was able to login with vmware. I reset my password with passwd at the root prompt. It complained it was too simple a password, but accepted it nonetheless.
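The shadow edit described above (copy root's hash from the backup file, empty the 5th field), as an added example that is not part of the original post. The function names and the sample files are constructed for illustration; on the appliance the two arguments would be [/mnt]/etc/shadow and [/mnt]/etc/shadow.UPDATE.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# root_field FILE N: print field N of the root line in a shadow-format file.
root_field() {
    awk -F: -v n="$2" '$1 == "root" { print $n; exit }' "$1"
}

# restore_root_hash LIVE BACKUP: copy root's hash (field 2) from BACKUP into
# LIVE and empty field 5 (maximum password age). LIVE is saved as LIVE.bak.
restore_root_hash() {
    live=$1; backup=$2
    hash=$(root_field "$backup" 2)
    # An empty, locked (!) or disabled (*) entry would not give a usable login.
    case $hash in
        ''|'!'*|'*'*) echo "no usable root hash in $backup" >&2; return 1 ;;
    esac
    cp -p "$live" "$live.bak" || return 1
    tmp=$(mktemp) || return 1
    # ENVIRON avoids awk -v escape processing; other lines pass through as-is.
    H=$hash awk -F: -v OFS=: '$1 == "root" { $2 = ENVIRON["H"]; $5 = "" } { print }' \
        "$live" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the owner and mode of LIVE are kept.
    cat "$tmp" > "$live"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample files; the hashes are placeholders, not real crypt output.
work=$(mktemp -d)
cat > "$work/shadow" <<'EOF'
root:$6$CONSTRUCTED$ExpiredPlaceholderHash:15000:0:90:7:::
bin:*:15000::::::
EOF
cat > "$work/shadow.UPDATE" <<'EOF'
root:$6$CONSTRUCTED$BackupPlaceholderHash:15000:0:90:7:::
EOF

restore_root_hash "$work/shadow" "$work/shadow.UPDATE"
grep '^root:' "$work/shadow"
```

The untouched original stays beside the edited file as shadow.bak, so a bad edit can be rolled back from the same rescue shell.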
Note: Through all this, I found that the actual client login Administrator@vSphere.local had never changed, so don't expect it to be the new one you just changed.
Furthermore, I followed this very fitting article (http://www.virtuallyghetto.com/2013/09/administrator-password-expiration-in.html) to completely disable root password expiration with chage -M -1 -E -1 root.
If you use VMware Update Manager (VUM), you may need to remediate its connection with http://kb.vmware.com/kb/2048210.
In addition to the resources linked above, the following were referenced during my adventure-less adventure.
As Always, Good Luck!