On the vCSA console you have an option to Login. I don't really know why, but somehow after failing some logins or semi-resetting the account, I found that if I mistyped the password 3 times, I would actually get the root prompt. Now if you cannot get the root prompt, luckily you can use this excellent method (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) to get to the files also. If you do use the link's method, please note that you will need to mount/remount with read-write access, which is not mentioned. Hint:
mount -o remount,rw /mnt
So in the following commands, you will see [/mnt]. What I mean by this is that if you use the link's method, then you need /mnt/path; however, if you were able to get the vCSA's root prompt, then simply use /path (excluding /mnt).
Of course you should back up any files you plan to change!
We will use vi because it's the editor built into the vCSA. Remember in vi you can press i or a to insert or append to get into typing mode. Afterward, <esc>:wq! to force save & quit or <esc>:q! to abort and quit.
Firstly, I found that the password policy required a new, previously unused, password that had to meet complexity requirements. This sucked tremendously considering I really really wanted to re-use the password. If you wish to do the same try this, if not skip it.
Change the root password policy with
vi [/mnt]/etc/pam.d/common-password
Change
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3
password required pam_pwhistory.so enforce_for_root remember=4 retry=3
to
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=0 retry=0
password required pam_pwhistory.so enforce_for_root remember=0 retry=3
The above should set that the password does not need to be significantly different from prior passwords and not to spam the prompt requesting retries.
An alternative way might be to purge the password history file with
rm [/mnt]/etc/security/opasswd
which of course I did.
If you can get to the vCSA's root prompt, then you can change the root password with
passwd
However, if you cannot, then potentially you can reuse your old password by reinstantiating the password hash from a backup shadow.* file. Revisit the above-mentioned article (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) as it explains the shadow file.
Thusly, I was successful with restoring the default password of vmware by finding that [/mnt]/etc/shadow.UPDATE contained its hash. I copied the hash (installation specific I'm sure) into the existing [/mnt]/etc/shadow's root line and made sure the 5th field was nothing (::). It looked like such:
root:$2y$10$Gye6636Oxy/2yK01.7MW0ud8pSE90cEYr92kLSwDvJmULjmTPnu0O:16581:0:90:7:::
Once I had accomplished all this, I rebooted and was able to login with vmware. I reset my password with passwd at the root prompt. It complained it was too simple a password, but accepted it none-the-less.
Note: Through all this, I found that the actual client login Administrator@vSphere.local had never changed, so don't expect it to be the new one you just changed.
Furthermore, I followed this very fitting article (http://www.virtuallyghetto.com/2013/09/administrator-password-expiration-in.html) to completely disable root password expiration with
chage -M -1 -E -1 root
If you use VMware Update Manager (VUM), you may need to remediate its connection with http://kb.vmware.com/kb/2048210.
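Once recovery is done, it is worth checking whether the relaxed settings from the common-password edit are still in place. The script below is an added example, not part of the original post: it reads a common-password file and reports the difok and remember options when they are lower than the "before" values quoted above. The function names, the baseline variables and the sample input are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Baselines are the "before"
# values quoted in the post; treating them as the target is an assumption.
BASE_DIFOK=4
BASE_REMEMBER=4

# pam_opt LINE KEY: print the value of KEY=value on a PAM line, or "unset".
pam_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i <= NF; i++) {
              n = index($i, "=")
              if (n > 1 && substr($i, 1, n - 1) == key) v = substr($i, n + 1)
          } }
        END { print (v == "" ? "unset" : v) }'
}

# check_opt MODULE KEY VALUE BASELINE: report VALUE if numeric and below BASELINE.
check_opt() {
    case "$3" in
        ''|*[!0-9]*) return 0 ;;   # unset or non-numeric: nothing to compare
    esac
    if [ "$3" -lt "$4" ]; then
        echo "RELAXED $1 $2=$3 (baseline $4)"
    fi
}

# audit_pam_policy FILE: print one RELAXED line per weakened option.
audit_pam_policy() {
    while IFS= read -r line; do
        case "$line" in
            password*pam_cracklib.so*)
                check_opt pam_cracklib.so difok "$(pam_opt "$line" difok)" "$BASE_DIFOK" ;;
            password*pam_pwhistory.so*)
                check_opt pam_pwhistory.so remember "$(pam_opt "$line" remember)" "$BASE_REMEMBER" ;;
        esac
    done < "$1"
}

# Constructed sample: the two edited lines exactly as shown in the post.
sample_edited() {
    cat <<'EOF'
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=0 retry=0
password required pam_pwhistory.so enforce_for_root remember=0 retry=3
EOF
}

tmp=$(mktemp)
sample_edited > "$tmp"
audit_pam_policy "$tmp"   # on the appliance: audit_pam_policy [/mnt]/etc/pam.d/common-password
rm -f "$tmp"
```

No output means neither option is below its baseline; restoring the original two lines from your backup clears both findings.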
In addition to the resources linked above, the following were referenced during my adventure-less adventure.
- http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-password-quality-control/
- http://www.vladan.fr/how-to-change-the-default-password-policies-in-vsphere-5-5/
- http://www.vladan.fr/how-to-unlock-the-vmware-vcsa-root-password/
- http://www.itworld.com/article/2726217/endpoint-protection/how-to-enforce-password-complexity-on-linux.html
- http://steronius.blogspot.com/2015/09/vcenter-chrome-45-errsslweakserverephem.html
- http://steronius.blogspot.com/2015/08/https-ssl-cipher-remediation-for.html
---
As Always, Good Luck!