Reset root user password in ESXi 7.x

Sometimes, for various reasons, you may be unable to log in to the ESXi management console because you don’t have a valid password. This can happen after a system breach, a system failure, a lost password, or when you inherit an ESXi setup without documentation or proper administrative control. It is an inconvenient situation that you will need to address: perhaps not immediately, but certainly when something goes wrong and you have to intervene in a system that has been running normally until then. This guide is written specifically for such cases.

Backup

Before performing any actions, you must create backups of the configuration, virtual machines, network settings, and license.

  1. Host Configuration:

    vim-cmd hostsvc/firmware/backup_config
    • The command creates a backup of the host configuration. After execution, the output will include a URL (e.g., http:///downloads/.tgz).
    • Download the file from this URL using a web browser or a utility like wget or curl, and save it to an external storage device:

      wget http:///downloads/.tgz -O /path/to/backup/.tgz
    • For restoring the configuration, use the vSphere Client web interface:

      1. Navigate to "Host" → "Configure" → "System" → "Backup/Restore".
      2. Select "Restore" and upload the previously saved .tgz file.

      Alternatively, to synchronize the current configuration with the one stored on disk, use:

      vim-cmd hostsvc/firmware/sync_config
    • A valid root password is required. If unavailable, use access via vCenter or SSH keys.
  2. Virtual Machines:

    ovftool vi://root@[ESXI_IP]/[VM_NAME] /path/to/backup/[VM_NAME].ova
    • The ovftool utility is required, installed on an administrative machine (Windows, macOS, or Linux). The utility can be downloaded from VMware Customer Connect.
    • Ensure the administrative machine has access to the ESXi host and use a valid root password to execute the command.
    • Save the .ova file to an external storage device.
  3. Network Settings:

    esxcli network ip interface list > network_config.txt

    Save the output to a file.

  4. ESXi License:

    vim-cmd vimsvc/license --show

Store backups on an external storage device not connected to the host.
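The host-configuration, network and license steps above can be run as one script on the ESXi shell. This is an added example, not part of the original guide; it assumes the output form of vim-cmd, which prints the bundle URL with an asterisk in place of the host address (e.g. `Bundle can be downloaded at : http://*/downloads/<id>/configBundle-<host>.tgz`), and it only downloads the bundle when invoked with `--run`.

```shell
#!/bin/sh
# Added example (not from the original guide): automate the "Backup" section.
# vim-cmd prints the bundle URL with "*" where the host address belongs; the
# script substitutes the real address, downloads and checks the archive, and
# saves the network settings and license next to it.

# Print the download URL from a backup_config output line with the asterisk
# replaced by the host address.  $1 = output line, $2 = host IP or FQDN
backup_url() {
    url=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^http/) print $i }')
    [ -n "$url" ] || return 1
    printf '%s\n' "$url" | sed "s|://\*|://$2|"
}

# Name the saved bundle with a timestamp so repeated backups do not overwrite
# each other.  $1 = download URL, $2 = timestamp string
backup_name() {
    printf '%s_%s\n' "$2" "${1##*/}"
}

# Run on the ESXi host: request the bundle, download it and verify the archive.
# $1 = host address as reachable from the host itself, $2 = destination directory
run_backup() {
    line=$(vim-cmd hostsvc/firmware/backup_config) || return 1
    url=$(backup_url "$line" "$1") || return 1
    mkdir -p "$2" || return 1
    out="$2/$(backup_name "$url" "$(date +%Y%m%d-%H%M%S)")"
    wget -q "$url" -O "$out" || return 1
    # A truncated or failed download is not a readable gzip archive; discard it.
    tar tzf "$out" > /dev/null 2>&1 || { rm -f "$out"; return 1; }
    # Capture the network settings and license listed in the guide as well.
    esxcli network ip interface list > "$2/network_config.txt"
    vim-cmd vimsvc/license --show > "$2/license.txt"
    printf '%s\n' "$out"
}

# Usage on the host: sh backup.sh --run 192.0.2.10 /vmfs/volumes/datastore1/backup
if [ "${1:-}" = "--run" ]; then run_backup "$2" "$3"; fi
```

The destination directory is only a staging area; copy its contents to an external device not connected to the host, as the guide requires.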

Determining Infrastructure Type

To choose the optimal reset method, determine the type of host:

  • Managed by vCenter: The ESXi web interface’s "Summary" section indicates a vCenter Server.
  • Standalone: Management is performed directly, without vCenter.

Method 1: vCenter-Managed Host (Host Profiles)

This method uses Host Profiles for hosts connected to vCenter. It does not require a reboot and is supported by VMware.

Requirements

  • VMware vSphere Enterprise Plus license.
  • Access to vCenter Server.
  • Another ESXi host with a known root password and an identical ESXi version (e.g., 7.0 Update 3c).
  • If using a Standard license or lower, use Method 2 (reinstallation) or Method 3 (Nested ESXi).

Steps

  1. Log in to vSphere Client (HTML5).
  2. Navigate to the "Host Profiles" section:

    • Select "Menu" → "Host Profiles" or navigate via "Inventory" → "Hosts and Clusters" → "Host Profiles" (depending on the vSphere version).
  3. Extract a profile:

    • Select a host with a known password.
    • Click "Extract Profile from Host".
    • Assign a profile name, e.g., Password_Reset_Profile.
    • Wait for completion.
  4. Edit the profile:

    • Select the profile and click "Edit Settings".
    • Navigate to "Security Configuration" → "Authentication Configuration".
    • In the "Local User Accounts" section, select the root account.
    • Set a new password (at least 8 characters, including uppercase letters, numbers, and special characters).
    • Save the changes.
  5. Prepare the target host:

    • Select the host with the forgotten password.
    • Enter Maintenance Mode: right-click → "Enter Maintenance Mode".
    • Select "Move powered off and suspended virtual machines to other hosts" if applicable.
    • If DRS or vMotion is unavailable, power off virtual machines.
    • Wait for completion.
  6. Apply the profile:

    • In the "Host Profiles" section, select the profile.
    • Click "Attach/Detach Hosts and Clusters", select the host.
    • Click "Attach", then "Remediate".
    • Confirm changes and wait for completion (approximately ten minutes).
  7. Verify:

    • Exit Maintenance Mode: right-click → "Exit Maintenance Mode".
    • Log in with the new password via the web interface or SSH.
    • Check virtual machines:

      vim-cmd vmsvc/getallvms

Notes

  • The ESXi version of the reference host must match the target host.
  • Configuration mismatches may cause errors. Check vCenter logs.

Risks

  • Minimal if the instructions are followed.
  • Possible failures due to configuration mismatches.

Method 2: Standalone Host — Reinstallation

For standalone hosts, ESXi is reinstalled. Without backups, this method results in loss of the host configuration.

Steps

  1. Preparation:

    • Download ESXi from VMware Customer Connect.
    • Create a bootable USB using Rufus, Ventoy, or:

      sudo dd if=/path/to/esxi.iso of=/dev/sdX bs=4M status=progress && sync

      Ensure /dev/sdX is the correct USB device (check with lsblk or fdisk -l).

    • Perform a backup (see the "Backup" section).
  2. Reinstallation:

    • Boot from the installation media.
    • Select the disk and confirm the overwrite.
    • Set a new root password (at least 8 characters recommended).
    • Wait for the installation to complete (approximately 15 minutes).
  3. Restoration:

    • Configure the network:

      esxcli network ip interface ipv4 set -i vmk0 -I [IP] -N [NETMASK] -t static
      esxcli network ip route ipv4 add -g [GATEWAY] -n default
      esxcli network ip interface set -e false -i vmk0; esxcli network ip interface set -e true -i vmk0

      If the host used a vSphere Distributed Switch (vDS), restore vDS via vCenter or configure a vSphere Standard Switch (vSS).

    • Connect storage:

      esxcli storage core adapter rescan --all

      To mount all available VMFS volumes, use:

      esxcli storage filesystem automount

      If automatic mounting fails, check available volumes and mount manually:

      esxcli storage filesystem list
      esxcli storage filesystem mount --volume-label=[VOLUME_LABEL]

      Replace [VOLUME_LABEL] with the volume name obtained from the list command.

    • Import virtual machines:

      ovftool /path/to/backup/[VM_NAME].ova vi://root@[ESXI_IP]/

      Ensure ovftool runs on an administrative machine with access to the host.

    • Restore the license:

      vim-cmd vimsvc/license --set [LICENSE_KEY] --label="ESXi License"

      The --label parameter is optional but recommended for identifying the license in the vSphere interface.

Risks

  • Loss of configuration and virtual machines without backups.
  • Requires reconfiguring network and storage.

Method 3: Standalone Host — Alternative Method

For standalone hosts where reinstallation is not possible, this method uses Nested ESXi and a Linux VM to modify configuration files. It is complex, not supported by VMware, and intended for experienced administrators.

Requirements

  • Nested ESXi VM matching the host’s version and build (e.g., 7.0 Update 3c). Available on VMware Flings.
  • Linux VM (e.g., Ubuntu 20.04+).
  • Physical access to the server.
  • Experience with Linux.

Steps

  1. Deploy Nested ESXi and Linux VM.
  2. Boot from a Linux LiveCD, mount ESXi partitions, and copy the state.tgz and local.tgz files.
  3. Transfer the files to Nested ESXi, decrypt them using /usr/lib/vmware/crypto-util, and modify the password hash in the SQLite database.
  4. Repackage and encrypt the files, return them to the host, and reboot.

Risks

  • If the host uses a Trusted Platform Module (TPM), configuration files are tied to TPM keys. Replacing files without keys may render the system inoperable. Check:

    esxcli system settings encryption get

    If Encryption Mode indicates TPM, this method may not be applicable.

  • Incorrect changes may reset network settings, storage, or virtual machines.
  • Nested ESXi must exactly match the host’s version.
  • In ESXi 8.x, the method may not work due to changes in encryption.

Alternative

If SSH is enabled, add an SSH key:

  • Generate a key:

    ssh-keygen -t rsa -b 4096
  • Add the key to /etc/ssh/keys-root/authorized_keys.

Preventive Measures

  1. Documentation:

    • Store passwords in a password manager, such as HashiCorp Vault.
    • Keep documentation up to date.
  2. SSH Access:

    • Enable SSH for the current session:

      esxcli system services enable --id=TSM-SSH
      esxcli system services start --id=TSM-SSH
    • For automatic SSH startup on boot:

      esxcli system services set --policy=on --id=TSM-SSH
    • Disable ESXi Shell timeout:

      esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 0
    • Alternatively, configure via vSphere Client:

      1. Select the host → "Configure" → "Services".
      2. Find "TSM-SSH", select "Options" → "Start and stop with host".
    • Configure SSH keys:

      1. Generate a key on the client machine:

        ssh-keygen -t rsa -b 4096
      2. Copy the public key (e.g., ~/.ssh/id_rsa.pub) to the host:

        scp ~/.ssh/id_rsa.pub root@[ESXI_IP]:/etc/ssh/keys-root/authorized_keys
      3. Set permissions:

        ssh root@[ESXI_IP] "chmod 644 /etc/ssh/keys-root/authorized_keys"
    • Store keys in /etc/ssh/keys-root/authorized_keys.
  3. Active Directory:

    • Join the host to a domain via CLI:

      esxcli system authentication activedirectory join -d [DOMAIN] -u [USERNAME] -p [PASSWORD]

      Specify [DOMAIN] (e.g., example.com), [USERNAME] (user with join permissions), and [PASSWORD].

    • Alternatively, use vSphere Client:

      1. Select the host → "Configure" → "Authentication Services".
      2. Click "Join Domain", specify the domain and credentials.
    • Assign permissions to a domain group via vSphere Client:

      1. Select the host or vCenter.
      2. Navigate to "Permissions".
      3. Click "Add", select the group (e.g., DOMAIN\GroupName), and assign a role (e.g., "Administrator").
    • For automation, use PowerCLI:

      New-VIPermission -Entity (Get-VMHost) -Principal "DOMAIN\GroupName" -Role Admin
  4. Monitoring:

    • Use vRealize Operations or Zabbix.
    • Configure notifications for failures.
  5. Backup:

    • Automate:

      vim-cmd hostsvc/firmware/backup_config

      Download the file via the URL and store it on an external device.
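The SSH-key steps in the "SSH Access" item above (and in the "Alternative" section) can be scripted from the administrative machine. This is an added example, not part of the original guide; it assumes password-based ssh access to root@[ESXI_IP] while the key is installed and the /etc/ssh/keys-root/authorized_keys path used in the guide. Unlike the scp step, which replaces authorized_keys with the single copied key, it appends the key so previously installed keys are kept, and it verifies key-only login before you rely on it.

```shell
#!/bin/sh
# Added example (not from the original guide): install an SSH public key on an
# ESXi host without overwriting existing keys, then prove key-based login works.
KEYFILE=/etc/ssh/keys-root/authorized_keys

# 0 if every line of file $1 looks like an OpenSSH public key:
# key type, base64 blob, optional comment.
valid_pubkey() {
    [ -s "$1" ] && awk '
        NF < 2 || $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1 }
        END { exit bad }' "$1"
}

# 0 if the key in file $1 (compared by type and blob, ignoring the comment)
# is already listed in file $2.
key_present() {
    want=$(awk 'NR == 1 { print $1, $2 }' "$1")
    [ -n "$want" ] && awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' "$2"
}

# Append the key on the host only if it is not there yet, then log in with the key alone.
# $1 = public key file on this machine, $2 = ESXi host address
install_key() {
    valid_pubkey "$1" || { echo "not a public key file: $1" >&2; return 1; }
    current=$(mktemp) || return 1
    ssh "root@$2" "cat $KEYFILE" > "$current" 2>/dev/null || :
    if key_present "$1" "$current"; then
        echo "key already installed on $2"
    else
        ssh "root@$2" "cat >> $KEYFILE && chmod 644 $KEYFILE" < "$1" || { rm -f "$current"; return 1; }
    fi
    rm -f "$current"
    # BatchMode=yes forbids password prompts, so success proves the key alone is accepted.
    ssh -o BatchMode=yes "root@$2" 'esxcli system version get' > /dev/null
}

# Usage from the admin machine: sh install_key.sh --install ~/.ssh/id_rsa.pub 192.0.2.10
if [ "${1:-}" = "--install" ]; then install_key "$2" "$3"; fi
```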