Reset root user password in ESXi 7.x
Sometimes you find yourself unable to log in to the ESXi management console because no valid root password is available: after a breach, a system failure, a lost password, or when you inherit an ESXi host without documentation or a proper administrative handover. The problem may not be urgent on the day you discover it, but it becomes one the moment something goes wrong and you have to intervene on a host that has been running unattended until then. This guide covers those cases.
Backup
Before performing any actions, you must create backups of the configuration, virtual machines, network settings, and license.
- Host Configuration:
vim-cmd hostsvc/firmware/backup_config
- The command creates a bundle of the host configuration and prints a download URL (e.g., http://[ESXI_IP]/downloads/[FILENAME].tgz). In the command output the host part of the URL is printed as `*`; replace it with the host's management IP address.
- Download the file with a web browser or a utility like wget or curl, and save it to an external storage device:
wget http://[ESXI_IP]/downloads/[FILENAME].tgz -O /path/to/backup/[FILENAME].tgz
- The bundle can only be restored to a host running the same ESXi build as the one it was taken from, and the host must be in maintenance mode. To restore via the vSphere Client web interface:
- Navigate to "Host" → "Configure" → "System" → "Backup/Restore".
- Select "Restore" and upload the previously saved .tgz file.
From the ESXi Shell the same restore is done with vim-cmd hostsvc/firmware/restore_config followed by the path to the bundle; the host reboots afterwards. Note that the bundle includes /etc/shadow, so restoring it also restores the root password that was in effect when the backup was taken.
Alternatively, to flush the running configuration to the boot bank immediately (ESXi otherwise persists it periodically on its own), use:
vim-cmd hostsvc/firmware/sync_config
- A valid root password is required for these commands. If it is unavailable, use access via vCenter (PowerCLI's Get-VMHostFirmware -BackupConfiguration produces the same bundle through vCenter) or via SSH keys.
- Virtual Machines:
ovftool vi://root@[ESXI_IP]/[VM_NAME] /path/to/backup/[VM_NAME].ova
- The ovftool utility must be installed on an administrative machine (Windows, macOS, or Linux). It can be downloaded from VMware Customer Connect.
- The administrative machine needs network access to the ESXi host, and the command authenticates with the root password. A virtual machine must be powered off to be exported.
- Save the .ova file to an external storage device.
- Network Settings:
esxcli network ip interface list > network_config.txt
Save the output to a file. This lists only the VMkernel interfaces; also record the IPv4 settings, routes, DNS servers, and virtual switch configuration, since a reinstallation does not preserve any of them.
- ESXi License:
vim-cmd vimsvc/license --show
Store backups on an external storage device not connected to the host.
Determining Infrastructure Type
To choose the optimal reset method, determine the type of host:
- Managed by vCenter: The ESXi web interface’s "Summary" section indicates a vCenter Server.
- Standalone: Management is performed directly, without vCenter.
Method 1: vCenter-Managed Host (Host Profiles)
This method uses Host Profiles for hosts connected to vCenter. It does not require a reboot and is supported by VMware.
Requirements
- VMware vSphere Enterprise Plus license.
- Access to vCenter Server.
- Another ESXi host with a known root password and an identical ESXi version (e.g., 7.0 Update 3c).
- If using a Standard license or lower, use Method 2 (reinstallation) or Method 3 (Nested ESXi).
Steps
- Log in to vSphere Client (HTML5).
- Navigate to the "Host Profiles" section:
- Select "Menu" → "Host Profiles" or navigate via "Inventory" → "Hosts and Clusters" → "Host Profiles" (depending on the vSphere version).
- Extract a profile:
- Select a host with a known password.
- Click "Extract Profile from Host".
- Assign a profile name, e.g., Password_Reset_Profile, and wait for completion.
- Edit the profile:
- Select the profile and click "Edit Host Profile".
- Expand "Security and Services" → "Security Settings" → "Security" → "User Configuration" and select the root account.
- Choose "Fixed password configuration" and set the new password. It must satisfy the host's password policy; at least 8 characters including uppercase letters, numbers, and special characters is recommended.
- Uncheck every other setting in the profile so that remediation changes nothing except the root password.
- Save the changes.
- Prepare the target host:
- Select the host with the forgotten password.
- Enter Maintenance Mode: right-click → "Enter Maintenance Mode".
- Select "Move powered off and suspended virtual machines to other hosts" if applicable.
- If DRS or vMotion is unavailable, power off virtual machines.
- Wait for completion.
- Apply the profile:
- In the "Host Profiles" section, select the profile.
- Click "Attach/Detach Hosts and Clusters", select the host.
- Click "Attach", then "Remediate".
- Confirm changes and wait for completion (approximately ten minutes).
- Verify:
- Exit Maintenance Mode: right-click → "Exit Maintenance Mode".
- Log in with the new password via the web interface or SSH.
- Check virtual machines:
vim-cmd vmsvc/getallvms
Notes
- The ESXi version and build of the reference host must match the target host.
- Remediation applies every setting that is enabled in the profile, not only the password. Settings copied from the reference host (storage, networking, services) can overwrite the target host's configuration and cause errors; check the compliance report and the vCenter tasks and events for failures.
Risks
- Minimal if the instructions are followed and the profile contains only the root password setting.
- Possible failures due to configuration mismatches between the two hosts.
Method 2: Standalone Host — Reinstallation
For standalone hosts, ESXi reinstallation is used. This method results in configuration loss without backups.
Steps
- Preparation:
- Download ESXi from VMware Customer Connect.
- Create a bootable USB drive with Rufus, Ventoy, or dd:
sudo dd if=/path/to/esxi.iso of=/dev/sdX bs=4M status=progress && sync
Make sure /dev/sdX is the USB device and not a system disk (check with lsblk or fdisk -l); dd overwrites the target without asking.
- Perform a backup (see the "Backup" section).
- Reinstallation:
- Boot from the installation media.
- Select the boot disk. If the installer finds an existing ESXi installation it offers "Upgrade ESXi, preserve VMFS datastore", "Install ESXi, preserve VMFS datastore", and "Install ESXi, overwrite VMFS datastore". An upgrade keeps the old configuration, including the unknown root password, so choose a fresh install; preserve the VMFS datastore if virtual machines are stored on the local disk.
- Set a new root password (at least 8 characters recommended).
- Wait for the installation to complete (approximately 15 minutes).
- Restoration:
- Configure the network:
esxcli network ip interface ipv4 set -i vmk0 -I [IP] -N [NETMASK] -t static
esxcli network ip route ipv4 add -g [GATEWAY] -n default
esxcli network ip interface set -e false -i vmk0; esxcli network ip interface set -e true -i vmk0
The last line restarts vmk0 so the new address takes effect. If the host used a vSphere Distributed Switch (vDS), restore the vDS via vCenter or configure a vSphere Standard Switch (vSS). Do not restore the full configuration bundle from the "Backup" section on the fresh installation: it contains /etc/shadow and would bring back the forgotten root password. Restore network and storage settings manually instead.
- Connect storage:
esxcli storage core adapter rescan --all
To mount all available VMFS volumes, use:
esxcli storage filesystem automount
If automatic mounting fails, list the volumes and mount manually:
esxcli storage filesystem list
esxcli storage filesystem mount --volume-label=[VOLUME_LABEL]
Replace [VOLUME_LABEL] with the volume name from the list output. A volume that the new installation treats as a snapshot copy (same VMFS UUID, different device identifier) does not show up in that list; check esxcli storage vmfs snapshot list and mount or resignature it from there.
- Import virtual machines:
ovftool /path/to/backup/[VM_NAME].ova vi://root@[ESXI_IP]/
Ensure ovftool runs on an administrative machine with access to the host. Virtual machines whose files survived on a preserved datastore do not need to be re-imported; register their existing .vmx files with vim-cmd solo/registervm instead.
- Restore the license:
vim-cmd vimsvc/license --set [LICENSE_KEY] --label="ESXi License"
The --label parameter is optional but recommended for identifying the license in the vSphere interface.
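When the reinstall preserved the VMFS datastore, the virtual machines are still on disk and only need to be registered with the new installation; re-importing them from OVA files is unnecessary. The script below is an added example, not code from the original guide: it compares the .vmx files found on the datastores with the output of vim-cmd vmsvc/getallvms and registers the ones the host does not know with vim-cmd solo/registervm. The getallvms output and the file list embedded in it are constructed samples, and it assumes that datastore labels and .vmx paths contain no spaces.

```shell
#!/bin/sh
# Added example (not part of the original guide): after a reinstall that kept the
# VMFS datastore, re-register the virtual machines that are still on disk instead
# of re-importing them from OVA files. Meant to be run in the ESXi Shell; the two
# parsing helpers are pure and are exercised with constructed sample data.
# Assumption: datastore labels and relative .vmx paths contain no spaces.

# Constructed sample of `vim-cmd vmsvc/getallvms` output (vm01 and vm02 registered).
SAMPLE_GETALLVMS='Vmid   Name   File                          Guest OS                Version   Annotation
1      vm01   [datastore1] vm01/vm01.vmx    ubuntu64Guest           vmx-19
2      vm02   [datastore1] vm02/vm02.vmx    windows9Server64Guest   vmx-19'

# Constructed sample of .vmx files found on the mounted datastores.
SAMPLE_VMX_FILES='/vmfs/volumes/datastore1/vm01/vm01.vmx
/vmfs/volumes/datastore1/vm03/vm03.vmx
/vmfs/volumes/datastore2/vm04/vm04.vmx'

# Map each "[label] dir/vm.vmx" entry of getallvms to /vmfs/volumes/label/dir/vm.vmx.
# The header line has no bracketed datastore and is dropped by sed -n.
registered_vmx_paths() {
  printf '%s\n' "$1" | sed -n 's|.*\[\([^]]*\)\] \([^ ]*\.vmx\).*|/vmfs/volumes/\1/\2|p'
}

# Print the .vmx files from $1 (one per line) that are absent from getallvms output $2.
unregistered_vmx() {
  registered=$(registered_vmx_paths "$2")
  printf '%s\n' "$1" | while IFS= read -r vmx; do
    [ -n "$vmx" ] || continue
    printf '%s\n' "$registered" | grep -Fxq -- "$vmx" || printf '%s\n' "$vmx"
  done
}

# Find .vmx files through the datastore label symlinks (the trailing slash makes
# find descend into the link target) and skip the UUID-named directories they
# point to, so that the paths match the form getallvms prints.
datastore_vmx_files() {
  for ds in /vmfs/volumes/*/; do
    case "${ds%/}" in
      */????????-????????-????-????????????) continue ;;   # VMFS UUID directory
    esac
    find "$ds" -maxdepth 2 -name '*.vmx' 2>/dev/null
  done
}

# Register everything the host does not know yet. Pass "dry" to only list them.
register_missing_vms() {
  unregistered_vmx "$(datastore_vmx_files)" "$(vim-cmd vmsvc/getallvms)" |
  while IFS= read -r vmx; do
    if [ "${1:-}" = "dry" ]; then
      echo "would register $vmx"
    else
      echo "registering $vmx"
      vim-cmd solo/registervm "$vmx"
    fi
  done
}
```

Run register_missing_vms dry first and compare the list against the inventory you expect; a .vmx that belongs to a VM you deliberately decommissioned should be deleted rather than registered.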
Risks
- Loss of configuration and virtual machines without backups.
- Requires reconfiguring network and storage.
Method 3: Standalone Host — Alternative Method
For standalone hosts where reinstallation is not possible, this method uses Nested ESXi and a Linux VM to modify configuration files. It is complex, not supported by VMware, and intended for experienced administrators.
Requirements
- Nested ESXi VM matching the host’s version and build (e.g., 7.0 Update 3c). Available on VMware Flings.
- Linux VM (e.g., Ubuntu 20.04+).
- Physical access to the server.
- Experience with Linux.
Steps
- Deploy the Nested ESXi VM and the Linux VM.
- Boot the physical host from a Linux live image, mount the ESXi boot bank partition, and copy state.tgz (which contains local.tgz) from it.
- Transfer the file to the Nested ESXi VM, decrypt it with /usr/lib/vmware/crypto-util, unpack local.tgz, and replace the root hash in etc/shadow with the hash of a known password.
- Repack and re-encrypt the files, copy them back to the host's boot bank, and reboot.
Risks
- If the host uses a Trusted Platform Module (TPM), the key that encrypts the configuration is sealed to the TPM, and configuration files replaced without that key leave the host unable to boot its configuration. Check:
esxcli system settings encryption get
If Mode reports TPM, this method is not applicable.
- Incorrect changes may reset network settings, storage, or virtual machines.
- Nested ESXi must exactly match the host's version and build.
- In ESXi 8.x, the method may not work due to changes in configuration encryption.
Alternative
If SSH is enabled and you still have a working root session or key-based login, the boot bank does not need to be touched: set a new password with passwd, or keep key-based access by adding an SSH key:
- Generate a key:
ssh-keygen -t rsa -b 4096
- Add the public key to /etc/ssh/keys-root/authorized_keys on the host.
Preventive Measures
- Documentation:
- Store passwords in a password or secrets manager, such as HashiCorp Vault.
- Keep documentation up to date.
- On hosts with configuration encryption (Mode: TPM), record the recovery key while you still have access: esxcli system settings encryption recovery list. Without it the encrypted configuration cannot be recovered if the TPM is replaced or reset.
- SSH Access:
- Start SSH for the current session:
vim-cmd hostsvc/start_ssh
- For automatic SSH startup on boot (service policy "Start and stop with host"):
vim-cmd hostsvc/enable_ssh
- Disable the ESXi Shell timeout:
esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 0
Leaving SSH permanently enabled and the shell timeout disabled widens the host's attack surface. If you do so, restrict the SSH firewall rule to the management network and allow key-based authentication only.
- Alternatively, configure via vSphere Client:
- Select the host → "Configure" → "Services".
- Find "SSH" (TSM-SSH), select "Options" → "Start and stop with host".
- Configure SSH keys:
- Generate a key on the client machine:
ssh-keygen -t rsa -b 4096
- Copy the public key (e.g., ~/.ssh/id_rsa.pub) to the host:
scp ~/.ssh/id_rsa.pub root@[ESXI_IP]:/etc/ssh/keys-root/authorized_keys
This replaces the file; append instead if other administrators' keys must be kept.
- Set permissions:
ssh root@[ESXI_IP] "chmod 644 /etc/ssh/keys-root/authorized_keys"
- Keys are stored in /etc/ssh/keys-root/authorized_keys and persist across reboots as part of the host configuration.
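The scp step above replaces authorized_keys wholesale, and nothing in the procedure confirms that the key works before the password is needed again. As an added example (not the guide's own code), the following script merges a key into the existing file without duplicates and then tests a non-interactive, key-only login. It assumes SSH is already running on the host, that root can still log in with a password for this one session, and that the host and key files are passed as arguments; the key lines in the sample data are constructed and truncated, not real keys.

```shell
#!/bin/sh
# Added example (not part of the original guide): install an administrator's SSH
# public key on an ESXi host without clobbering keys that are already there, then
# prove that key-based login works before relying on it.
# Assumptions: SSH is running on the host, password login as root still works for
# this session, host and key paths are passed as arguments. Constructed samples:
SAMPLE_EXISTING='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0ld admin@old-laptop'
SAMPLE_NEW='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnew admin@new-laptop'

# Merge one public key line into existing authorized_keys content. Blank lines are
# dropped and an identical line is never added twice, so re-running is harmless.
merge_authorized_key() {
  existing=$1
  newkey=$2
  { printf '%s\n' "$existing"; printf '%s\n' "$newkey"; } | awk 'NF && !seen[$0]++'
}

# Read the current file (empty if absent), write the merged result back and pin
# permissions. 600 is stricter than the 644 the guide uses; sshd only rejects
# files that are group- or world-writable.
install_key() {
  host=$1
  pubkey_file=$2
  keyfile=/etc/ssh/keys-root/authorized_keys
  newkey=$(cat "$pubkey_file") || return 1
  existing=$(ssh "root@$host" "cat $keyfile 2>/dev/null") || existing=''
  merge_authorized_key "$existing" "$newkey" |
    ssh "root@$host" "cat > $keyfile && chmod 600 $keyfile"
}

# Non-interactive check: succeed only if the private key alone gets a shell.
# BatchMode stops ssh from ever prompting, so a broken key fails fast.
verify_key_login() {
  host=$1
  privkey_file=$2
  ssh -o BatchMode=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no \
      -i "$privkey_file" "root@$host" 'echo key-login-ok' | grep -qx key-login-ok
}

# Typical use from the administrative machine:
#   install_key 192.0.2.10 ~/.ssh/id_rsa.pub && verify_key_login 192.0.2.10 ~/.ssh/id_rsa
```

Keep the password login in your session open until verify_key_login succeeds; if it fails, the most common causes are a typo in the key line or a key format the host's sshd does not accept.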
- Active Directory:
- Join the host to a domain with PowerCLI:
Get-VMHostAuthentication -VMHost [ESXI_HOST] | Set-VMHostAuthentication -Domain [DOMAIN] -JoinDomain -Username [USERNAME] -Password [PASSWORD]
Specify [DOMAIN] (e.g., example.com), [USERNAME] (an account allowed to join computers to the domain), and [PASSWORD]. Passing the password on the command line leaves it in the shell history; prefer -Credential (Get-Credential) so the cmdlet prompts for it.
- Alternatively, use vSphere Client:
- Select the host → "Configure" → "Authentication Services".
- Click "Join Domain", specify the domain and credentials.
- Assign permissions to a domain group via vSphere Client:
- Select the host or vCenter.
- Navigate to "Permissions".
- Click "Add", select the group (e.g., DOMAIN\GroupName), and assign a role (e.g., "Administrator").
- For automation, use PowerCLI:
New-VIPermission -Entity (Get-VMHost) -Principal "DOMAIN\GroupName" -Role Admin
- Monitoring:
- Use vRealize Operations or Zabbix.
- Configure notifications for failures.
- Backup:
- Automate the configuration backup:
vim-cmd hostsvc/firmware/backup_config
Download the file via the URL and store it on an external device, together with the host's build number, so that the bundle can later be restored to a matching build.
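The "Backup" section at the top of the page and this bullet come down to the same routine: flush and create the configuration bundle, rewrite the URL that backup_config prints, download it, and keep it together with the network and license details. The following script is an added example and not code from the original guide. It assumes an administrative Linux or macOS machine with ssh and wget, key-based root access to the host, and the host's management IP as its first argument; the backup_config output used for the offline check is a constructed sample (host name, bundle path and build number included). Beyond the commands the page lists, it records esxcli network ip interface ipv4 get, route ipv4 list, dns server list and vswitch standard list.

```shell
#!/bin/sh
# Added example (not part of the original guide): collect the backup artefacts
# listed in the "Backup" section from an ESXi host over SSH and store them in a
# directory named after the host and its build number.
# Assumptions: admin machine with ssh and wget, key-based root SSH access to the
# host, management IP as $1, destination root as optional $2.

# Constructed sample of what `vim-cmd hostsvc/firmware/backup_config` prints.
SAMPLE_BACKUP_OUTPUT='Bundle can be downloaded at : http://*/downloads/5241d5c3-9f7a-4b7e-8d1b-2fe1a6c4b0c1/configBundle-esxi01.example.com.tgz'

# backup_config prints the URL with "*" in place of the host; make it fetchable.
# Prints nothing and fails when the output contains no URL (e.g. on an error).
bundle_url() {
  host_ip=$1
  output=$2
  url=$(printf '%s\n' "$output" | sed -n 's/.*\(http:\/\/[^ ]*\).*/\1/p' | head -n 1)
  [ -n "$url" ] || return 1
  printf '%s\n' "$url" | sed "s#^http://\*/#http://$host_ip/#"
}

# Directory name from the host IP and the build number in `vmware -vl` output
# (e.g. "VMware ESXi 7.0.3 build-19193900"); restore_config needs the same build.
backup_dir_name() {
  host_ip=$1
  build_line=$2
  build=$(printf '%s\n' "$build_line" | sed -n 's/.*build-\([0-9]*\).*/\1/p' | head -n 1)
  [ -n "$build" ] || return 1
  printf '%s-build%s-%s\n' "$host_ip" "$build" "$(date +%Y%m%d)"
}

collect_backup() {
  host_ip=$1
  dest_root=${2:-./esxi-backups}
  run() { ssh "root@$host_ip" "$@"; }

  build_line=$(run 'vmware -vl') || return 1
  dest="$dest_root/$(backup_dir_name "$host_ip" "$build_line")" || return 1
  mkdir -p "$dest"
  printf '%s\n' "$build_line" > "$dest/build.txt"

  # Flush the running configuration to the boot bank, then create the bundle.
  out=$(run 'vim-cmd hostsvc/firmware/sync_config && vim-cmd hostsvc/firmware/backup_config') || return 1
  url=$(bundle_url "$host_ip" "$out") || { echo "no download URL in: $out" >&2; return 1; }
  wget -q -O "$dest/configBundle.tgz" "$url" || return 1
  # A truncated download is not a valid gzip tarball; fail now rather than at restore time.
  tar tzf "$dest/configBundle.tgz" > "$dest/configBundle.list" || return 1

  # Network and licence details that have to be re-entered by hand after a reinstall.
  run 'esxcli network ip interface list; esxcli network ip interface ipv4 get;
       esxcli network ip route ipv4 list; esxcli network ip dns server list;
       esxcli network vswitch standard list' > "$dest/network_config.txt"
  run 'vim-cmd vimsvc/license --show' > "$dest/license.txt"
  echo "backup written to $dest"
}

# Typical use from the administrative machine: collect_backup 192.0.2.10 /mnt/usb
```

Schedule collect_backup from the administrative machine's cron rather than from the host, so the bundle never sits only on the system it is meant to recover, and remember that restoring it also restores the root password that was current when it was taken.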