Reset the root password in vCenter Server Appliance without reboot / 6.7u1 / 7.x / 8.x
Article ID: 321369

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to reset the root password of the vCenter Server Appliance (6.7 U1, 7.x and 8.x) without a reboot if the existing root password has been lost or forgotten.

Symptoms:
  • Logging in to the root account of vCenter Server Appliance (VCSA) fails.
  • The root account of the vCenter Server Appliance 6.7 U1 and later is locked, or the account has expired.
  • The root password has been forgotten.
  • The root account password has been lost or forgotten.
  • You are unable to log in to vCenter.

Note: The above symptoms can also occur on an external Platform Services Controller (PSC) running on vSphere 6.5 and 6.7.

Environment

  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x
  • VMware vCenter Server Appliance 6.7.x

Cause

  • Since VCSA 6.7 U1, an SSO user who is a member of the SystemConfiguration.BashShellAdministrators group can log in to the Bash shell and run any command with sudo without a password. This reduces the gap between the root user and the SSO administrator. The user must enable the shell before logging in to the Bash shell; by default, the user is logged in to the appliance shell.
  • For expired passwords: by default, the vCenter Server Appliance root password expires after 90 days. For more information, see Change the Password and Password Expiration Settings of the Root User.

Resolution

Process to Reset the Root Password in VCSA:

  1. Connect to the VCSA over SSH and log in as administrator@vsphere.local, where vsphere.local is your default SSO domain.
  2. If this is the first time logging in, enable the Bash shell and then enter it:
    • shell.set --enable true
    • shell
  3. Once in the shell as the SSO user, switch to a root shell:
    • sudo -i
  4. If the root account is already locked because of repeated logins with an incorrect password, unlock it:
    • pam_tally2 --user=root --reset

    For 8.0 U2 onwards:
    • /usr/sbin/faillock --user root --reset

    Note: pam_tally2 is deprecated in Photon 4; use faillock instead.

  5. From the root shell, run passwd to change the root password:
    • passwd
    • Alternatively, use the command: sudo passwd root
  6. Confirm that you can access the vCenter Server Appliance using the new root password.
  7. To prevent this issue from recurring, you can set the root password to never expire, either from the root shell:
    • chage -I -1 -m 0 -M 99999 -E -1 root
    or from the VAMI (https://<vcenter_fqdn>:5480).

    Note: If you continue to have issues, see Unable to log in to the vCenter Server Appliance shell using root account even after password reset.

Additional Information

For 7.0U1 and 6.7U3j there are a few changes:

  1. If the root password has expired or is about to expire, the root user is prompted to reset it when connecting over SSH.
  2. You can also log in to the VAMI as the SSO administrator and reset the root password from there.
  3. An email notification is sent earlier, to help prevent the root password from expiring.
  4. An alarm will be triggered in vsphere-ui to notify the user about the password expiry.

Changes in 8.0 U2 and later versions:
You will get the error below when executing pam_tally2 on 8.0 U2 or later, because this utility was deprecated in Photon 4, which 8.0 U2 is based on. The alternative utility on Photon 4 for unlocking accounts is /usr/sbin/faillock.

"-bash: pam_tally2: command not found"
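As an added example (not part of this KB article), the helper script below shows two checks an administrator can make before running step 4: whether root is actually locked out, read from the output of `faillock --user root`, and which unlock tool the build ships (faillock on Photon 4 / 8.0 U2+, pam_tally2 on earlier builds). The faillock output, the deny threshold of 3 and the scratch-directory argument of `unlock_command` are assumptions for demonstration; the real deny value comes from the appliance's pam_faillock configuration.

```bash
#!/bin/bash
# Added example, not from the KB: pre-checks for the "unlock root" step.

# Count records that still count toward lockout in `faillock --user root`
# output read from stdin. faillock flags each such record with a V in the
# last column; the "root:" and "When ... Valid" header lines never match.
count_valid_failures() {
  awk '$NF == "V" { n++ } END { print n + 0 }'
}

# Exit 0 when the failure count ($1) has reached the deny threshold ($2),
# i.e. pam_faillock would refuse the login. The threshold is an assumption;
# take it from the appliance's PAM configuration in practice.
root_is_locked() {
  local fails="$1" deny="$2"
  [ "$fails" -ge "$deny" ]
}

# Print the unlock command for this build: faillock on Photon 4 (8.0 U2 and
# later), pam_tally2 on earlier builds. $1 is the directory searched for the
# binaries (default /usr/sbin) so the logic can be exercised elsewhere.
unlock_command() {
  local bindir="${1:-/usr/sbin}"
  if [ -x "$bindir/faillock" ]; then
    echo "$bindir/faillock --user root --reset"
  elif [ -x "$bindir/pam_tally2" ]; then
    echo "$bindir/pam_tally2 --user=root --reset"
  else
    echo "no faillock or pam_tally2 found in $bindir" >&2
    return 1
  fi
}

# Constructed sample of `faillock --user root` output: three valid failures
# from one source address, which is enough to trip a deny=3 policy.
SAMPLE_FAILLOCK='root:
When                Type  Source                                           Valid
2024-03-01 08:02:11 RHOST 192.0.2.10                                       V
2024-03-01 08:02:30 RHOST 192.0.2.10                                       V
2024-03-01 08:03:05 RHOST 192.0.2.10                                       V'

fails=$(printf '%s\n' "$SAMPLE_FAILLOCK" | count_valid_failures)
cmd=$(unlock_command 2>/dev/null || echo "<no unlock tool on this host>")
if root_is_locked "$fails" 3; then
  echo "root has $fails valid failures: locked, unlock with: $cmd"
else
  echo "root has $fails valid failures: not locked"
fi
```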

You can also update the root password from the appliance shell if the account is not locked.

Procedure

  1. Access the appliance shell and log in as a user who has a super administrator role.
    The default user with a super administrator role is root.
  2. Log in as administrator@vsphere.local, where vsphere.local is your default SSO domain.
  3. Run the localaccounts.user.password.update --username <user name> --password command:
    • localaccounts.user.password.update --username root --password
    • Enter and confirm the new password when prompted.

More information: Update the Password of a Local User in vCenter Server.