How to Reset the Root Password
search cancel

How to Reset the Root Password

book

Article ID: 325005

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

It may be necessary to run the steps from this KB on your Aria Operations appliances if you experience the following issues:

  • Login attempts with an incorrect password will result in a "Login Incorrect" on the console or "Access Denied" via SSH.
  • Login attempts with the correct password when the root account is locked will result in "Login Incorrect" on the console or "Access Denied" via SSH.
  • The root account will be locked after 3 login attempts using an incorrect password.
  • The root account will automatically unlock 10 minutes after the last failed login attempt, but the failed login attempt counter will not reset until the next successful login as root.
  • If the root password is forgotten, it can be reset.

Environment

VMware Aria Operations 8.x (formerly vRealize Operations)

Resolution

The following video shows the process for Aria Operations 8.0 to 8.12.
In versions 8.14 and newer, the configuration file to edit is /etc/security/faillock.conf and the line to comment out is even_deny_root (see Step 11 below)

 

Process to reset the root password:

  1. Log into the Aria Operations admin UI as the local admin user. 
  2. Click Take Offline under Cluster Status.

    Note: Wait for Cluster Status to change to Offline. (While only the target node needs to be taken offline, to avoid cluster issues it is recommended to take the entire cluster offline.)
  3. In the vSphere Client, open the console of the desired node.
  4. With the console open, restart or power on the virtual machine.
  5. Click the cursor into the VM console and when the Photon splash screen appears, immediately press the e key to enter edit mode.

    Note: If you cannot reach the boot menu before the Photon splash screen disappears, enable Force BIOS setup in the Virtual Machine's Settings > VM Options > Boot Options and reboot to gain additional time.
  6. Place the cursor as the end of the line that ends with "elevator=noop audit=1"
  7. Add a space to the end of the line and type rw init=/bin/bash
  8. Press Ctrl-x or F10 to boot to single-user mode.
  9. Remount the root file system
    mount -o remount,rw /
  10. Reset the root password
    passwd
  11. (OPTIONAL) If the root user is locked, modify the configuration to always allow the root user to log in
    1. Open the configuration file in the vi editor
      vi /etc/security/faillock.conf

      Note: In versions 8.0 through 8.12, the file to edit is /etc/pam.d/system-auth

    2. Comment out the even_deny_root directive by placing a # character at the beginning of the line

      Example: #even_deny_root

      Note: In version 8.0 - 8.12 the line to comment out with the # character is:
      #pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
    3. Save and close the file
      :wq
  12. Flush all new data to disk
    sync
  13. Reboot the virtual machine
    reboot -f

    Note: If the reboot command fails, restart the Virtual Machine through vCenter.

  14. (CONDITIONAL) If the configuration was modified in Step 11, revert the change
    1. Open the configuration file in the vi editor
      vi /etc/security/faillock

      Note: In versions 8.0 through 8.12, the file to edit is /etc/pam.d/system-auth

    2. Restore the even_deny_root directive by uncommenting it (removing the # character at the beginning of the line)

      Example: even_deny_root

      Note: In version 8.0 - 8.12 the line to uncomment is:
      pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
    3. Save and close the file
      :wq
  15. Repeat steps 3 through 14 on all additional target nodes
  16. Log in to the Aria Operations admin UI as the local admin user
  17. Click Bring Cluster Online under Cluster Status

NOTE: If the Aria Operations nodes are managed by Aria Suite Lifecycle or part of VMware Cloud Foundation, see the Additional Information section for additional steps necessary to update the root password stored in the Aria Suite Lifecycle locker.

Additional Information

Default root Password

  • The default root password after the appliance is deployed is blank.
  • The root password must be set the first time by logging in via the vSphere console.
  • SSH logins as root will fail until the password is set to a non-blank value.

root Password Requirements

  • Minimum of 8 characters
  • Minimum of 1 uppercase letter
  • Minimum of 1 lowercase letter
  • Minimum of 1 number
  • Minimum of 1 Special character from this list:    !@#$%^&*+=

Additional Steps Required for Clusters Managed by Aria Suite Lifecycle or part of VMware Cloud Foundation

  1. Log in to Aria Suite Lifecycle as a user with administrative privileges
  2. Click the Locker tile
  3. Click Passwords
  4. Click Add
  5. Type the desired password alias in the Password Alias field
  6. Type the Aria Operations node root password (from step 10 of the Resolution section) in the Password and the Confirm Password fields
  7. Click ADD
  8. (CONDITIONAL) If the root password was changed on multiple Aria Operations nodes and unique passwords were used for each node, repeat steps 4-7 to add a new password to the Aria Suite Lifecycle locker for each unique Aria Operations root password used.
  9. Click the VMware Aria Suite Lifecycle logo in the top left corner of the screen
  10. Click the Lifecycle Operations tile
  11. Click Environments
  12. Click VIEW DETAILS for the environment that contains Aria Operations
  13. Click the Operations tab
  14. Click the horizontal three dots button
  15. Select Trigger Inventory Sync and click SUBMIT

    Note: The request will fail with the error LCMVROPSYSTEM25050 or LCMCOMMON80063
  16. Click RETRY
  17. Click the circled x button next to the password linked under Root Password
  18. Click the Select Root Password link
  19. Select the Password Alias from the Locker that was created in step 4-7 and click SUBMIT
  20. (CONDITIONAL) If the root password was changed on multiple Aria Operations nodes, the Inventory Sync request will fail again for each node that the root password was changed on.
    1. Click the FAILED button next to the Aria Operations Product Inventory Sync request
    2. Click the LCMXXXXXXX error number to expand the error details
    3. Note the FQDN or IP address of the Aria Operations node that was tested during this iteration.
    4. Repeat steps 15 through 19 for all nodes that the root password was changed for 
  21. Verify the Inventory Sync completes successfully

Considerations for admin password

  • The Aria Operations console root password can be different than the admin account password that you set when configuring the Aria Operations Primary node.
  • For information on resetting the admin password, see How to Reset the Admin Password.

SSH Connection Refused After Changing root Password

  • After rebooting the node to change the root password, SSH may be disabled for security.
  • To re-enable SSH access, use the steps in Enabling SSH access
Powered by Wolken Software