Reset root password using vSphere Configuration Profiles

Article ID: 404104

Products

VMware vSphere ESXi

Issue/Introduction

  • Bulk ESXi root password reset utilizing a JSON file and password_hash
  • Resetting the root password locally on an ESXi host creates configuration "drift" when using vSphere Configuration Profiles in vSphere 8.0. This occurs because the cluster-level profile tracks the password_hash property. If the password is rotated outside of this Profile, vCenter reports the cluster as out of compliance.

 

Environment

  • vSphere 8.0
  • vSphere Configuration Profiles

Cause

The password_hash property is a tracked element of the vSphere Configuration Profile. When a password is changed locally (via UI, API, or 3rd-party tools), it triggers a non-compliance status because it no longer matches the hash stored in the cluster configuration.

Resolution

Change Root Password via vSphere Configuration Profiles:

  1. Export the Current Desired Configuration In vSphere Client:

    1. Go to the Cluster > Updates > Configuration tab.

    2. Click EXPORT > Reference host configuration

      Note: This will give you a JSON file representing the current config of the reference host of your choosing. 

  2. Edit the JSON File:

    1. Open the exported JSON file.

    2. Look for the following section:

                  "authentication": {
                      "user_accounts": [
                          {
                              "name": "root",
                              "password_hash": "########",
                              "description": "Administrator"
                          }
                      ]
                  }
    3. Update the "password_hash" field with the new root password hash. 

      Note: You can create a password_hash using openssl as shown below. 

      openssl passwd -6

      Example: 
      openssl passwd -6
      Password:
      Verifying - Password:
      ########
    4. Save the JSON file. 

  3. Import the Updated Desired Configuration In vSphere Client:

    1. Create a Draft.

      Select the Cluster > Configure > Desired State > Configuration > Draft.

    2. Import your JSON file.

      Click Import from file in the ... dropdown on the far right. 
      In the Import Configuration File Pop-up, click on BROWSE button > Select your JSON file > then IMPORT

    3. PRE-CHECK. 

      Click on RUN PRE-CHECK in the right pane under Configuration tab and you will see Running draft pre-check.

      Note: You should see the message "Draft pre-check completed and found no errors" if successful. 

    4. Apply Changes.

      Next, click on APPLY CHANGES which will open a Remediate Pop-Up window. 

  4. Review the Remediation. 

    Review the Pre-Check and Review Impact tabs in the Remediate Pop-Up window before applying the configuration changes. 

    Under SUMMARY, it shows high-level details such as whether a host will be put into maintenance mode or whether a reboot is required. 

    Under HOST-LEVEL DETAILS, you can review the impact and the changes that will be made on each of the hosts within the cluster.

    If the impact is acceptable, click on REMEDIATE.

  5. Verify the password has been updated successfully. 

    Your hosts in this cluster should now all have the same password hash configured under Cluster > Configure > Desired State > Settings > Authentication > User Accounts. 
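
The JSON edit in step 2 can be scripted so that only the root password_hash changes and a mistyped value is rejected before import. The Python below is an added example, not part of the original article or of VMware tooling. It assumes the "authentication" section may sit at any depth in the export (so it searches recursively), and it uses a constructed document with hypothetical wrapper keys and constructed placeholder hashes.

```python
import json
import re

# Shape of `openssl passwd -6` output: $6$[rounds=N$]<salt up to 16>$<86-char digest>
SHA512_CRYPT = re.compile(r"\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}")

# Constructed placeholder hashes (correct shape only, not derived from any password).
OLD_HASH = "$6$" + "constructedsalt1" + "$" + "A" * 86
NEW_HASH = "$6$" + "constructedsalt2" + "$" + "B" * 86

# Constructed stand-in for an exported file; the "wrapper"/"host" keys are hypothetical.
SAMPLE = json.dumps({"wrapper": {"host": {"authentication": {"user_accounts": [
    {"name": "root", "password_hash": OLD_HASH, "description": "Administrator"}]}}}})


def iter_user_accounts(node):
    """Yield each account dict under any "authentication" -> "user_accounts" list."""
    if isinstance(node, dict):
        auth = node.get("authentication")
        if isinstance(auth, dict):
            yield from (a for a in auth.get("user_accounts") or [] if isinstance(a, dict))
        for value in node.values():
            yield from iter_user_accounts(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_user_accounts(item)


def set_password_hash(config, new_hash, user="root"):
    """Replace only password_hash for `user`; refuse malformed input or ambiguous matches."""
    if not SHA512_CRYPT.fullmatch(new_hash):
        raise ValueError("not a SHA-512 crypt ($6$) string; was a plaintext password pasted?")
    matches = [a for a in iter_user_accounts(config) if a.get("name") == user]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {user!r} account, found {len(matches)}")
    matches[0]["password_hash"] = new_hash
    return config


def update_export(text, new_hash):
    """Parse exported JSON text, update root's hash, return JSON text ready to import."""
    return json.dumps(set_password_hash(json.loads(text), new_hash), indent=4)


if __name__ == "__main__":
    print(update_export(SAMPLE, NEW_HASH))
```

The format check catches a plaintext password or a truncated hash pasted into the field; the pre-check in step 3 is still the authoritative validation of the draft.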

Additional Information

  • If you require further assistance with automated password rotation systems, please see . Scroll to the bottom of the page and click on your respective region.