In certain environments, administrators may encounter difficulties logging in to guest cluster nodes using the vmware-system-user account. Attempts to authenticate with the SSH password result in a “permission denied” error.
This issue typically arises when the SSH password for the vmware-system-user has expired, preventing successful login. Since the vmware-system-user account is commonly used for system-level access to Tanzu Kubernetes Grid Service (TKGS) clusters, this condition can disrupt administrative workflows and cluster management tasks.
Tanzu Kubernetes Grid Service (TKGS)
vSphere with Tanzu
The vmware-system-user SSH password is configured to expire by default after 60 days. This behavior is part of STIG (Security Technical Implementation Guide) Hardening policies, which enforce password expiration to enhance security compliance. Once the password expires, login attempts using the SSH password fail with a permission denied error, even though the account itself remains valid.
Administrators can restore access by using the SSH private key to log in to the guest cluster nodes and then resetting the expired password. For detailed instructions, refer to Broadcom documentation: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-supervisor/8-0/using-tkg-service-with-vsphere-supervisor/configuring-identity-and-access-for-tkg-service-clusters/connecting-to-tkg-service-clusters-as-a-system-administrator/ssh-to-tkg-cluster-nodes-as-the-system-user-with-a-password.html
Steps to Execute:
1. List the user account details:
chage -l vmware-system-user
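2. Reset the user account password expiration settings (-m 0 sets the minimum password age to 0 days; -M -1 removes the maximum password age, so the password no longer expires and the 60-day STIG expiry is turned off for this account):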
chage -m 0 -M -1 vmware-system-user
3. Verify the updated settings:
chage -l vmware-system-user
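The following is an added example, not part of the original article or Broadcom's tooling: a small shell function that reads the password-aging fields that chage edits in a shadow(5) entry and reports how long the password has left, so the 60-day expiry can be spotted before it blocks a login. The function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Report password-aging status for one shadow(5) entry:
#   name:hash:lastchg:min:max:warn:inactive:expire
# lastchg is in days since 1970-01-01; max is the maximum password age in days.

password_expiry_status() {
    entry=$1   # one line in shadow(5) format
    today=$2   # current date as days since 1970-01-01
    lastchg=$(printf '%s\n' "$entry" | cut -d: -f3)
    max=$(printf '%s\n' "$entry" | cut -d: -f5)

    # Empty or negative max: no maximum age (the state left by chage -M -1).
    case $max in
        ''|-*) echo "never"; return 0 ;;
    esac
    # Empty lastchg: aging is disabled. 0: change is forced at next login.
    case $lastchg in
        '') echo "never"; return 0 ;;
        0)  echo "change-required"; return 0 ;;
    esac

    remaining=$(( lastchg + max - today ))
    if [ "$remaining" -lt 0 ]; then
        echo "expired $(( 0 - remaining ))"
    else
        echo "remaining $remaining"
    fi
}

# Constructed sample entries (the hash field is a placeholder).
stig_default='vmware-system-user:HASH:20000:0:60:7:::'
after_fix='vmware-system-user:HASH:20000:0::7:::'

today=$(( $(date +%s) / 86400 ))
echo "60-day policy:          $(password_expiry_status "$stig_default" "$today")"
echo "after chage -m 0 -M -1: $(password_expiry_status "$after_fix" "$today")"
```

On a node, the same function can be fed the live entry as root, for example with the output of getent shadow vmware-system-user.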