How to reset the root password of VMware ESXi 4.1 and 5.0

According to VMware knowledge base article 1317898 it is not possible to reset the root password of an ESXi installation. Well, maybe it's not easy for non-Unix guys, but it certainly is possible.

The files containing the password hashes is called "shadow". It is contained in  a nested structure of archives:

diagram of the archive structure

You cannot read the password of the root account, as it is one-way-hashed, but you can replace it with a known one or remove it altogether.

Here's a step-by-step guide how change the password file:

  1. First of all, you need to boot your ESXi server with a Linux live CD. I prefer GRML, but any live CD will do. Of course, you can also boot from a USB stick.
     
  2. Find the partition containing a file named "state.tgz". For my installation, it was on a VFAT filesystem labelled "Hypervisor3", which is accessible in GRML at "/mnt/Hypervisor3". You might need to mount it manually with the command

    mount /mnt/Hypervisor3
     

  3. Unpack the "state.tgz" file somewhere. It contains exactly one file, which is another archive named "local.tgz".

    cd /tmp
    tar xzf /mnt/Hypervisor3/state.tgz

     

  4. Unpack the "local.tgz", and find an "etc" directory containing several configuration files.

    tar xzf local.tgz

  5. Edit the file etc/shadow to change the password.

    vi etc/shadow

    Probably the easiest way is to replace the line starting with "root" with the line of another user account of which you know the password. You only need to change the name at the beginning of the line (before the first colon) to "root". You've then set the root password to a password you know.
    Alternatively, you can just remove the hash altogether (everything between the first and the second colon) and login to the service console as root with no password at all.
     

  6. Re-pack the files and move the modified state.tgz back to the VFAT partition. Probably it is a good idea to make a backup copy of the original state.tgz in case something goes wrong:

    mv /mnt/Hypervisor3/state.tgz /mnt/Hypervisor3/state.tgz.bak
    rm local.tgz
    tar czf local.tgz etc
    tar czf state.tgz local.tgz
    mv state.tgz /mnt/Hypervisor3/

     

  7. Reboot back into ESXi and you're done.

 

Thanks Rob for testing it with ESXi 5.0 and letting me know.

so will this method work on

so will this method work on esx server 3i 3.5?

Did not work on ESXi 4.1.0 Build 348481

I tried this out with Ubuntu on one of the servers in my cluster, ESXi 4.1.0 Build 348481. The State.tgz file was not found in any of the partitions. I also took a look at http://www.youtube.com/watch?v=CoL43UBpVyI&feature=youtu.be, which also claimed a similar workaround that would work for 3.5 - 5. Same deal.
Hunted around everywhere to find out what other file could be holding the Shadow file. Does anyone think they know what the difference is here and what a potential solution might be? Thanks in advance for any advice.

ESX 4.1 - a different solution

hey guys, great advice. I have managed to get into my esxi 4.1 because it was active directory joined. I added my domain admin account to a group called ESX Admins (create it if you need to) and then logged in using vSphere client. I could then use the Local Users and Groups tab to reset the root account. I have not tested any other version of ESXi but thought we all needed to know! i hope this helps and thanks again.

Sad but true

Hi All, maybe I have done something wrong, I have followed the instructions exactly to the letter but after booting I get an error that says the boot image is corrupted. Any advise please.

corrupted boot image

 Eugene,
I guess if you have a corrupted image it's easiest to reinstall the ESXi. If you want to try to fix the exising installation, you'll have to get more verbose logs in order to find out what's wrong.
-Bernhard

Thanks!

This worked very well, thanks a ton for posting it!   I  just wanted to add a couple notes in case it helps anyone. 
I built up a test ESXi VM to practiced on a few times first.  I think that's a good idea if you are going to be doing this on a production server.   Note that you won't have a state.tgz until the root password is changed and the machine rebooted at least once. 
I tried a couple other boot CDs I had, but GRML worked the best.  Just download it if you can so you don't have to hunt for which partitions are which and the commands above work as is.
  What I found is that you always have to mount the /mnt/Hypervisor folders to see anything.  So I'd first mount all four by doing:
mount  /mnt/Hypervisor0
mount  /mnt/Hypervisor1
mount  /mnt/Hypervisor2
mount  /mnt/Hypervisor3
And then search for which one(s) have the state.tgz by using the find command:
cd /mnt
find -name state.tgz
My servers had state.tgz in two directories.   I was pretty sure it was the one with the most recent modified date, but I modified both because I only wanted to do this once.   If you modify two, just make sure you make extra directories under the /tmp folder and add that path to the commands above so you don't risk mixing files from two directories.  
 
Thanks again Bernhard, you saved my bacon big time.  This was a production cluster and the only person with the passwords left the company on poor terms.  It had been removed from Vcenter and we were totally stranded.   If you are ever in Salt Lake, let me know and we'll buy you lunch. 

Easier way if you have admin account

There is an easier way that I discovered on ESXi 4.1.0 build 260247
There is a root user, and a root group.  Members of the root group have the ability to reset passwords from the vSphere client for other local users.  So if you have an account with administrator role, you can do the following:
1) Create a new user, just to make sure you don't mess up existing account, we'll call it admin2.
2) Give admin2 Administrator role
3) add admin2 to the root group.  Do this from the Local Users and Groups tab, Click group button.  Double click root group and on that screen add admin2 to the root group.
4) Log out and log in as admin2.
5) Go back to local users and groups, Users button.  Right click root (User not group) and select change password.  Enter new password twice.
6) Click OK
After this, I was able to log in as root with the new password

 Thanks! It's working with

 Thanks!
It's working with ESXi5 U1 :) Saved my life !

works

Ubuntu live CD recognized the partitions and mounted them mountable under /media. Changed both tarballs under /media/Hypervisor1 and /media/Hypervisor2 ( was not sure which one would be used )
Thanks !

HD Video tutorial on how to do this

Thanks a million

You tutorial same me ! thanks a million, it work like a charm on ESXI 5 

Works on ESXi 5.0.0 with CentOS 5.6 LiveCD

I realize this thread hasn't been active in awhile, but I stumbled across it while trying to solve the same issue for a lost root password to an inherited ESXi 5.0.0 server. I only had to make slight changes to the instructions above. I used a CentOS 5.6 x86_64 LiveCD to boot the ESXi server into, then to find state.tgz, I had to mount the following:
 
# mount /dev/sda3 /mnt
 
At that point, the file was located at /mnt/state.tgz, and I could continue the rest of the instructions above. To figure out which device to mount, I looked in '/dev/disk/by-label' and saw a link called 'ESXi' that pointed to /dev/sda. From there, I mounted the partitions (sda1, sda2, sda3, etc) and checked the contents until I found the partition with state.tgz in it (in my case it was /dev/sda3 as indicated above).
 
Thanks for posting the solution! This is going to save me a lot of time.

Cannot find shadow file....

I was able to find the state.tgz file but after untaring the local.tgz file there is no shadow file inside the etc directory.... what gives? I searched every other partition as well...

Thanks!

This saved me a ton of time.  I was able to use the Ubuntu 11 Live CD.  I am not very proficient in Linux and was able to complete using GUI methods. 

Great Tip

Thanks for sharing this !! It works.. Not with GRML but i used an opensuse 12.1 JeOS ..
Thx again

Used with Ubuntu live cd

Hi Bernhard,
Thanks very much for taking the time to document this.  I successfully performed the procedure using an ubuntu live cd with the only differences being:
The live cd didn't generate the mount points, instead I had to perform: mount /dev/disk/by-label/Hypervisor3 /mnt and then used just /mnt as the path for the remainder steps.
After I did so, the state.tgz file wasn't there.  Thanks to the other commentors, I discovered it on the Hypervisor1 partition.  Which I mounted using mount /dev/disk/by-label/Hypervisor1
Thanks again,
Nathan
 

Root Retrieval

Within the file I have
root:*::0:99999:7:::
Isnt the * in this line nulling the login of the root password?
Would I need to change this to something else.
 

Great article...

Worked flawlessly and saved my day...Thank you!!! 

Problem when move state.tgz

Hello evebody,
When I try to move the packed state.tgz from /tmp to /mnt/Hypervisor1 (in my case)... i get the following message:
Failed to preserve ownership: Operation not permitted 
Any solution?
Thanks!

I guess this only indicates

I guess this only indicates that ownership (and access rights) are not supported by the VFAT filesystem, which is mounted on /mnt/Hypervisor1. They are supported in /tmp, though, so they are created first and cannot be preserved when moving the file.
You can safely ignore this error message, the file is moved anyway and the ownership and permissions of the state.tgz are irrelevant.

determine the location of the most recent state.tgz file

our esxi 4.0.0 | 181792  host suddenly did not allow login for root and the only other user. pwds were known, were not changed. nobody knows why this happened: no login via vsphere, no login via console and via unsupported console, neither via ssh (we enabled ssh some months ago)

very strange...

*thanks to your description* we could manage to get rid of the pwd-hashes and now login is again possible

one hint:

we had to determine the location of the most *recent* state.tgz. first we changed the false one (/mnt/Hypervisor1), then thanks to http://www.vm-help.com/esx/esx3i/Reset_root_password.php we saw, that we had to change the "most recent state.tgz", which is located in /mnt/Hypervisor2) on our machine

 

Saved

This procedure saved my scheduled maintenance. Thanks!
On my ESXi host, state.tgz was located in /mnt/Hypervisor1.

Not working on vsphere esxi4.1

Hi, Bernhard,
On vsphere esxi4.1, the state.tgz will be replaced by the backup files whenever you changed the it. I did the same as you did and it didn't work, then I mount the partition again to check the shadow file, it changed back again somehow.  Those backup files were store on the vmfs partition so I couldn't mount it to delete the backup files.
Any idea?
Cheers,
Tomasa

works for me

Tomasa,
I cannot reproduce the problem you describe with vsphere esxi 4.1. Editiing the state.tgz works perfectly fine for me. Maybe your state.tgz got corrupted during the editing, so that esxi replaced the file with a backup?
regards, Bernhard

Thank You !

Hi Bernard,
Just wanted to say a huge thanks. Have an ESXi 4.0 box here which another administrator setup and didn't provide the password.  Your workaround saved the day for us ! 
Regards,
HKN