How to reset the root password of VMware ESXi 4.1 and 5.0
According to VMware knowledge base article 1317898 it is not possible to reset the root password of an ESXi installation. Well, maybe it's not easy for non-Unix guys, but it certainly is possible.
The files containing the password hashes is called "shadow". It is contained in a nested structure of archives:
You cannot read the password of the root account, as it is one-way-hashed, but you can replace it with a known one or remove it altogether.
Here's a step-by-step guide how change the password file:
- First of all, you need to boot your ESXi server with a Linux live CD. I prefer GRML, but any live CD will do. Of course, you can also boot from a USB stick.
- Find the partition containing a file named "state.tgz". For my installation, it was on a VFAT filesystem labelled "Hypervisor3", which is accessible in GRML at "/mnt/Hypervisor3". You might need to mount it manually with the command
mount /mnt/Hypervisor3
- Unpack the "state.tgz" file somewhere. It contains exactly one file, which is another archive named "local.tgz".
cd /tmp
tar xzf /mnt/Hypervisor3/state.tgz
- Unpack the "local.tgz", and find an "etc" directory containing several configuration files.
tar xzf local.tgz - Edit the file etc/shadow to change the password.
vi etc/shadowProbably the easiest way is to replace the line starting with "root" with the line of another user account of which you know the password. You only need to change the name at the beginning of the line (before the first colon) to "root". You've then set the root password to a password you know.
Alternatively, you can just remove the hash altogether (everything between the first and the second colon) and login to the service console as root with no password at all.
- Re-pack the files and move the modified state.tgz back to the VFAT partition. Probably it is a good idea to make a backup copy of the original state.tgz in case something goes wrong:
mv /mnt/Hypervisor3/state.tgz /mnt/Hypervisor3/state.tgz.bak
rm local.tgz
tar czf local.tgz etc
tar czf state.tgz local.tgz
mv state.tgz /mnt/Hypervisor3/
- Reboot back into ESXi and you're done.
Thanks Rob for testing it with ESXi 5.0 and letting me know.
Thanks a million
You tutorial same me ! thanks a million, it work like a charm on ESXI 5
Works on ESXi 5.0.0 with CentOS 5.6 LiveCD
I realize this thread hasn't been active in awhile, but I stumbled across it while trying to solve the same issue for a lost root password to an inherited ESXi 5.0.0 server. I only had to make slight changes to the instructions above. I used a CentOS 5.6 x86_64 LiveCD to boot the ESXi server into, then to find state.tgz, I had to mount the following:
# mount /dev/sda3 /mnt
At that point, the file was located at /mnt/state.tgz, and I could continue the rest of the instructions above. To figure out which device to mount, I looked in '/dev/disk/by-label' and saw a link called 'ESXi' that pointed to /dev/sda. From there, I mounted the partitions (sda1, sda2, sda3, etc) and checked the contents until I found the partition with state.tgz in it (in my case it was /dev/sda3 as indicated above).
Thanks for posting the solution! This is going to save me a lot of time.
Thanks!
This saved me a ton of time. I was able to use the Ubuntu 11 Live CD. I am not very proficient in Linux and was able to complete using GUI methods.
Great Tip
Thanks for sharing this !! It works.. Not with GRML but i used an opensuse 12.1 JeOS ..
Thx again
Used with Ubuntu live cd
Hi Bernhard,
Thanks very much for taking the time to document this. I successfully performed the procedure using an ubuntu live cd with the only differences being:
The live cd didn't generate the mount points, instead I had to perform: mount /dev/disk/by-label/Hypervisor3 /mnt and then used just /mnt as the path for the remainder steps.
After I did so, the state.tgz file wasn't there. Thanks to the other commentors, I discovered it on the Hypervisor1 partition. Which I mounted using mount /dev/disk/by-label/Hypervisor1
Thanks again,
Nathan
Root Retrieval
Within the file I have
root:*::0:99999:7:::
Isnt the * in this line nulling the login of the root password?
Would I need to change this to something else.
Great article...
Worked flawlessly and saved my day...Thank you!!!
Problem when move state.tgz
Hello evebody,
When I try to move the packed state.tgz from /tmp to /mnt/Hypervisor1 (in my case)... i get the following message:
Failed to preserve ownership: Operation not permitted
Any solution?
Thanks!
I guess this only indicates
I guess this only indicates that ownership (and access rights) are not supported by the VFAT filesystem, which is mounted on /mnt/Hypervisor1. They are supported in /tmp, though, so they are created first and cannot be preserved when moving the file.
You can safely ignore this error message, the file is moved anyway and the ownership and permissions of the state.tgz are irrelevant.
determine the location of the most recent state.tgz file
our esxi 4.0.0 | 181792 host suddenly did not allow login for root and the only other user. pwds were known, were not changed. nobody knows why this happened: no login via vsphere, no login via console and via unsupported console, neither via ssh (we enabled ssh some months ago)
very strange...
*thanks to your description* we could manage to get rid of the pwd-hashes and now login is again possible
one hint:
we had to determine the location of the most *recent* state.tgz. first we changed the false one (/mnt/Hypervisor1), then thanks to http://www.vm-help.com/esx/esx3i/Reset_root_password.php we saw, that we had to change the "most recent state.tgz", which is located in /mnt/Hypervisor2) on our machine
Saved
This procedure saved my scheduled maintenance. Thanks!
On my ESXi host, state.tgz was located in /mnt/Hypervisor1.
Not working on vsphere esxi4.1
Hi, Bernhard,
On vsphere esxi4.1, the state.tgz will be replaced by the backup files whenever you changed the it. I did the same as you did and it didn't work, then I mount the partition again to check the shadow file, it changed back again somehow. Those backup files were store on the vmfs partition so I couldn't mount it to delete the backup files.
Any idea?
Cheers,
Tomasa
works for me
Tomasa,
I cannot reproduce the problem you describe with vsphere esxi 4.1. Editiing the state.tgz works perfectly fine for me. Maybe your state.tgz got corrupted during the editing, so that esxi replaced the file with a backup?
regards, Bernhard
Thank You !
Hi Bernard,
Just wanted to say a huge thanks. Have an ESXi 4.0 box here which another administrator setup and didn't provide the password. Your workaround saved the day for us !
Regards,
HKN