Forgetting passwords is something that unfortunately happens to everyone. And that’s why password managers exist. No, it’s not ok to write them down on yellow sticky notes stuck to your monitor unless you want to give your security guys a heart attack. I guess, given this post’s title, you know where I’m going with this.

It’s 10 in the evening. You get a call and start troubleshooting right away. You figure that a management services restart will fix the issue. Your host is connected to a remote KVM switch, so you press F2 and type in the password. No dice. Maybe it’s a typo, maybe not. You try again and again, and end up locking yourself out. You did save the password, but along the way you changed it and forgot to update it in your password manager. According to VMware, the only supported fix is to re-install ESXi unless you’re still running ESX, which is highly unlikely.

In the pre-ESXi era, the hypervisor had a service console which enabled you to boot in single-user mode. This allowed you to change the password from bash. Incidentally, this method can still be used nowadays to change the root password of a vCenter Server appliance. No such thing for ESXi.

In today’s post, I’ll show you how you can use a Live Linux CD/DVD to change the root password on your ESXi host. VMware does not support this method citing complexity, but I don’t buy this – there is nothing really complex about it. ESXi stores the root password as a hash in /etc/shadow, as is standard with Linux.

How it all works



First off, SSH to your host and have a look at /etc/shadow. You should see something like this.

This is from a test ESXi host I use, so be my guest and try to reverse the password hash. Good luck with that. The string boxed in red is what we’re after. Deleting it will reset the password to null. Of course, if you can’t log in to your host as root, there’s no way you can do this, which is why we use a live CD. Booting off a Linux Live CD/DVD allows us to access and change the file. The trick is knowing which file to change. Changing the one that’s accessible when SSH’ed to the host is of no use since the changes are overwritten once you boot up the host.

As you probably know, ESXi uses several disk partitions. One, in particular, is called bootbank. This partition contains the hypervisor core files and the host’s configuration which is what ends up being loaded into memory. The partition, by default, is called /dev/sda5.

The /etc/shadow file we’re after is found in a compressed archive called state.tgz which is found under /dev/sda5. So, here’s what we need to do.

Download a Live Linux CD/DVD. Take your pick from this list. I chose the Gparted LiveCD one.

Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.

Mount /dev/sda5 and copy state.tgz to a temp folder.

Uncompress state.tgz and edit the shadow file.

Recompress the archive and overwrite state.tgz with it.

Unmount and reboot the host.

Resetting the root password



The following procedure documents how one would go about resetting the password for root on an ESXi 6.5 host. This should work on earlier versions of ESXi, though I only tested it on 6.x. It also makes no difference whatsoever if the host is physical or nested.

For this post, I’m using a nested host for convenience’s sake alone. And, yes, I carried out this same procedure a number of times on physical ESXi hosts. Note also that the host must be powered down for this to work, so unless migrated, all hosted VMs will obviously stop working.

Step 1 – Insert the bootable Live CD, make sure your server can boot off CD/DVD or USB and power it up. If you’re using the Gparted LiveCD, just follow the on-screen instructions as it is loading.

Step 2 – Locate the 2 partitions sized 250MB. As mentioned, /dev/sda5 is what we’re after assuming you installed ESXi on the first available disk. This may differ if, for instance, you installed ESXi on a USB device.

Step 3 – Open a terminal window and run the following commands in the exact order listed.

    sudo su
    mkdir /boot /temp
    mount /dev/sda5 /boot
    cd /boot
    cp state.tgz /temp
    cd /temp
    tar -xf state.tgz
    tar -xf local.tgz
    rm *.tgz
    cd etc

We’re going to use vi to edit the shadow password file. Just move to the line starting with root and delete the string between the first 2 colons. Use the [Delete] key. When done, press [:] and type wq followed by [Enter].

Continue by running the following batch of commands.

    cd ..
    # -z gzip-compresses the archives so they match their .tgz names
    tar -czf local.tgz etc/
    tar -czf state.tgz local.tgz
    # overwrite the copy on the mounted bootbank partition
    mv state.tgz /boot
    umount /boot
    reboot

Step 4 – Once the ESXi host is back online, try logging in as root either from the DCUI (console) or via SSH using PuTTY or similar. You should be able to log in without keying in a password, although you will be reminded to set one, which is what you should do.
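To check the result of the edit before rebooting, or to audit a copy of a bootbank for an account left without a password, the nested archive can be inspected without touching the original. This is an added example, not part of the original post; it assumes the 6.x layout described above (state.tgz containing local.tgz containing etc/shadow), and the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose password field is empty in the shadow
# file nested inside an ESXi-style state.tgz (state.tgz -> local.tgz -> etc/shadow).

# empty_hash_accounts STATE_TGZ  (hypothetical helper name)
# Prints one account name per line; returns 2 if the nesting is not as expected.
empty_hash_accounts() {
    work=$(mktemp -d) || return 2
    # Work on extracted copies in a scratch directory; the input file is only read.
    if tar -xf "$1" -C "$work" local.tgz 2>/dev/null &&
       tar -xf "$work/local.tgz" -C "$work" etc/shadow 2>/dev/null; then
        # shadow format is name:hash:lastchg:... ; an empty field 2 means no password
        awk -F: '$2 == "" { print $1 }' "$work/etc/shadow"
        rc=0
    else
        rc=2
    fi
    rm -rf "$work"
    return $rc
}

# make_sample_state DIR ROOT_HASH_FIELD  (hypothetical helper name)
# Builds a constructed state.tgz with the same nesting; the data is not from a real host.
make_sample_state() {
    mkdir -p "$1/etc"
    printf 'root:%s:13358:0:99999:7:::\ndcui:*:13358:0:99999:7:::\n' "$2" \
        > "$1/etc/shadow"
    ( cd "$1" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz &&
      rm -rf etc local.tgz )
}

demo=$(mktemp -d)
make_sample_state "$demo/before" '$6$CONSTRUCTED$placeholderhash'
make_sample_state "$demo/after" ''
echo "before reset: [$(empty_hash_accounts "$demo/before/state.tgz")]"
echo "after reset:  [$(empty_hash_accounts "$demo/after/state.tgz")]"
rm -rf "$demo"
```

On the live CD this would be pointed at /boot/state.tgz after the mv and before the umount; any name it prints is an account that can log in without a password until one is set.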


Conclusion



There isn’t really much more to add other than to urge you to get into a habit of saving your passwords using a reliable password manager. While unsupported by VMware, the procedure outlined today works every time, at least on ESXi 6.x, but it should also work with older releases. I have not come across any side-effects when using this hack, understandably so, considering we’re simply zeroing out a hash value from a password file. Ever lost your password and were frozen out of ESXi? What did you do? Let me know in the comments below. And as always, if you need any help with the above information, I’m happy to help out.