Forgetting passwords is something that unfortunately happens to everyone, and resetting the ESXi root password requires a bit of attention from your side. And that’s why password managers exist. No, it’s not ok to write them down on yellow sticky notes stuck to your monitor unless you want to give your security guys a heart attack. I guess, given this post’s title, you know where I’m going with this if you forgot your ESXi root password.
It’s 10 in the evening. You get a call and start troubleshooting right away. You figure that a management services restart will fix the issue. Your host is connected to a remote KVM switch, so you press F2 and type in the password. No dice. Maybe it’s a typo, maybe not. You try again and again, and end up locking yourself out because of a forgotten root password. You did save the ESXi password, but along the way you changed it and forgot to update it in your password manager. According to VMware, the only supported fix is to re-install ESXi, unless you’re still running ESX, which is highly unlikely.
In the pre-ESXi era, the hypervisor had a service console that enabled you to boot in single-user mode. This allowed you to change the password from bash. Incidentally, this method can still be used nowadays to change the root password of a vCenter Server appliance. No such thing for ESXi.
In today’s post, I’ll show you how you can use a Live Linux CD/DVD to change the root password on your ESXi host. VMware does not support this method, citing complexity, but I don’t buy this – there is nothing really complex about it. ESXi stores the root password as a hash in /etc/shadow, as is standard with Linux.
An invalid password typed in at the console
How it all works
First off, SSH to your host and have a look at /etc/shadow. You should see something like this.
This is from a test ESXi host I use, so be my guest and try to reverse the password hash. Good luck with that. The string boxed in red is what we’re after. Deleting it will reset the password to null. Of course, if you can’t log in to your host as root, there’s no way you can do this, which is why we use a live CD. Booting off a Linux Live CD/DVD allows us to access and change the file. The trick is knowing which file to change. Changing the one that’s accessible when SSH’ed to the host is of no use, since the changes are overwritten once you boot up the host.
As you probably know, ESXi uses several disk partitions. One, in particular, is called bootbank. This partition contains the hypervisor core files and the host’s configuration which is what ends up being loaded into memory. The partition, by default, is called /dev/sda5.
The /etc/shadow file we’re after is found in a compressed archive called state.tgz which is found under /dev/sda5. So, here’s what we need to do.
- Download a Live Linux CD/DVD. Take your pick from this list. I chose the Gparted LiveCD one.
- Burn a USB or CD/DVD with the Live CD/DVD and boot your host off it.
- Mount /dev/sda5 and copy state.tgz to a temp folder.
- Uncompress state.tgz and edit the shadow file.
- Recompress the archive and overwrite state.tgz with it.
- Unmount and reboot the host.
How to reset ESXi root password
The following procedure documents how one would go about resetting the password for root on an ESXi 6.5 host. This should work on earlier versions of ESXi, though I only tested it on 6.x. It also makes no difference whatsoever if the host is physical or nested.
It is of utmost importance to note that you will not be able to ‘deceive’ ESXi’s security and change the node’s root password without powering it off. Meaning you need to evacuate the VMs to other hosts in the cluster or shut them down to place the host in maintenance mode.
For this post, in order to reset the ESXi root password, I’m using a nested host for convenience’s sake alone. And, yes, I carried out this same procedure a number of times on physical ESXi hosts. Note also, that the host must be powered down for this to work so unless migrated, all hosted VMs will obviously stop working.
Step 1 – Insert the bootable Live CD, make sure your server can boot off CD/DVD or USB and power it up. If you’re using the Gparted LiveCD, just follow the on-screen instructions as it is loading.
Booting off the GParted LiveCD
Step 2 – Locate the 2 partitions sized 250MB. As mentioned, /dev/sda5 is what we’re after assuming you installed ESXi on the first available disk. This may differ if, for instance, you installed ESXi on a USB device.
GParted listing the ESXi partitions found on the primary disk. Your mileage may vary according to the size of the boot drive and the medium (SD, USB, drive…).
ID | Name | Description | Size
1 | System boot | Used to boot the OS. | 4MB
2 | Scratch | Persistent storage of VMware support bundles. Created if media is larger than 8.5GB. | 4GB (Dynamic)
3 | VMFS datastore | Any remaining unallocated space is used to create a local datastore. Created if media is larger than 8.5GB. | Remaining space. (Dynamic)
5 | Bootbank (bootbank 0) | Store the current ESXi image. | 250MB
6 | Altbootbank (bootbank 1) | Stores the previous ESXi image after an upgrade. Used for rollback operations. | 250MB
7 | vmkDiagnostic (small core-dump) | Capture the output of a purple diagnostic screen in case of ESXi crash. | 110MB
8 | Store (locker) | Storage of ISOs for VMware tools. | 286MB
9 | 2nd diagnostic partition (large core-dump) | Additional space for coredumps to avoid logs truncation. Created if media is larger than 3.4GB. | 2.5GB
“vSphere 6.x partitions layout.”
Note that the partition layout changed dramatically in vSphere 7 compared to vSphere 6.x. It is now consolidated in fewer partitions leveraging dynamic sizing and VMFS-L.
vSphere 6.x vs vSphere 7 partitions layout
Step 3 – Open a terminal window and run the following commands in the exact order as listed.
sudo su
mkdir -p /boot /temp
mount /dev/sda5 /boot
cd /boot
cp state.tgz /temp
cd /temp
tar -xf state.tgz
tar -xf local.tgz
rm *.tgz
cd etc
The first batch of commands that need to be run to get to the shadow password file
We’re going to use vi to edit the shadow password file. Move to the line starting with root and delete the string between the first 2 colons. Use the [Delete] key. When done, press [:] and type wq followed by [Enter].
Delete the encrypted root password to reset it to null i.e. the root account will not have a set password
Continue by running the following batch of commands.
cd ..
tar -czf local.tgz etc/
tar -czf state.tgz local.tgz
mv state.tgz /boot
umount /boot
reboot
Step 4 – Once the ESXi host is back online, try logging in as root either from the DCUI (console) or via SSH using putty or similar. You should be able to log in without keying in a password although you will be reminded to set one which is what you should do.
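To confirm what a state.tgz actually contains before it is written back, or to audit a bootbank for a blanked root entry, the following shell sketch reads the nested archive without modifying it. It is an added example, not part of the original post; the function names `make_sample` and `root_hash_state` and the sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only check of root's password field inside an ESXi
# state.tgz (state.tgz -> local.tgz -> etc/shadow).

# make_sample DIR HASH: build a CONSTRUCTED state.tgz for testing (no real data).
make_sample() {
    mkdir -p "$1/etc"
    printf 'root:%s:13358:0:99999:7:::\n' "$2" > "$1/etc/shadow"
    (cd "$1" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz)
}

# root_hash_state FILE: print "set", "empty" or "invalid" for FILE.
root_hash_state() {
    archive=$1
    state=invalid
    work=$(mktemp -d) || return 2
    # Both layers must be gzip-compressed tar archives; a plain tar saved
    # under a .tgz name (tar -cf instead of tar -czf) is reported as invalid.
    if gzip -t "$archive" 2>/dev/null &&
       tar -xzf "$archive" -C "$work" local.tgz 2>/dev/null &&
       gzip -t "$work/local.tgz" 2>/dev/null &&
       tar -xzf "$work/local.tgz" -C "$work" etc/shadow 2>/dev/null
    then
        # Field 2 of the colon-separated root line holds the password hash.
        state=$(awk -F: '
            $1 == "root" { found = 1; print ($2 == "" ? "empty" : "set"); exit }
            END { if (!found) print "invalid" }' "$work/etc/shadow")
    fi
    rm -rf "$work"
    echo "$state"
}

# Demo on constructed samples.
demo=$(mktemp -d)
make_sample "$demo/hashed" 'x-constructed-hash-x'
make_sample "$demo/blank" ''
echo "hashed sample: $(root_hash_state "$demo/hashed/state.tgz")"
echo "blank sample:  $(root_hash_state "$demo/blank/state.tgz")"
rm -rf "$demo"
```

Run `root_hash_state` against the state.tgz on each of the two 250MB partitions; an "empty" result on a host nobody reset deliberately means the root account has no password and should be investigated.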
How do I recover my root password?
Here’s a video demonstrating how to carry out the password recovery procedure from start to finish and reset the root password.
Conclusion
There isn’t really much more to add other than to urge you to get into the habit of saving your passwords using a reliable password manager. While unsupported by VMware, the procedure for resetting an ESXi root password outlined today works every time, at least on ESXi 6.x, and it should also work with older releases. I have not come across any side-effects when using this hack for ESXi root recovery, understandably so, considering we’re simply zeroing out a hash value from a password file. Ever lost your password and been frozen out of ESXi? What did you do? Let me know in the comments below. And if you need any help with resetting the ESXi root password, I’m happy to help out.
71 thoughts on "How to Reset the ESXi Root Password"
Really good walk-through. In the past I have been able to reset a password using Host Profiles. Security and Services> Security Settings> Security> User Configuration> root> set the password to “Fixed password” and type it in.
Thanks!
Yes, but in order to do this, you need the highest possible VMware licence, Enterprise Plus.
If you’re able to get into vCenter then you can quickly change the root password via the customer VIB and accompanying PowerCLI script I had to create for just such a purpose. https://gitlab.com/meyeaard/ESXi_5-6_root_Recovery
In my case I didn’t even have vCenter access and had to do the standard Linux password recovery procedure (boot loader init=/bin/sh override…). Once I had root on the VCSA, I was able to use the console command to change the PW on the [email protected] account and finally from there manage the hosts. (I was on a VCSA 5.5; they may have locked down the bootloader on the newer VCSA releases, so this may not be an option.)
If you’re concerned with running my customer VIB which does include a script, I include all the detail needed to build your own in the GitLab repository as well.
If you’re on vSphere 6.0 or greater I *think* there may be a PowerCLI command added that will change the root password through the vCenter management API vs directly connecting to the ESXi hosts. I’ve not used it and so far haven’t had the need to do so.
Will this work without vcenter?
Yes it should.
If your host is managed by a vCenter, you can recover root using this custom VIB method. https://gitlab.com/meyeaard/ESXi_5-6_root_Recovery
Great. Will give it a try!
Awesome workaround and lifesaver! Helped me recover a sandbox ESXi which would have otherwise had to be reinstalled losing all our VMs..
Worked perfectly on 6.7, thanks!
Great! Excellent article!
Worked great. Very clear.
Thank you.
Nice works, you saved me a lot of time with reinstalling ESXi. Thanks!
Very excited when I saw that these steps worked. Thank you so much! You’ve brought hope to the hopeless.
worked great (saved my day and more)
Hi Jason. I have done this procedure nice and smooth from beginning to end, but after restart there is still prompt for root password. I’ve done it for ESXi 6.0.0. I thought that maybe password after restart was revert to original, but after another restart I see that in shadow file there is no password for root. So maybe there is another place where I must remove it?
Worked for me on esxi 6.5 🙂
Just to note – I did this trick for both /dev/sda5 and /dev/sda6 because only with sda5 was not enough – password was still in place after reboot
Do not forget about the partition /dev/sdd6; it seems it is a backup/mirror partition!
Thanks! is this gonna work for esxi 6.7?
This method should work for 6.7.
unfortunately not.
There is no shadow file in the etc folder.
any ideas on that?
Reinstall is not a good option for me because it’s a pain in the a** with my hoster.
I would look under /dev/sda5.
I was able to do this from within a BART PE disc (maybe I should have used a Linux Live CD instead). Used Notepad to edit the file, then used 7zip to tar gzip it back. Placed the file back into its original location, but after starting up the host, saw it unregistered my VM and lost the custom network settings.
Just wanted to see if anyone else had that issue, or to put that out there, as a caveat for doing this. It’s no biggie, I just had to register the VM and recreate my network settings.
It could also be some glitch or something I did that could have caused that issue. But, I did not do anything else but attempted multiple failed logins, and forced shutdown with power button.
Other than that. It worked great, regained access to my esxi host. Appreciate the information!
Just did it in ESXi 6.7.0 and works, really easy, thanks a lot!!
where did you find the shadow file?
I mounted almost every partition and searched it, but did not find it.
Thank you for this walk through. I’ve taken over as IT Manager for a small company after they sacked the previous guy. No passwords for anything and a nightmare seeing how everything is built.
ESXi 6.5 running 3 VM Servers, 1 of which crashed and no access to it or the VMware.
This walk through was invaluable and very much appreciated. Reset password, login, powered all servers up – day saved.
Thanks for sharing your experience.
Hey Colin, thanks for the feedback. Glad you enjoyed the post.
Hey Ryan, thank you so much for this post. You’ve helped me out a lot in getting access to a VMWare host that was taken hostage by a scorned IT guy.
One thing I’d like to add is that it may not always be partition 5 on the device that is being used at boot by VMWare. In my case, the boot drive was a flash drive, and editing the state.tgz on sdd5 did not reset the root password for me. However, once I repeated the steps on sdd6, I was able to get in to the host. It seems like whichever partition among the two 250MB ones has the least amount of free space, is the one you want to edit.
Glad to hear you got it resolved! Thanks for the comment.
Saved my day. Thank you!
Great article Ryan helped me to reset the password on my own esx host that I built a couple months ago on 6.0 and couldn’t remember the password doh!!. Worked fine just changed it on sda5.
Worked great, it was sdf5 for me. Thanks heaps!
I am able to remove the password, but when I tried to change the password after reboot it is not accepting any passwords, irrespective of how complex the password is. It is giving me a complexity requirements error.
Great!
Saved my day!
Worked like a charm on VMWare ESXi 6.5 U1, thank U very much!
After resetting the password it is giving me a hard time to set a new one and is not keeping the network settings.
Any suggestions?
thank you
Hi Fabiano,
Are you getting an error when trying to set a new password?
Did the exact steps but note you need to run the Terminal with Root Privileges. Otherwise, no bueno.
Thanks for the heads up Scott!
This website allowed me to remove my ESXi 6.7 password that I had forgotten. The initial instructions should be updated to edit both sdx5 and sdx6 partitions as they appear to be mirrors so you do need to modify both. Watch the video as well before you do this procedure, it helps explain the editing of the shadow file.