How to reset the root password on ESXi 7.0U2 and later
Starting with 7.0 Update 2, the way some ESXi configuration data is stored has changed, and the local user passwords are among the data affected.
VMware (and now Broadcom) officially states that the ESXi root password cannot be reset: if an administrator forgets it, the host has to be reinstalled (unless the host is already attached to a vCenter, in which case a host profile can be used).
Today we are sharing the method for the new versions; it has been tested up to version 9 in our test environment.
1- Boot your server from an ESXi ISO of version 7.0U2 or higher (preferably the same version that is installed on the server).
2- Once the installer has loaded from the ISO and its screen is displayed, press Alt+F1 to switch to the console and log in to the shell as root with an empty password (the installer environment has no root password set).
3- If you are not comfortable working on the console (for example, because you cannot copy and paste), you can start the SSH service and connect through it.
First, make sure your ESXi host has an IP address of some kind. By default ESXi obtains an IPv4 address via DHCP if a DHCPv4 server is available, and an IPv6 address via SLAAC with an EUI-64 interface identifier. You can check with:
localcli network ip interface ipv4 address list
localcli network ip interface ipv6 address list
If these methods for assigning an IP don’t work for you and you would prefer to use a static IP address, you can do it this way:
localcli network ip interface ipv4 set --interface-name vmk0 --ipv4 YOUR_IPv4_Address --netmask YOUR_NETMASK --type static
localcli network ip interface ipv6 address add --interface-name vmk0 --ipv6 YOUR_IPv6_ADDRESS/PREFIX
Before enabling SSH, make sure you set a valid password for the root user. To do this, use this command:
passwd root
If you enable the SSH service without setting a password, anyone who can reach the host can log in as root over SSH without a password, which is obviously very dangerous, especially if the host is on a public IP address.
Finally, use the following command to enable SSH:
/etc/init.d/SSH start
This starts the SSH server on port 22/tcp.
4- The installer environment mounts the partitions of the installed disk for you by default; you can find them under this path:
/vmfs/volumes/
5- The partitions we are interested in are labeled BOOTBANK1 and BOOTBANK2 and are formatted as FAT (vfat). If you have never updated your ESXi, BOOTBANK2 will be empty; otherwise, ESXi switches to the other bootbank every time a successful update is applied. I will not go further into the details of bootbanks, and from now on I will assume that your ESXi boots from BOOTBANK1.
If you want to be 100% sure, let the original ESXi start and, while the bootloader waits for 5 seconds, press Shift+O and note the bootUUID value shown at the bottom of the screen on the bootloader command line. After booting the server from the ISO, match that UUID against the output of this command:
localcli storage filesystem list
6- The ESXi configuration, including user passwords, is stored in the state.tgz file. In newer versions of ESXi, extracting this file yields two files: encryption.info and local.tgz.ve.
I use these commands.
mkdir /tmp/digiboy
cd /tmp/digiboy
cp /vmfs/volumes/BOOTBANK1/state.tgz .
tar x -z -f state.tgz
In older versions of ESXi, this archive contained only a local.tgz.
Note: since the bootbank file system is FAT, which cannot store Unix ownership and permission bits, extracting there would lose them. I did this in /tmp so as not to lose them.
The local.tgz.ve file is what VMware calls an envelope file and is encrypted, so you can no longer simply extract it and view or modify its contents as before.
The encryption.info file is a plain-text file whose contents depend on the encryption mode that is set (currently it can be NONE or TPM).
If your hardware supports it and you would like to switch from NONE to the more secure TPM mode, you can run one of these commands after you have reset your password and logged in to your ESXi:
localcli system settings encryption set --mode TPM
esxcli system settings encryption set --mode TPM
The method we are sharing with you allows you to reset your password in both NONE and TPM modes.
If we want to get information about the encryption of the local.tgz.ve file, we can do this with this command:
crypto-util envelope describe local.tgz.ve
What matters most to us is the KeyID that was used to encrypt this file.
That key is not in the key cache of the system booted from the ISO; if you ask it which key it uses to encrypt its configuration, you get a random key generated during the ISO boot:
crypto-util keys getkidbyname ConfigEncryptionKey
which is normally not the key ID we need to decrypt local.tgz.ve.
Let's tell the ISO-booted ESXi to use the information in the encryption.info file and load the key we need into its key cache:
localcli --plugin-dir=/usr/lib/vmware/esxcli/int system settings encryption stop
localcli --plugin-dir=/usr/lib/vmware/esxcli/int system settings encryption setup -c encryption.info
localcli --plugin-dir=/usr/lib/vmware/esxcli/int system settings encryption start
After this, if you ask ESXi again which key it uses to encrypt its configuration, it returns the key ID we need.
7- In the next step, we will decrypt the local.tgz.ve file.
crypto-util envelope extract --aad ESXConfiguration local.tgz.ve local.tgz
8- Extract the local.tgz file.
mkdir local
tar x -z -f local.tgz -C local
cd local
9- If you look closely, you will see that this archive no longer includes the following files, which used to hold the password hashes:
etc/passwd
etc/shadow
The reason is that VMware no longer stores the passwords there and has moved them to an SQLite database at this path (relative to the extracted local directory):
var/lib/vmware/configstore/backup/current-store-1
You can see the password hashes stored for the local users with this query:
/usr/lib/vmware/sqlite/bin/sqlite3 var/lib/vmware/configstore/backup/current-store-1 "SELECT Identifier, UserValue FROM Config WHERE Component='esx' AND ConfigGroup='authentication' AND Name='user_accounts';"
10- Create a file with the following contents.
UPDATE Config SET UserValue='{"name":"root","password_hash":"$6$OuBJHTuaUlOIkE/k$p2fCVL5q5kniGsWYo1xU4Tzct0ZJ7hFQeJH2z9c5F/srN2hQkBKf/lTepTZHwJqRim48vNJ9Meky3E5S0amnL0","description":"Administrator"}' WHERE Component='esx' AND ConfigGroup='authentication' AND Name='user_accounts' AND Identifier='root';
I use vi to create it and save it at this path:
vi /tmp/digiboy/reset-password.sql
If you don’t know how to use vi, you can create the file in your favorite text editor on your operating system and transfer it to your ESXi using SFTP. (For example, you can use FileZilla or WinSCP)
11- We tell sqlite to execute our query:
/usr/lib/vmware/sqlite/bin/sqlite3 var/lib/vmware/configstore/backup/current-store-1 < /tmp/digiboy/reset-password.sql
This updates the hash in the database; you can verify the change with the query from step 9.
The hash I provided corresponds to the password pa$$w0rd.
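Rather than reusing the pa$$w0rd hash from this page, you will normally want a hash for a password of your own. The following is an added example, not code from the original post: it implements SHA-512-crypt (the $6$ scheme the hash above uses) in pure Python, mints a fresh hash with a random salt, wraps it in the JSON document the configstore keeps under user_accounts, and rehearses the UPDATE from step 10 on a constructed in-memory stand-in before you run it against the real current-store-1. The stand-in table with only the five columns the UPDATE names is an assumption for the rehearsal; the real store has more columns, so only the SQL text the script prints is meant to be reused.

```python
"""Added example (not code from the original post): mint a $6$ hash for a
password of your choosing, wrap it in the JSON document the configstore
keeps under user_accounts, and rehearse the step-10 UPDATE on a constructed
in-memory stand-in before you run it against current-store-1.
Assumed rather than taken from the page: the stand-in table carries only the
five columns the page's UPDATE names; the real store has more, so reuse only
the SQL text this script prints, never its CREATE TABLE.
"""
import hashlib
import hmac
import json
import secrets
import sqlite3

_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order of the final digest, from the SHA-crypt specification.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _rep(digest: bytes, n: int) -> bytes:
    """Repeat a 64-byte digest to exactly n bytes."""
    return (digest * (n // 64 + 1))[:n]


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Pure-Python SHA-512-crypt ($6$), the scheme behind the hash on the page."""
    pw, sl = password.encode(), salt.encode()[:16]
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl + _rep(b, len(pw)))
    n = len(pw)
    while n:  # one extra block per bit of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _rep(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _rep(hashlib.sha512(sl * (16 + a[0])).digest(), len(sl))
    c = a
    for r in range(rounds):  # the expensive part: 5000 rounds by default
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = bytearray()
    for i2, i1, i0 in _ORDER:
        w = (c[i2] << 16) | (c[i1] << 8) | c[i0]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    out += bytes([_B64[c[63] & 0x3F], _B64[c[63] >> 6]])
    tag = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return tag + sl.decode() + "$" + out.decode()


def verify(password: str, stored: str) -> bool:
    """Check a password against a $6$ hash such as the one quoted in step 11."""
    parts = stored.split("$")  # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][7:])
        del parts[2]
    computed = sha512_crypt(password, parts[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, parts[3])


def new_salt() -> str:
    """16 random characters from the crypt alphabet."""
    return "".join(secrets.choice(_B64.decode()) for _ in range(16))


def render_update(user: str, pw_hash: str, description: str = "Administrator") -> str:
    """The literal UPDATE statement to put in reset-password.sql (step 10)."""
    value = json.dumps({"name": user, "password_hash": pw_hash, "description": description})
    esc = lambda s: s.replace("'", "''")  # SQL single-quote escaping
    return (f"UPDATE Config SET UserValue='{esc(value)}' WHERE Component='esx' AND "
            f"ConfigGroup='authentication' AND Name='user_accounts' AND Identifier='{esc(user)}';")


def rehearse_reset(user: str, new_password: str, old_hash: str) -> dict:
    """Run the rendered statement on a constructed stand-in and read the row back."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Config (Component, ConfigGroup, Name, Identifier, UserValue)")
    db.execute("INSERT INTO Config VALUES ('esx', 'authentication', 'user_accounts', ?, ?)",
               (user, json.dumps({"name": user, "password_hash": old_hash,
                                  "description": "Administrator"})))
    db.executescript(render_update(user, sha512_crypt(new_password, new_salt())))
    row = db.execute("SELECT UserValue FROM Config WHERE Identifier = ?", (user,)).fetchone()
    return json.loads(row[0])


if __name__ == "__main__":
    # "$6$x$old" is a constructed placeholder for whatever the store holds today.
    row = rehearse_reset("root", "pa$$w0rd", "$6$x$old")
    print(render_update("root", row["password_hash"]))  # paste this into reset-password.sql
    print("new hash verifies:", verify("pa$$w0rd", row["password_hash"]))
```

Run it on your workstation, put the printed UPDATE line into reset-password.sql, and you never have to trust a hash copied from a web page; `verify("pa$$w0rd", "<hash from step 10>")` also lets you confirm the page's own hash before using it. The rehearsal uses the exact statement text that the .sql file will carry, including the SQL quoting, so a quoting mistake shows up here rather than in the bootbank.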
12- Still inside the extracted local directory, we archive the files again to get a new local.tgz (listing the original archive's members so the new one contains exactly the same entries):
tar c -z -f /tmp/digiboy/local-new.tgz `tar t -z -f /tmp/digiboy/local.tgz`
13- Now we encrypt our new file again using our key (the key ID we loaded into the key cache in step 6):
cd /tmp/digiboy/
key_id=`crypto-util keys getkidbyname ConfigEncryptionKey`
mv local.tgz.ve local-old.tgz.ve
crypto-util envelope insert --aad ESXConfiguration --id ${key_id} local-new.tgz local.tgz.ve
14- We create a new state.tgz file.
mv state.tgz state-old.tgz
tar c -z -f state.tgz local.tgz.ve encryption.info
15- We copy the new file to the bootbank, replacing the existing one:
cd /vmfs/volumes/BOOTBANK1
mv state.tgz state.tgz.bak
mv /tmp/digiboy/state.tgz .
I also made a backup of the original state.tgz to be sure.
Now reboot the server and log in as root with the password pa$$w0rd; change it straight away, since that password and its hash are public.