HowTo: Reset vCenter 7 VCSA Password or Unlock Account

Introduction

We are all human (unfortunately for now) and on occasion, one might inadvertently lock themselves out of the “root” account of the VCSA. Although a seldom-used account under normal operations, access to it is critical, especially during technical emergencies.

The default wait time for the root account after three (3) failed attempts is five (3) minutes; however, resetting the root password will need a reboot for VCSA 7.

vcsa_failed_login_locked

The following steps will walk through resetting the root account credentials and unlocking the account. Downtime for VCSA should be expected, so plan your change accordingly.

Disclaimer: Follow these instructions at your own risk, they are provided without warranty. Ferroque Systems nor its affiliates will be held liable for unanticipated impacts in your environment from running its commands. Strongly recommended taking a snapshot, clone, or VM backup of the VCSA prior to executing these commands.

Step 1

Take a snapshot of the VM and proceed with forcing a reboot. Once the photon OS splash screen is showing, quickly press “e” to reveal the Grub boot menu.

Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”, a quick way to do that is move the cursor to the Linux line and press “Ctrl” + “e”.

Append “rw init=/bin/bash” to enter single user mode, and press “Ctrl” + “x” to boot the appliance.

vcsa_failed_login_locked_photonos_boot_singleusermode

Step 2

Now that you are dropped into the system, proceed with entering the ‘passwd’ command to reset the root user account.

passwd

vcsa_password_reset_passwd

Step 3

User accounts can be unlocked using the pam_tally2 command with switches –user and –reset.

pam_tally2 –user=root --reset

vcsa_password_unlock_account_root

Once completed, the user account will be unlocked and the account can be used again.

Step 3a (Optional)

The default login parameters can be changed for the pam_tally2.so module.

vcsa_password_change_default_login_options

Parameter Explanation
file=/var/log/tallylog Log file.
deny=3 Deny counter until account is locked.
onerr=fail If $file is unable to open, default action is to fail all attempts.
even_deny_root Policy applies to root account also
unlock_time=86400 Users are locked for 24 hours.
root_unlock_time Root is locked for five (5) minutes.

Step 4

The system can now be rebooted to allow VCSA to load. The -f switch can be appended to force a reboot if the first option fails.

reboot

 

0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x