We are all human (unfortunately for now) and on occasion, one might inadvertently lock themselves out of the “root” account of the VCSA. Although a seldom-used account under normal operations, access to it is critical, especially during technical emergencies.
The default lockout period for the root account after three (3) failed attempts is five (5) minutes; resetting a forgotten root password on VCSA 7, however, requires a reboot.
The following steps walk through resetting the root account credentials and unlocking the account. Downtime for the VCSA should be expected, so plan your change accordingly.
Disclaimer: Follow these instructions at your own risk; they are provided without warranty. Neither Ferroque Systems nor its affiliates will be held liable for unanticipated impacts in your environment from running these commands. It is strongly recommended to take a snapshot, clone, or VM backup of the VCSA prior to executing them.
Take a snapshot of the VM and proceed with forcing a reboot. As soon as the Photon OS splash screen appears, quickly press “e” to open the GRUB boot entry editor.
Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”; a quick way to do that is to place the cursor on the linux line and press “Ctrl” + “e”.
Append “rw init=/bin/bash” to boot into single-user mode with a root shell, then press “Ctrl” + “x” to boot the appliance.
Now that you are dropped into a root shell, run the ‘passwd’ command to set a new password for the root account.
User accounts can be unlocked using the pam_tally2 command with the --user and --reset switches:
pam_tally2 --user=root --reset
Once completed, the failure counter is cleared, the account is unlocked, and it can be used again.
Step 3a (Optional)
The default lockout parameters of the pam_tally2.so module (listed below) can be changed if a different policy is required.
|Parameter|Description|
|---|---|
|deny=3|Number of failed attempts before the account is locked.|
|onerr=fail|If the tally file cannot be opened, the default action is to fail all attempts.|
|even_deny_root|The policy applies to the root account as well.|
|unlock_time=86400|Locked users are unlocked after 24 hours (86400 seconds).|
|root_unlock_time=300|Root is unlocked after five (5) minutes (300 seconds).|
The system can now be rebooted so the VCSA loads normally. If a plain reboot fails (systemd is not running in this single-user shell), append the -f switch to force it.
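As an added example (not from the original article and not VMware's own tooling), the POSIX shell script below parses a pam_tally2.so policy line like the one in the table and the read-only output of ‘pam_tally2 --user=root’ (without --reset, which changes nothing) to decide whether an account is actually locked under that policy and how long until it unlocks on its own. Run from the single-user shell, or by an administrator auditing the policy, it distinguishes a lockout that expires in five minutes from one that needs the manual reset or a new password. The sample policy line and tally output are constructed, and the /etc/pam.d/system-auth path is an assumption about where the module is configured on the appliance.

```shell
#!/bin/sh
# Added example, not part of the original article: check the pam_tally2 lockout
# policy and the current failure tally for an account before deciding whether a
# password reset or a manual unlock is really needed.

# Constructed sample of the pam_tally2.so line. Assumption: on the appliance it
# lives in /etc/pam.d/system-auth; verify the path and values on your own VCSA.
SAMPLE_PAM_LINE='auth    required    pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300'

# Constructed sample of the output of "pam_tally2 --user=root" (without --reset
# the command only reads the tally and changes nothing).
SAMPLE_TALLY_OUTPUT='Login           Failures Latest failure     From
root                5    01/15/24 10:23:45  192.0.2.10'

# pam_param LINE KEY: print the value of KEY=value on the pam line ("" if absent).
pam_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# pam_flag LINE FLAG: print "yes" if the bare option FLAG is present, else "no".
pam_flag() {
    if printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"; then echo yes; else echo no; fi
}

# tally_failures OUTPUT USER: print the failure count for USER from pam_tally2 output.
tally_failures() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# unlock_seconds PAMLINE USER: lockout duration in seconds that applies to USER.
# root_unlock_time wins for root when set, otherwise unlock_time; with neither,
# the account stays locked until "pam_tally2 --reset" is run ("manual").
unlock_seconds() {
    v=""
    if [ "$2" = root ]; then v=$(pam_param "$1" root_unlock_time); fi
    if [ -z "$v" ]; then v=$(pam_param "$1" unlock_time); fi
    echo "${v:-manual}"
}

# is_locked OUTPUT PAMLINE USER: print "locked" or "not-locked".
is_locked() {
    failures=$(tally_failures "$1" "$3"); failures=${failures:-0}
    deny=$(pam_param "$2" deny);          deny=${deny:-0}
    # deny=0 (or absent) means pam_tally2 never denies access
    if [ "$deny" -le 0 ]; then echo not-locked; return 0; fi
    # root is exempt from the deny rule unless even_deny_root is set
    if [ "$3" = root ] && [ "$(pam_flag "$2" even_deny_root)" != yes ]; then
        echo not-locked; return 0
    fi
    if [ "$failures" -ge "$deny" ]; then echo locked; else echo not-locked; fi
}

# report OUTPUT PAMLINE USER: one-line summary. On a real appliance feed it live
# data, e.g. report "$(pam_tally2 --user=root)" "$(grep pam_tally2.so /etc/pam.d/system-auth)" root
report() {
    echo "user=$3 failures=$(tally_failures "$1" "$3") deny=$(pam_param "$2" deny)" \
         "state=$(is_locked "$1" "$2" "$3") unlock_after=$(unlock_seconds "$2" "$3")"
}

report "$SAMPLE_TALLY_OUTPUT" "$SAMPLE_PAM_LINE" root
# prints: user=root failures=5 deny=3 state=locked unlock_after=300
```

With the sample data the script reports root as locked with a 300-second unlock window, i.e. the case where simply waiting five minutes (or clearing the tally) suffices; a non-zero tally below the deny threshold, or a policy without even_deny_root, reports not-locked, which points at a wrong password rather than a lockout.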
Michael Wieloch is part of Ferroque’s technology services team with a seasoned background in datacentre operations. Michael is an avid Linux enthusiast and specializes in networking, security, virtualization, and operational monitoring & alerting integrations. When not thwarting cyberattacks, engineering hypervisors, and building ZFS clusters, Michael can be found cruising the streets on his motorcycle.