Introduction
We are all human (unfortunately for now) and on occasion, one might inadvertently lock themselves out of the “root” account of the VCSA. Although a seldom-used account under normal operations, access to it is critical, especially during technical emergencies.
The default wait time for the root account after three (3) failed attempts is five (5) minutes; however, resetting the root password will need a reboot for VCSA 7.
The following steps will walk through resetting the root account credentials and unlocking the account. Downtime for VCSA should be expected, so plan your change accordingly.
Disclaimer: Follow these instructions at your own risk, they are provided without warranty. Ferroque Systems nor its affiliates will be held liable for unanticipated impacts in your environment from running its commands. Strongly recommended taking a snapshot, clone, or VM backup of the VCSA prior to executing these commands.
Step 1
Take a snapshot of the VM and proceed with forcing a reboot. Once the photon OS splash screen is showing, quickly press “e” to reveal the Grub boot menu.
Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”, a quick way to do that is move the cursor to the Linux line and press “Ctrl” + “e”.
Append “rw init=/bin/bash” to enter single user mode, and press “Ctrl” + “x” to boot the appliance.
Step 2
Now that you are dropped into the system, proceed with entering the ‘passwd’ command to reset the root user account.
passwd
Step 3
User accounts can be unlocked using the pam_tally2 command with switches –user and –reset.
pam_tally2 -–user=root --reset
Once completed, the user account will be unlocked and the account can be used again.
Step 3a (Optional)
The default login parameters can be changed for the pam_tally2.so module.
Parameter | Explanation |
file=/var/log/tallylog | Log file. |
deny=3 | Deny counter until account is locked. |
onerr=fail | If $file is unable to open, default action is to fail all attempts. |
even_deny_root | Policy applies to root account also |
unlock_time=86400 | Users are locked for 24 hours. |
root_unlock_time=300 | Root is locked for five (5) minutes. |
Step 4
The system can now be rebooted to allow VCSA to load. The -f switch can be appended to force a reboot if the first option fails.
reboot
-
Michael Wieloch
Michael is a multi-disciplinary consultant with expertise in digital workspaces, networking, security, virtualization, DevOps, and Linux. When not engineering systems or building ZFS clusters, he enjoys cruising the streets on his motorcycle.
pam_tally2 –user=root –reset
Step 3 command should have two dashes before user, not one, like above.
The comment auto format keeps screwing up and merging dashes.
Step 3 command should be two dashes for each option
Good catch. Fixed!
hello, If we just have to unlock the root user if its locked due to multiple failed retries, no need to reboot right? Straight apply the Pam_tally2 tool correct?
If you can get into the root linux session (or equivalent permissions) then yes there would be no need to reboot.
Thank you. The pam_tally2 command was the piece I was missing. Worked to reset the account. Thanks so much!
If it’s for the Vcenter 7.0, if the root password is expired, you just have to take an SSH session to the centre server with your current root passwords. It will prompt you to reset the password. Enter your current and new passwords and you are done.
On 7.0.3 here, “pam_tally2 -u root -r” worked for me. The double tack (–) didn’t work for some reason.