Hello again my friends, this time I came across a customer who seemed to be completely blunt about the root password that he have set on his ESXi servers. As you may know previously we were able to reboot into single user mode and do the magic there.
Since ESXi implies security well its not possible sadly, now the method which I will be demonstrating hereunder is not supported by VMware and is purely an out-of-the-box method that will lessen your pain as a VMware Administrator and bring that smile of control to your face :-P (Wish I could take a picture of every Administrator after I reset the root password ^_^).
Update 28/04/2015: This also works with ESXi 6.0
Just a little briefing, the hereunder procedure will clear out the password that has been set to the root password and revert it to blank (no password at all) what we’re going to do it locate the disk where the “shadow” file is located in, then we’re going to mount it, edit it, save it and finally wrap everything back.
You can use any live CD, my favorite distribution is Linux Mint (you can get it here). Here i am using version 14 named MATE, also if you don’t have much knowledge about Linux and using the shell it would be great to start now as after you’re done, you’ll know that you were not really using a computer %).
After you burn the CD/DVD and boot up you’ll see the following screens:
Now open the terminal (menu->terminal), then type “sudo su –” this how we gain super user access when booting a live CD distro.
Now since new installations of ESXi 5 no longer use MBR and rather use GPT (GUID Partition Tables) check Partitioning in New ESXi 5.0 Installations, this means you can’t use fdisk to list the current disks. Instead we need to use a utility named gparted, just type in the terminal gparted and the utility will start.
Okay, I see the disks but which one to mount? Let me talk to you a bit about ESXi 5 partitioning:
1- sda1: used for booting up the system and pointing to the hypervisor image.
2- sda5: this is where ESXi is installed.
3- sda6: this has the identical size of sda5 and will store recovery images.
4- sda8: holds VMware Tools and other stuff including paravirtual scsi disk controller.
5- sda2: holds log files and vmkernel related files.
6- sda’s that are maked as unknown, yup you’ve guessed it they are VMFS volumes.
Now that we know that the disk which we need to mount is sda5, close gparted and return to the terminal and follow the following commands:
1- Create the mount directory: mkdir /mnt/esxi_disk/
2- Mount the disk to the directory: mount /dev/sda5 /mnt/esxi_disk/
Now lets verify that what we’ve mounted, type:
3- cd /mnt/esxi_disk
From the files listed, what we need is state.tgz this file contains another compressed archive named local.tgz which has the /etc directory compressed in it, what we need to do is un-archive these files so that gain access to the shadow file, type:
5- tar xzf state.tgz
6- tar xzf local.tgz
7- ls < here you will notice that we have the etc directory present.
8- cd etc
9- vi shadow (click here for the VI quick reference sheet)
The root password is the encrypted string found between root:encrypted_password: just delete all the characters found between the two :
Save the file, press ESC and shift+: and type wq!
After we’ve saved the shadow file, we need to wrap the compressed archives, type:
10- cd /mnt/esxi_disk
11- tar czf local.tgz etc
12- tar czf state.tgz local.tgz
13- rm -r local.tgz etc
And we’re done, just type reboot then remove the live CD and wait for ESXi to boot and when you press F2 keep the password field blank and tada you’re in ;-), don’t forget to change the root password and if your memory tends to fail you with passwords put those password in an encrypted database somewhere.