VxRail: Reset the Root Password in vCenter Server Appliance Without Reboot

In VMware vCenter Server Appliance (VCSA) 6.7 U1, SSO users in SystemConfiguration.BashShellAdministrator can access Bash and run sudo without a password, bridging the gap to root. By default, users log in to the appliance shell and must enable the shell to access Bash.

Process to Reset the Root Password in VCSA:

1. To connect to the VCSA over SSH, log in using administrator@vsphere.local, where vsphere.local is your default SSO domain. ​​​​​
   • If SSH is disabled, enable SSH using the VAMI (https://<vcenter_fqdn>:5480).
   • You can authenticate as administrator@vsphere.local or any other member of the SSO administrators group.
   • Enable or Disable SSH and Bash Shell Access.
2. If this is your first time logging in, first enable the shell, then type shell to access it.

shell.set --enable true
shell 

  

3. Once inside the shell as the sso-user, run the following command to switch to the root shell.  

sudo -i

4. If the root account is locked due to multiple failed login attempts, unlock it using the following command.  

pam_tally2 --user=root --reset

 

/usr/sbin/faillock --user root --reset

5. Once in the root shell, run passwd to change the root password.

passwd

sudo passwd root

6. After updating the password, verify access to the vCenter Server Appliance with the new credentials.
7. To prevent this issue in the future, set the root password to never expire by running the following command.

chage -I -1 -m 0 -M 99999 -E -1 root  or at the VAMI  ( https://<vcenter_fqdn>:5480)

For more information, see Broadcom article Reset the root password in vCenter Server Appliance without reboot/6.7u1/7.x/8.x (321369)