Workaround for a locked “root” account on ESXi 6.5 on Nutanix

ESXi 6.x applies an account lockout policy to the root account, so if an incorrect password is entered too many times, the root account gets locked. The behaviour is controlled by the following ESXi settings:

Security.AccountLockFailures – Maximum allowed failed login attempts before locking out a user’s account. Zero disables account locking.
Security.AccountUnlockTime – Duration in seconds to lock out a user’s account after exceeding the maximum allowed failed login attempts.

But the question is, how do you gain access to the host if the account is locked? Both browser and SSH access just throw a generic password error.

For a Nutanix system, the below workaround can be used:

  1. Log in to the CVM using SSH
  2. SSH to the ESXi host using the 192.168.5.1 interface

Next:

  1. Create an account
  2. Provide permissions
  3. Log in with that account!

Here is what you do:

Log on to the CVM

ayans-mbp:~ ayan$ ssh nutanix@x.x.x.x

From there, SSH to the host

nutanix@NTNX-111111111111-B-CVM:x.x.x.x:~$ ssh root@192.168.5.1

This should give you root access

Now esxcli should be available!

esxcli
Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

Options:
  --formatter=FORMATTER
                        Override the formatter to use for a given command. Available formatter: csv, keyvalue, xml
  --debug               Enable debug or internal use options
  --version             Display version information for the script
  -?, --help            Display usage information for the script

Available Namespaces:
  device                Device manager commands
  elxnet                elxnet esxcli functionality
  esxcli                Commands that operate on the esxcli system itself allowing users to get additional information.
  fcoe                  VMware FCOE commands.
  graphics              VMware graphics commands.
  hardware              VMKernel hardware properties and commands for configuring hardware.
  iscsi                 VMware iSCSI commands.
  network               Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general host networking
                        settings.
  nvme                  VMware NVMe driver esxcli extensions
  rdma                  Operations that pertain to remote direct memory access (RDMA) protocol stack on an ESX host.
  sched                 VMKernel system properties and commands for configuring scheduling related functionality.
  software              Manage the ESXi software image and packages
  storage               VMware storage commands.
  system                VMKernel system properties and commands for configuring properties of the kernel core system and related system services.
  vm                    A small number of operations that allow a user to Control Virtual Machine operations.
  vsan                  VMware vSAN commands

Cool!

Create a user

esxcli system account add -i test -p PASSWORD -c PASSWORD

esxcli should now show the user:

[root@XXX-2:~] esxcli system account list
User ID  Description
-------  -------------------------------------------
root     Administrator
dcui     DCUI User
vpxuser  VMware VirtualCenter administration account
test     ESXi User

Now check the permissions:

[root@XXX-2:~] esxcli system permission list
Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui       false     Admin  Full access rights
root       false     Admin  Full access rights
vpxuser    false     Admin  Full access rights

To add the permission:

[root@XXX-2:~] esxcli system permission set --id test -r Admin

Check the permissions:

[root@XXX-2:~] esxcli system permission list
Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui       false     Admin  Full access rights
root       false     Admin  Full access rights
test       false     Admin  Full access rights   <---
vpxuser    false     Admin  Full access rights

There you go! You should now be able to log in using the “test” user.

To reset the root account, the command is:

pam_tally2 --user root --reset
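The account-creation steps above, wrapped in a script that also verifies from the esxcli listings that the account exists and actually holds the Admin role before you rely on it. This is an added example, not code from the original post; it assumes it runs in the ESXi shell reached over the CVM's 192.168.5.1 link, and the user id, password and the `ensure_breakglass` name are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the original post): create a temporary local ESXi account,
# grant it the Admin role, and confirm both steps from the esxcli listings.
# Assumes the ESXi shell reached via the CVM's 192.168.5.1 link; names are placeholders.

# Succeed if USER appears in "esxcli system account list" output read from stdin.
# The listing has a header line and a dashes line, then "UserID Description" rows.
has_account() {
    awk -v u="$1" 'NR > 2 && $1 == u { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Succeed if USER is listed as a non-group principal holding the Admin role in
# "esxcli system permission list" output read from stdin.
has_admin_role() {
    awk -v p="$1" 'NR > 2 && $1 == p && $2 == "false" && $3 == "Admin" { found = 1 }
                   END { if (found) exit 0; exit 1 }'
}

# Create the account only if it is missing, set the role, then re-read the listing.
# Remove the account (esxcli system account remove -i USER) once root is unlocked.
ensure_breakglass() {
    user="$1"; pass="$2"
    if ! esxcli system account list | has_account "$user"; then
        esxcli system account add -i "$user" -p "$pass" -c "$pass" || return 1
    fi
    esxcli system permission set --id "$user" -r Admin || return 1
    esxcli system permission list | has_admin_role "$user"
}

# Constructed sample listings in the format the post shows, for checking offline.
SAMPLE_ACCOUNTS='User ID  Description
-------  -------------------------------------------
root     Administrator
dcui     DCUI User
vpxuser  VMware VirtualCenter administration account
test     ESXi User'
SAMPLE_PERMS='Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui       false     Admin  Full access rights
root       false     Admin  Full access rights
test       false     Admin  Full access rights
vpxuser    false     Admin  Full access rights'

# Usage on the host: sh ensure_breakglass.sh --apply USER PASSWORD
# Without --apply only the offline checks against the constructed samples run.
if [ "${1:-}" = "--apply" ]; then
    ensure_breakglass "${2:?user id required}" "${3:?password required}"
else
    printf '%s\n' "$SAMPLE_ACCOUNTS" | has_account test && echo "account test exists"
    printf '%s\n' "$SAMPLE_PERMS" | has_admin_role test && echo "test has Admin role"
fi
```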
