How to unlock root user on VMware VCSA appliance

If you have just upgraded VMware VCSA to v7.0.1, but cannot log in, even though the root password is correct, you have probably locked the root user out. You can of course wait or you can proceed with the unlock procedure.

To perform the unlock procedure, the VCSA needs to be restarted in single-user mode. To do this, restart the VCSA, and when the PhotonOS logo is displayed, press e to edit the boot loader entry. Look for the line that starts with linux, and at the end of that line add the following boot option:

rw init=/bin/bash

Press F10 to continue the boot process. Once in the root shell, remount the root filesystem read-write:

# mount -o remount,rw /

Next, make a copy of the configuration file we will alter:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.1

Now edit the file

# vim /etc/pam.d/system-auth

and set the deny attribute on the pam_tally2 line (deny=3 by default) to something higher than 3:

# cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth

auth required pam_tally2.so file=/var/log/tallylog deny=10 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

# End /etc/pam.d/system-auth

If you want to completely disable the lock-out (not recommended), comment out the entire line:

# cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth

#auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

# End /etc/pam.d/system-auth

Save and exit. Run the following command to unlock the root user:

# pam_tally2 --user=root --reset

In the unlikely event of receiving an error that the log file /var/log/tallylog cannot be created, create the folders along the path (on the appliance /var/log points into /storage/log, which is why the path below differs):

# mkdir -p /storage/log/var/log

and run the unlock command again. You should see output similar to this:

Login          Failures          Latest failure          From
root              0

Unmount the root partition:

# umount /

Reboot the VCSA:

# reboot -f

and confirm that you can log in to the management interface.
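As an added example (not part of the original post), a small POSIX shell helper that reads and rewrites the deny= threshold on the pam_tally2.so line, keeping the .1 backup the procedure above makes; the sample file and the function names are my own, and the script works on a copy so it can be tried anywhere.

```shell
#!/bin/sh
# Added example: inspect and adjust the pam_tally2 lock-out threshold in a
# PAM config file. Point it at /etc/pam.d/system-auth only from the
# single-user shell described above; here it runs against a constructed copy.

# Print the current deny= value on the active pam_tally2.so auth line.
# Prints nothing if the line is commented out (lock-out disabled).
tally_deny_value() {
    # $1 = path to PAM file
    sed -n 's/^auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_tally2\.so.*[[:space:]]deny=\([0-9]\{1,\}\).*/\1/p' "$1"
}

# Rewrite deny=N on the active pam_tally2.so line after saving a .1 backup.
# Commented-out lines are left alone, so the lock-out itself stays enabled.
tally_set_deny() {
    # $1 = path to PAM file, $2 = new threshold (positive integer)
    file=$1; new=$2
    case $new in
        ''|*[!0-9]*) echo "deny must be a positive integer" >&2; return 1 ;;
    esac
    cp "$file" "$file.1" || return 1
    tmp=$(mktemp) || return 1
    sed "/^auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_tally2\.so/s/deny=[0-9]\{1,\}/deny=$new/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Constructed sample mirroring the VCSA 7 file (not a real appliance file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Begin /etc/pam.d/system-auth

auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

# End /etc/pam.d/system-auth
EOF

echo "before: deny=$(tally_deny_value "$sample")"
tally_set_deny "$sample" 10
echo "after:  deny=$(tally_deny_value "$sample")"
```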

