Skip to content

vMA 6: Recover vi-admin Password and Remove Password Complexity

When you've installed the vSphere Management Assistant 6.0 (vMA) you very like came across its very strict password policy. With this requirements, the password recovery for vMAs is a common tasks. This post explains how to recover forgotten vMA passwords and how to use insecure, simple passwords for lab uses.vma-bad-password

Please provide a password for the vi-admin user.
BAD PASSWORD: to short
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
...Have exhausted maximum number of retries for service

vMA vi-admin Password Recovery

The vSphere Management Assistant appliance has a very strict password policy so it might happen that you need to reset the password because you can't remember it. VMware has even made the single user mode password protected so the default Linux method of resetting passwords does not work.

Nevertheless, this is how you can reset the password for root, vi-admin, vi-user or any other user without using a live CD:

  1. Open the VM Console and reboot the vMA
    vma-password-recovery-reboot-vma
  2. When the GRUB bootloader shows up, quickly press e. (You only have 7 seconds)
    vma-password-recovery-grub-bootloader
  3. Highlight the kernel line in the next screen and press e again.vma-password-recovery-kernel-command
  4. Append init=/bin/bash in the kernel line and press enter.
    vma-password-recovery-kernel-init-bin-bash
  5. Press b to boot
  6. The vMA should now boot and present a red prompt. Use passwd vi-admin to set a new password for the vi-admin user. You don't need to comply with any password policies except the password history.
    vma-password-recovery-change-passwd
  7. Reboot or reset the VM

You should now be able to login with the new password.

Remove Password Security

For demos and labs there might be the requirement to use simple passwords and remove policies. The following section explains how to disable security features used with the vMA. All security changes require root permissions. The vi-admin user can elevate to root with the command "sudo -s".

Needless to say that you should not use that in production.

Bypass Password Complexity
Password and authentication policies are defined in /etc/pam.d/ with the following settings preconfigured by VMware:

  • pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3
  • pam_pwhistory.so enforce_for_root remember=5 retry=3
  • pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

This sets the password policy to the following requirements:

  • dcredit=-1 -> Password requires 1 lower-case characters
  • ucredit=-1 -> Password requires 1 upper-case characters
  • lcredit=-1 -> Password requires 1 numeric characters
  • ocredit=-1 -> Password requires 1 special characters
  • minlen=8 -> Password requires at least 8 characters
  • difok=4 -> 4 Characters must be different from the previous password
  • retry=3 -> You have 3 attempts to pick a good password before the passwd program aborts
  • remember=5 -> The last 5 passwords can not be used
  • deny=3 -> Account is logged after 3 failed login attempts
  • unlock_time=86400 -> Unlock time for users: 1 day
  • root_unlock_time=300 -> Unlock time for root: 5 minutes

Reset to SLES defaults:

rm /etc/pam.d/common-password
ln -s /etc/pam.d/common-password-pc /etc/pam.d/common-password

rm /etc/pam.d/common-auth
ln -s /etc/pam.d/common-auth-pc /etc/pam.d/common-auth

chmod +x /usr/sbin/pam-config

pam-config -d --cracklib
pam-config -d --pwhistory

Some basic requirements are still active and can only bypassed by the root user.

Unlock User after 3 failed login attempts
When a user enters the wrong password 3 times, the account is locked for 1 day. Check failed login attempts:

# pam_tally2 --user vi-admin
Login           Failures Latest failure     From
vi-admin           10    08/09/16 19:09:14  172.16.0.31

Reset the counter and unlock the account:

# pam_tally2 -u vi-admin --reset

Enable Single-User Mode without root password
As explained above, it is required to enter the root password when booting into Single-User Mode.
vma-password-recovery-give-root-password-for-maintenance
To remove the password prompt for single-user mode edit /etc/inittab and change...

~~:S:respawn:/sbin/sulogin

to...

~~:S:respawn:/bin/sh

vma-password-security-single-user-mode

Leave a Reply

Your email address will not be published. Required fields are marked *