Nigel Boulton's Blog
24Apr/155

Disabling Password Expiration for the vCenter 6 Appliance Root Password

I am working on a vSphere 6 design for a customer, and they have requested that password expiration for the vCenter Appliance root password be disabled. By default this password expires after 365 days, so it could be easy to forget to change it before it does (it is possible to configure the appliance to notify you by email of impending password expiry, but for that to work you must remember to specify an email address for the root account first).

The vSphere 6 documentation details the command that you need to use to disable password expiration for the root user, but there are some prerequisite steps that aren't covered in the same place, so I thought I'd document the whole process here.

  1. First, decide whether you want to access the vCenter Server Appliance (vCSA) using SSH, or its Direct Console User Interface (DCUI). If you want to use SSH, you will need to enable SSH access. If this wasn't enabled in the deployment wizard when the appliance was deployed, use the vCSA DCUI console to enable it (F2 - Customize System - Troubleshooting Mode Options) or the Web Client under Home - System Configuration - Nodes - (select node) - Manage - Settings - Access
  2. Use your favourite SSH client to connect to the vCSA and log on as root, or enable the shell using Alt-F1 at the vCSA DCUI console and do the same
  3. Enable bash shell access. To do this, issue the "shell.set --enabled True" command to the appliance shell. Note that the default timeout for this enablement is 1 hour; after that time the bash shell will be automatically disabled. You can use the "shell.get" command at the appliance shell Command> prompt to show the time remaining (you can also check it in the Web Client). As an alternative, you can enable the bash shell under Troubleshooting Mode Options in the DCUI if you prefer
  4. Start a bash shell using the "shell" command
  5. Run "chage -l root". This will display the current settings for the root user
  6. Run "chage -M -1 root" to disable password expiration (i.e. set 'Maximum' to -1) for root
  7. Optionally, run "chage -l root" again to verify the change
  8. "exit" from the bash shell
  9. Finally, "exit" from the appliance shell

That's it!
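
As a scripted counterpart to the verification in step 7, the following added example (not part of the original post) classifies a shadow entry by the aging fields that chage edits. It assumes the standard shadow(5) field layout and treats an empty, negative or 99999 maximum as "never"; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the password-aging state of a shadow(5) entry.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and max are counted in days since 1970-01-01.

# today_days: current date as days since the epoch.
today_days() { echo $(( $(date +%s) / 86400 )); }

# aging_state ENTRY TODAY -> never | must-change | expired | expires-in:<days>
aging_state() {
    # read from a heredoc so the hash field is never word-split or globbed
    IFS=: read -r as_name as_hash as_lastchg as_min as_max as_rest <<EOF
$1
EOF
    # shadow(5): lastchg 0 means the password must be changed at next login
    if [ "$as_lastchg" = 0 ]; then echo must-change; return; fi
    # Empty lastchg or max means aging is disabled; -1 and 99999 are
    # treated the same way here (assumption stated in the lead-in).
    if [ -z "$as_lastchg" ] || [ -z "$as_max" ] ||
       [ "$as_max" -lt 0 ] || [ "$as_max" -ge 99999 ]; then
        echo never; return
    fi
    as_left=$(( as_lastchg + as_max - $2 ))
    # Conservative: the expiry day itself is reported as expired
    if [ "$as_left" -le 0 ]; then echo expired; else echo "expires-in:$as_left"; fi
}

# Constructed sample entries (placeholder hashes), evaluated at day 16600
for entry in \
    'root:$6$constructed:16549:0:365:7:::' \
    'root:$6$constructed:16549:0::7:::' \
    'root:$6$constructed:0:0:365:7:::'
do
    echo "$(aging_state "$entry" 16600)  <- $entry"
done

# On a live system (run as root), report the real root entry
if [ -r /etc/shadow ]; then
    live=$(grep '^root:' /etc/shadow) &&
        echo "root: $(aging_state "$live" "$(today_days)")"
fi
```

A last-change value of 0 combined with the default 365-day maximum puts the computed expiry on day 365, that is 1 January 1971.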

Comments (5) Trackbacks (0)
  1. Great article, worked perfectly

  2. Helped me today, thanks Nigel!

  3. Hello Nigel,

    I get this error message when I want to run “chage -l root”

    You are required to change your password immediately (root enforced)
    chage: PAM: Authentication token is no longer valid; new one required

    and I’m not able to change the password now. Is there anything else I can do?

    I also get the message that my password expires on Fri Jan 01 1971 in the web and I’m not able to change something in the web now that has to do with the password or the expire date!

    • Hi Rolf,

      Is the time on your appliance synced to a reliable time source (and has it always been?). Might be worth checking this and then trying a password reset using passwd root.

    • I just ran into this problem/error you are seeing. Your password has expired.

      If you try to change it in the web GUI you will get an error that it can’t be changed. So you need to first change it from the CLI. I did this using a VMware console session so you can press the right keys quick enough as you need to hit the “e” key when it is booting up. Here is the KB article for how to change a lost or expired password.

      https://kb.vmware.com/s/article/2147144

      Once you do that then you can set it to never expire.

