Friday, December 6, 2019

NSX Manager Password Recovery

Problem
Following the update of vShield Manager to NSX Manager 6.2.4 (with the update bundle), the previous passwords for admin, enable mode or the web interface no longer seem to work correctly. In short, it seems that we have lost the passwords.

Let's cover the process in detail, step by step...

Disclaimer: The procedures described below, the result of numerous attempts, are not officially supported by VMware. Use them at your own risk. The best way is to open a Service Request with support.


Solution
First of all, let's start by analyzing a working NSX Manager appliance whose password we know. For my purpose I used VMware's HOL.

We access the NSX Manager console in "Tech Support Mode" via an SSH client, as described in my previous post (in Italian), and then check the disk partitions with df -h


then ... mount


From the above images we can see that, in addition to the root partition mounted on /, the extended partition /dev/sda6 is mounted on the /common folder.

Looking around in the /common folder, I found an interesting file called passwd in /common/configs/cli/etc/passwd ....


that looks like a shadow file ... as can be seen below.


Then, knowing that the current password of the HOL lab is "VMware1!VMware1!", I tried to verify whether I could generate the hash of the password with perl, using the command:

perl -e 'print crypt("Password","\$6\$saltsalt\$") . "\n"'


In my case: perl -e 'print crypt("VMware1!VMware1!","\$6\$u5rPILiF\$") . "\n"' and it matches.


After the analysis, let's start with the steps. The fastest way I found to access the NSX Manager appliance and reset the password is to boot the VM from a CD-ROM with a Linux live CD.

First of all, we turn off the VM and take a cold snapshot (for backup purposes).


After that, we connect the Linux live CD to the appliance (in my case I used lubuntu)


and we boot the appliance, selecting the CD-ROM Drive option.


Start Linux in live mode (without installing anything), and once it has started, open a Terminal and ....

lubuntu@lubuntu:~$ sudo su
root@lubuntu:~# fdisk -l | more
root@lubuntu:~# mkdir /nsx
root@lubuntu:/# cd /

The partitions that interest us are /dev/sda3 and /dev/sda6...


root@lubuntu:/# mount /dev/sda3 /nsx
root@lubuntu:/# cat /nsx/etc/shadow


So, now we have to take note of the hash algorithm ID (SHA-512 in our case) and the salt used to crypt, so we can generate the hash for our password "changeme" with the following command ...

root@lubuntu:/# perl -e 'print crypt("changeme","\$6\$YuXXXXXq\$") . "\n"'


We copy the hash of the newly generated password and replace the old one in the file /nsx/etc/shadow

root@lubuntu:/# vi /nsx/etc/shadow

Replace the hash with the new one and save the file by hitting "ESC" and then typing ":wq!"


root@lubuntu:/# umount /nsx
root@lubuntu:/# mount /dev/sda6 /nsx
root@lubuntu:/# cat /nsx/configs/cli/etc/passwd

The password of the enable mode user should be stored in "/nsx/configs/cli/etc/passwd". Repeat the same password hash generation procedure and replace the hash in the file /nsx/configs/cli/etc/passwd as described above.

root@lubuntu:/# perl -e 'print crypt("changeme","\$6\$nXXXXXXP\$") . "\n"'

We copy the hash of the newly generated password and replace the old one in the file /nsx/configs/cli/etc/passwd

root@lubuntu:/# vi /nsx/configs/cli/etc/passwd

Replace the hash with the new one and save the file by hitting "ESC" and then typing ":wq!"



root@lubuntu:/# umount /nsx
root@lubuntu:/# reboot

When the appliance is up and running, try to log in with the username "admin" and the password "changeme" ....


It Works!!!!!




Change the passwords of the admin and enable users following KB2078825, "Securing VMware NSX for vSphere 6.x CLI User Accounts and Privileged mode".

If everything went as expected, remove the snapshot.

That's it.
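
The two manual steps above (reading the algorithm ID and salt out of the existing entry, then swapping the hash in vi) can be scripted so that only the password field changes and a backup copy is kept. This is an added example, not part of the original post: the function names are hypothetical, the sample file uses constructed placeholder hashes, and the `rounds=` handling goes beyond the case shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the password field (2nd colon-separated field) of USER in FILE.
shadow_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }' "$2"
}

# Print the "$id$salt$" prefix of a modular-crypt hash, i.e. the string to use
# as the second argument of crypt(). Fails on locked fields such as "*" or "!".
hash_prefix() {
    printf '%s\n' "$1" | awk -F'$' '
        $1 != "" || NF < 4 { exit 1 }
        $3 ~ /^rounds=/    { if (NF < 5) exit 1; printf "$%s$%s$%s$\n", $2, $3, $4; exit }
                           { printf "$%s$%s$\n", $2, $3 }'
}

# Replace only USER's password field in FILE with NEWHASH, keeping FILE.bak.
# The hash is passed through the environment so awk does not reinterpret it.
set_shadow_hash() {
    tmp=$(mktemp) || return 1
    cp -p "$3" "$3.bak" || { rm -f "$tmp"; return 1; }
    NEWHASH="$2" awk -F: -v OFS=: -v u="$1" \
        '$1 == u { $2 = ENVIRON["NEWHASH"] } { print }' "$3" > "$tmp" &&
        cat "$tmp" > "$3"      # rewrite in place: owner and mode are kept
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample file (hash strings are placeholders, not real hashes).
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:*:18000:0:99999:7:::
admin:$6$CONSTRsalt$PLACEHOLDERoldHASH:18000:0:99999:7:::
EOF
    printf '%s\n' "$f"
}

demo() {
    f=$(make_sample)
    old=$(shadow_hash admin "$f")
    echo "crypt() salt argument: $(hash_prefix "$old")"
    set_shadow_hash admin '$6$CONSTRsalt$PLACEHOLDERnewHASH' "$f"
    grep '^admin:' "$f"
    rm -f "$f" "$f.bak"
}
demo
```

On the live CD, the file argument would be /nsx/etc/shadow or /nsx/configs/cli/etc/passwd, and the new hash is the output of the perl crypt command shown earlier.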
