I came across a very strange bug/issue with ESXi 5.5 this week. I didn’t dig very deep into it, but here is some information that might prove useful to someone out there. The issue relates to the local authentication mechanism and the ESXi console, and it can leave you in a very tight spot.
When you log in to an ESXi host directly using the vSphere client [the Windows client] rather than through a vSphere server console, you have control over the target ESXi host. The authentication window in question can be found in the main host configuration under the “Local Users & Groups” tab.
Set a password for any user here that is longer than 30 characters, say 32 characters. The problem occurs when you try to log back into your host: if you enter the full 32-character password, the system reads the entire string you have entered and declares it invalid. The workaround is to enter only the first 30 characters of your password, which should let you back into your system [and reduce your heart rate a bit]. Once you are back on the box, reset your password to something shorter than 30 characters.
Can’t I just init 1 and break in?
I’m afraid not; since ESXi 3.5 upwards it’s impossible to reset the root password [a good thing, I suppose].
Is it a bug?
This may be over-simplistic, but it would go a long way towards getting rid of this issue: simply prevent users from setting a password longer than 30 characters in the GUI window.
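To make the lockout described above concrete, and to show why the length check proposed here removes it, the following is an added example in Python. It is not code from the original post or from VMware; it models the observed behaviour under one assumption, that the password is silently cut to 30 characters when it is set but compared in full at login, which is consistent with the symptoms but not confirmed from ESXi internals. The class and constant names (`TruncatingStore`, `StrictStore`, `MAX_PASSWORD_LEN`) and the 32-character sample password are constructed for the example.

```python
import hashlib
import hmac
import os

# Limit observed in the post; the constant name is hypothetical.
MAX_PASSWORD_LEN = 30


class TruncatingStore:
    """Model of the observed defect: the password is silently truncated when
    set, but the full string is compared at login. This is an assumption
    about the mechanism, not a description of ESXi internals."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._digest = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        # The defect: anything past MAX_PASSWORD_LEN is dropped without warning.
        self._digest = self._hash(password[:MAX_PASSWORD_LEN])

    def verify(self, password: str) -> bool:
        # Login hashes the entire string, so a longer password can never match.
        return hmac.compare_digest(self._digest, self._hash(password))


class StrictStore(TruncatingStore):
    """The fix the post proposes: refuse over-long passwords at set time, so
    the stored credential always equals what the user will later type."""

    def set_password(self, password: str) -> None:
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError(f"password must be at most {MAX_PASSWORD_LEN} characters")
        self._digest = self._hash(password)


def demo() -> dict:
    """Walk through the lockout and the workaround; returns the outcomes."""
    # Constructed 32-character sample password.
    long_pw = "abcdefghijklmnopqrstuvwxyz012345"
    assert len(long_pw) == 32

    buggy = TruncatingStore()
    buggy.set_password(long_pw)

    strict = StrictStore()
    try:
        strict.set_password(long_pw)
        strict_rejected = False
    except ValueError:
        strict_rejected = True

    return {
        # Typing the full password fails, which is the "tight spot".
        "full_password_login": buggy.verify(long_pw),
        # Typing only the first 30 characters is the workaround from the post.
        "first_30_login": buggy.verify(long_pw[:MAX_PASSWORD_LEN]),
        # The fixed store never accepts a password it cannot later verify.
        "strict_store_rejected_long_password": strict_rejected,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is that the two code paths disagree about the password's length. Any check that keeps set and verify consistent removes the lockout; the explicit rejection in `StrictStore` is the simplest, because it also tells the user why.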
Any useful tips?
A few very simple ones:
- Don’t use the root account as a shared logon resource
- Tie the host to a central directory where possible
- Always have a break glass account with the password written on paper in a safe place