ESXi 6.5: Cannot login using password over ssh and web gui, but public key authentication for ssh still works

Tags: authentication, vmware-esxi

I have a freshly installed ESXi system (6.5.0a from 2017-02-02). Today I cannot log in to it using a password. Neither the web GUI (web vSphere) nor SSH with password authentication works.

Error from web gui:

Cannot complete login due to an incorrect user name or password.

I configured SSH public key authentication, which still works fine, so I still have root access to the console over SSH. I tried to change the password using "passwd root" several times. I rebooted the host, but neither the web GUI nor SSH with password authentication works.

Is there anything else I can try to restore access to the ESXi host?

Best Answer

In short, there's a root account lockout feature, introduced in ESXi 6, that gradually increases the lockout timer after a certain number of failed login attempts, up to 900 seconds, and those timers seem to be additive. The DCUI console is not affected and your password should work there. If your management interface faces a public network then you're in trouble, as brute-force SSH bots will make sure this timer never expires for the root account. Look up your /var/log/hostd.log and /var/log/auth.log to see the gory details.

You can, in order of preference, make your management interface not face the public network, configure the built-in firewall to accept traffic from trusted networks only, or disable SSH and wait for a few hours until the lockout expires. Then you should be able to log in again.

You can create a separate non-root administrator account and use it, or disable the account lockout feature by setting Security.AccountLockFailures in Advanced options to zero to avoid this happening in the future. At the same time you should consider sticking to best practices: remove public access from your management network and disable SSH access when it is not needed for troubleshooting.
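To see who is keeping the lockout timer alive, as the answer suggests, here is an added example (not from the answer or from VMware) that tallies failed SSH password logins per source address from auth.log-style lines; the sample lines and the function names are constructed, and the line format only approximates what a given ESXi build writes, so adjust the pattern to your own log.

```shell
#!/bin/sh
# Added example: count failed password logins per source address from
# ESXi-style /var/log/auth.log lines. Sample lines below are constructed and
# approximate the real format (it varies by build); the function names are
# hypothetical. Run against a copy of the real log: count_failed_by_ip FILE

# count_failed_by_ip FILE -> prints "<count> <ip>" per source, most frequent first
count_failed_by_ip() {
    # Match sshd password / PAM failures and pull the address after "from ".
    grep -E 'sshd\[[0-9]+\]: .*(Failed password|Authentication failure) for .* from ' "$1" \
      | sed -E 's/.* from ([0-9.]+).*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# top_offender FILE -> the address with the most failures (empty if none)
top_offender() {
    count_failed_by_ip "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample log, written to a temp file so the script runs stand-alone.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-02-10T10:00:01Z sshd[2100421]: error: PAM: Authentication failure for root from 198.51.100.7
2017-02-10T10:00:03Z sshd[2100421]: Failed password for root from 198.51.100.7 port 51234 ssh2
2017-02-10T10:00:05Z sshd[2100430]: Failed password for root from 198.51.100.7 port 51240 ssh2
2017-02-10T10:00:09Z sshd[2100433]: Failed password for admin from 203.0.113.9 port 40001 ssh2
2017-02-10T10:00:12Z sshd[2100440]: Accepted publickey for root from 192.0.2.5 port 50022 ssh2
2017-02-10T10:00:15Z sshd[2100421]: Failed password for root from 198.51.100.7 port 51250 ssh2
EOF

# Prints:
# 4 198.51.100.7
# 1 203.0.113.9
count_failed_by_ip "$SAMPLE_LOG"
```

Because the ESXi lockout counts failures per account rather than per source, even a single noisy address like the top one here is enough to keep root locked out, which is why the answer puts a firewall allow-list ahead of waiting for the timer to expire.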