VMware Cloud Community
bogy1
Contributor

ESXi 6.7 SSH & web console lockout

Greetings everyone. I’m literally at my wits’ end, concede defeat, acquiesce, etc. I really need some help. 😞

I’m running ESXi 6.7 on an HPE ProLiant 380 G9 Server. The keyboard in iLO and the DCUI is set to "US".

No matter what I’ve tried, I can’t log in via SSH or the web console; however, I can ONLY log in to the DCUI.

At the web console I keep getting the error:  "Cannot complete login due to an incorrect user name or password."

This is a test server so it’s not mission critical but still super annoying because I can’t figure it out.  Thus far I have:

  1. Removed the ESXi host from the NAS backup software
  2. Changed the static IP
  3. Changed the “root” password, several times
  4. Reset the management network, several times
  5. Rebooted the server, several times
  6. Restarted the management network, several times
  7. Under “Network Restore Options” – there are 3 options, “Restore Network Settings”, “Restore Standard Switch” and “Restore vDS” – the ONLY option available is “Restore Network Settings”, so I selected “Restore Network Settings” then rebooted.
  8. Performed a “Reset System Configuration”
  9. Reinstalled ESXi 6.7 with drive format
  10. Tried using several browsers (Firefox, Edge, Chrome) on two different computers

NONE of the above have solved the incorrect password problem. I still can NOT log in via SSH or ESXi web console.

FYI: “Configure lockdown mode” is greyed out.

 

Separate issue but preventing me from entering proper commands in DCUI: I also noticed when I go to the command prompt in DCUI, I'm not able to type characters like underscore and question mark. When I press those keys I get the dash and forward slash instead, and it doesn't matter if I press "Shift" in conjunction or not. I also tried using the "shift" in the virtual keyboard but that didn't work either.

I'm probably making some stupid mistake, sorry in advance.  lol 

 

12 Replies
IRIX201110141
Champion

Some guessing... is there something (monitoring system!!) that will try to log in to your newly installed ESXi? If so, then most likely the account will be locked because of the default security baseline which was added in ESX 6.x some time ago. All network logins will be blocked and only the physical DCUI will be usable.

If you are logged into ESXi on the console try

[root@esx-node-04:~] pam_tally2 --user root
Login           Failures Latest failure     From
root                1    12/25/21 23:19:30  unknown

and check the status. You can unlock the account by resetting the counter back to 0 by using the "-r" switch. The login failures are also logged and you can see the source system which is causing the problem. IIRC the default is 6 wrong login tries followed by a 10 min wait time. If you have a monitoring system which tries several times per minute, it will lock the account forever 🙂 I have this often when re-using existing IP addresses.

If you have enabled Lockdown then it's clear why you can't log in as "root" through the wire anymore. Without special configuration this host can only be managed through a vCenter Server.

 

Regards,
Joerg
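
Added example, not part of the thread: a small log triage that replays failed-login lines to show which source keeps root locked and why frequent retries never let the lock expire. The log line layout, the sample lines and the function names are constructed for illustration, the lockout model is a simplification, and the 6-try / 10-minute figures are the ones recalled in the reply above, kept as parameters.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

DENY = 6                        # failed tries before lock (figure recalled in the post)
UNLOCK = timedelta(minutes=10)  # wait time before unlock (figure recalled in the post)
# Assumed line layout "<ISO time> ... failure for <user> from <source>"; adapt to real logs.
LINE = re.compile(r"^(\S+) .*failure for (\S+) from (\S+)$")

def make_sample():
    """Constructed log: a monitoring host retries every 20 s, an admin mistypes once."""
    start = datetime(2021, 12, 25, 23, 0, 0)
    lines = [f"{(start + timedelta(seconds=20 * i)).isoformat()} sshd: "
             "Authentication failure for root from 192.0.2.50" for i in range(90)]
    lines.append("2021-12-25T23:05:07 sshd: Authentication failure for root from 198.51.100.7")
    return sorted(lines)

def analyse(lines, user="root", deny=DENY, unlock=UNLOCK):
    """Replay failures for `user`; return (locked_since, last_failure, per-source counts).

    Simplified model (an assumption): the lock starts at the `deny`-th failure and
    the counter clears only after `unlock` passes with no failure at all, so every
    retry inside that window pushes the unlock time further out.
    """
    count, last, locked_since, sources = 0, None, None, Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != user:
            continue
        ts = datetime.fromisoformat(m.group(1))
        if last is not None and ts - last >= unlock:
            count, locked_since = 0, None   # quiet period elapsed, lock expired
        count, last = count + 1, ts
        sources[m.group(3)] += 1
        if count >= deny and locked_since is None:
            locked_since = ts
    return locked_since, last, sources

def report(lines, now, deny=DENY, unlock=UNLOCK):
    """Summarise: is root locked at `now`, since when, and which source causes it."""
    locked_since, last, sources = analyse(lines, "root", deny, unlock)
    locked = locked_since is not None and now - last < unlock
    top = sources.most_common(1)[0] if sources else (None, 0)
    return {"locked": locked, "locked_since": locked_since,
            "top_source": top[0], "failures": top[1]}

if __name__ == "__main__":
    print(report(make_sample(), now=datetime(2021, 12, 25, 23, 35, 0)))
```

In the constructed sample the lock starts at the sixth failure and is still in force half an hour later, because the 20-second retries never leave a 10-minute quiet gap; the single admin typo is not the cause.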

bogy1
Contributor

Joerg,

I forgot to mention in my first post that this was connected to vCenter Server. However, I did change the static IP address AND I reinstalled ESXi (with option to format the drive), so I don't understand how it could have any connection left to vCenter Server.

Also, I'm NOT able to type (or copy and paste) the  underscore character so I can't type the command you posted.  I'm accessing the server via iLO and DCUI via iLO's HTML 5 Remote connection.  I currently do not have direct access to the physical server.  The server is at my house and I'm on vacation...not at my house.  lol

IRIX201110141
Champion

iLO is your physical access... so log in to the ESXi shell and try the pam_tally2 (try tab,tab,tab).

Normally a modern iLO also contains a virtual keyboard, so please try this also.

Regards,
Joerg

bogy1
Contributor

Yes, I know iLO is my "virtual" physical access and I did log in to the ESXi shell but again, I'm not able to type the underscore character. I have no idea why it will not type that character, and it doesn't matter what key combo I press, I only get ------- that's it, never ____

IRIX201110141
Champion

Just type  pam followed by pressing that TAB key multiple times. The shell will complete the command.

Regards,
Joerg

bogy1
Contributor

I really hate to be a buzz kill, but pressing TAB key 1,2,3, or 12 times in a row does not autocomplete.

Is there a way to get a full virtual keyboard? I only see a few keys. See attached picture.

 

bogy1
Contributor

OMG, so Firefox is lame, I switched to Edge and I can now type the underscore character (__)  WTF Firefox??  I'm locked out of ESXi shell now, so I have to wait before I can try the pam command.  I'll report the results once I have access again.

IRIX201110141
Champion

You should be able to log in to the ESXi shell/DCUI even when the account is locked. Only SSH and Host Client cannot be used with a locked root account.

Regards,
Joerg

bogy1
Contributor

Ok, so when I try and login using Edge, I get invalid password (see screen pics) but I can login just fine with Firefox.

HOWEVER, Firefox will not allow me to type the underscore character BUT Edge will allow me to type an underscore character.  WTF ???

I switched to Chrome. lol  I've also attached the results of pam_tally2

 

IRIX201110141
Champion

I would assume that FF + iLO have messed up your chosen password and that's why you're able to log in with FF on the console but not with SSH, Host Client or the Edge browser, because now your password doesn't match any more.

If you managed to log in with FF+iLO to the shell, try to find out which keys work as expected and then try to use "passwd" on the command line to change it.

Also... try to log in to iLO twice with different browsers... use FF first and, after logging in to the shell, switch to Edge and see how it differs.

Regards,
Joerg

bogy1
Contributor

Joerg,

First off, THANK YOU for all your help!!!  I switched to Google Chrome browser and was able to access DCUI and change the password using "passwd" command you provided and wouldn't you know it, now I can access the ESXi host.

Again, THANK YOU SOOOO MUCH!!

IRIX201110141
Champion

You're welcome.
