Hello,
Recently our ESX servers were compliance checked against the
CIS VMware ESX Server 3.x
Benchmark v1.0.
There were many risks found as part of the check and a remediation plan was given to be followed, which we did. The server seems to be working fine except we cannot log on with root:
When using PuTTY we log on with an intermediary account and then su to root. Earlier it was working; now it says Incorrect Password.
Logging in as root from the console says Login Incorrect.
Any help to sort out and understand this issue would be much appreciated.
OK, your first screenshot confirmed that suggestion 1 will give your user the ability to su to root. There is even a custom comment that you made in the /etc/pam.d/su file, above the line that I asked you to look for: "Uncomment the following line to allow users in the wheel group that are allowed to become root"
1. In that case, just log on to the host with the VI Client as root and go to the Users and Groups tab. Find the regular user(s) (vmadmin is one for sure) that you are trying to su from, edit the user and add it to the wheel group. You should now be able to SSH or console (DRAC) to the ESX host and su from that specific user(s).
2. Once you are in as root you can "cat /etc/securetty"; the console and vc/1, vc/2, etc. lines should be missing. The missing lines are preventing you from logging in at the console (DRAC) as root. If you want to keep the CIS remediation you don't have to make any other changes besides 1 above.
Let me know if you have any questions.
----
Robert
BSIT, MCP, A+, VCP (VI3)
Please consider awarding points for "helpful" and/or "correct" answers.
Hi AJY,
I had a similar issue with a few of our ESX hosts where I was unable to log in via SSH even though I knew the details were correct. I resolved this issue using Veeam RootAccess - http://www.veeam.com/root_access.html
It's free to download; you just need to register. It's a nice, simple tool to open up root access on ESX hosts. It did the job for me.
Hi,
If you forgot your root password, you can reset it using the link below:
http://www.petri.co.il/vmware-esx-server-root-password-reset-recovery-lost.htm
To enable root access directly when doing SSH,
go to /etc/ssh/sshd_config and
comment out the "PermitRootLogin" line or change its value to yes.
Award Points if helpful!!
Did you allow root logins on the host?
vi /etc/ssh/sshd_config
Set the following option:
PermitRootLogin yes
Then restart sshd.
www.phdvirtual.com, makers of esXpress
When trying to access this file I am getting Permission Denied.
I get "Permission to perform this operation denied" when trying to connect to the server using this tool.
You need to be logged in as root to edit the file.
If you forgot the root password, reset it (use the link in the last post I gave you).
Award Points if helpful!!
I was assuming you could log in as another user and then su - to root.
Then you make the change to allow a direct root login.
If the issue is a lost root password then that is a separate issue, which I see was posted on this thread with a link to address it.
www.phdvirtual.com, makers of esXpress
I have not lost the root password, but I cannot log on with root anymore.
The issue is not a lost root password, but that I can no longer log on with root or do a su -. Maybe something was broken as part of applying the remediation plan for CIS. I will try a reinstall. Thanks for your help.
AJY,
Are you the only administrator? Are you sure someone didn't change the password as part of the compliance work?
A quick suggestion before you re-install. Is your intermediate account (the one that you log on with before su -) a member of the Administrator role? If so, you can log on to the host with the VMware Client as that user and change the root password.
I have learned the hard way to have an additional "backup" user with the needed permissions available to log on to the host. - Another admin changed passwords.
----
Robert
BSIT, MCP, A+, VCP (VI3)
Please consider awarding points for "helpful" and/or "correct" answers.
As you mentioned, you can SSH to the server and get a login prompt.
You can log in with any user ID you know of on this server that has sudo access.
Log in as that user.
Then do su -
and enter that user's password (not the root password); sometimes people make a mistake here.
If this is not working, my suggestion is to log in to the console with root access instead of a PuTTY/SSH session.
You may use iLO/iDRAC depending on the HP/Dell hardware you use for the ESX server.
Thanks
I have tried logging in through DRAC; when I try to log on as root I get Login Incorrect.
Thanks to you at least I know now that it's not a root password problem, as I can log on with root through the VI Client. It seems the remediation plan suggested by the CIS compliance check messed up root access through SSH and DRAC (console).
It may still be worth your while just to reset the password, but it would require a reboot.
I think you may have enforced the "restrict root logins to system console" and the "Limiting access to su" remediations. Those are usually two of the suggestions from CIS. I have not personally enforced any CIS remediation but have run the report. If you did it their way you will restrict root access on ALL consoles and from su.
Do you have access to cat /etc/securetty? Are console, all the vc/* and tty entries listed?
Also, is your daily driver account a member of wheel? You should be able to add that account to wheel, which gives su permissions.
Check this out: KB Article: 1010027
*I'll see if I can duplicate this in my lab and let you know.
----
Robert
BSIT, MCP, A+, VCP (VI3)
Please consider awarding points for "helpful" and/or "correct" answers.
I was able to duplicate the issue:
1. Unable to su to root from a remote session (SSH): incorrect password
2. Unable to log on to the console (KVM) as root: incorrect password
How:
1. I blanked my /etc/securetty file. This prevented root from logging on at the KVM or iLO console; I got "login incorrect" from the console (KVM).
2. I disabled su to root; this produced "incorrect password" on all attempts.
Suggested solutions:
Log on to the console or SSH with a regular user.
1. Verify whether a user is required to be a member of wheel to su. You can run "cat /etc/pam.d/su" as a regular user. If the "#auth required /lib/security/$ISA/pam_wheel.so use_uid" line does not have a pound/number sign (#) before "auth", the user needs to be a member of wheel. In that case just log on to the host as root in the VIC, go to the Users and Groups tab, find the regular user and add it to the wheel group. If you want root to be able to log on to the console (DRAC) again you need to update the securetty file to include all the consoles: vc/1, tty1, console, etc. For that you will need root access.
If there is a # before "auth", go to the next suggestion.
2. Verify whether users were enabled for sudo. You can do this with "cat /etc/sudoers". If no users were configured for sudo you have pretty much locked yourself out of the host console and may need to rebuild the server. If users are configured, use sudo and copy the /etc/securetty file from another un-remediated host.
If you don't have a /etc/securetty file I can provide one to you.
----
Robert
BSIT, MCP, A+, VCP (VI3)
Please consider awarding points for "helpful" and/or "correct" answers.
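The checks Robert walks through in the post above (an active pam_wheel line in /etc/pam.d/su, wheel membership, a blanked /etc/securetty, and whether anyone has a sudoers entry), together with the PermitRootLogin setting that earlier replies told the poster to look at, can be scripted so the lockout is diagnosed in one pass before anyone reaches for a reinstall. The script below is an added example written for this page; it is not code from the thread, from VMware or from CIS. Every function takes file paths as arguments, and the constructed sample files written by write_samples (the vmadmin account name is taken from the thread; the file contents are made up to mimic a service console after the CIS remediation) let it run without root and offline. Against a live ESX 3.x host the defaults point at the real files, but note that /etc/securetty and /etc/sudoers are normally readable only by root, so only the pam and group checks work from an unprivileged login, exactly as the post says.

```shell
#!/bin/sh
# Added example: read-only checks for the root-lockout conditions discussed
# in the thread. Every function takes file paths as arguments (defaulting to
# the live files) so the checks can be run against copies.
# /etc/securetty and /etc/sudoers are normally root-only; /etc/pam.d/su and
# /etc/group are world-readable.

# 0 if an uncommented "auth required ... pam_wheel.so" line is present in the
# su PAM stack, i.e. only members of wheel may su to root.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so' \
        "${1:-/etc/pam.d/su}"
}

# 0 if USER is listed as a member of wheel in the group file.
user_in_wheel() {
    awk -F: -v u="$1" '$1=="wheel" { n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]==u) found=1 }
                        END { exit found ? 0 : 1 }' "${2:-/etc/group}"
}

# 0 if TTY (tty1, vc/1, console, ...) is listed in securetty. An empty or
# missing securetty rejects root on every tty with "Login incorrect".
securetty_allows() {
    [ -f "${2:-/etc/securetty}" ] && grep -qx "$1" "${2:-/etc/securetty}"
}

# Prints the effective PermitRootLogin value: first uncommented directive wins,
# as in sshd; "yes" when absent (the OpenSSH default of the ESX 3.x era).
permit_root_login() {
    v=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "${1:-/etc/ssh/sshd_config}" \
        | head -n 1 | awk '{ print tolower($2) }')
    printf '%s\n' "${v:-yes}"
}

# 0 if USER has a sudoers entry directly or via a %group it belongs to.
# Deliberately simple: aliases and #include directives are not followed.
has_sudo() {
    user="$1"; sudoers="${2:-/etc/sudoers}"; grp="${3:-/etc/group}"
    grep -Eq "^[[:space:]]*$user[[:space:]]" "$sudoers" && return 0
    for g in $(awk -F: -v u="$user" '{ n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]==u) print $1 }' "$grp"); do
        grep -Eq "^[[:space:]]*%$g[[:space:]]" "$sudoers" && return 0
    done
    return 1
}

# 0 if USER still has a path to root (su allowed, or sudo); 1 if locked out.
# DIR holds the files as su, group, securetty, sshd_config and sudoers.
root_path_exists() {
    if pam_wheel_enforced "$2/su"; then
        user_in_wheel "$1" "$2/group" && return 0
    else
        return 0   # no wheel restriction: anyone with the root password may su
    fi
    has_sudo "$1" "$2/sudoers" "$2/group"
}

# Constructed sample files (made up for this example) mimicking a service
# console after the CIS remediation: pam_wheel on, vmadmin not in wheel,
# securetty blanked, PermitRootLogin no, no sudo entries for vmadmin.
write_samples() {
    cat > "$1/su" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to allow users in the wheel group to become root
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    printf 'root:x:0:\nwheel:x:10:root\nvmadmin:x:500:\n' > "$1/group"
    : > "$1/securetty"
    printf '# CIS: no direct root logins over SSH\nPermitRootLogin no\nProtocol 2\n' > "$1/sshd_config"
    printf 'root    ALL=(ALL) ALL\n# %%wheel ALL=(ALL) ALL\n' > "$1/sudoers"
}

# Human-readable summary of the checks for USER against the files in DIR.
report() {
    user="$1"; d="$2"
    pam_wheel_enforced "$d/su" && echo "su: pam_wheel active, only wheel members may su" || echo "su: no wheel restriction"
    user_in_wheel "$user" "$d/group" && echo "$user: member of wheel" || echo "$user: NOT in wheel (add via VI Client Users and Groups, or /etc/group as root)"
    for t in console tty1 vc/1; do
        securetty_allows "$t" "$d/securetty" && echo "securetty: root allowed on $t" || echo "securetty: root rejected on $t"
    done
    echo "sshd: PermitRootLogin $(permit_root_login "$d/sshd_config")"
    has_sudo "$user" "$d/sudoers" "$d/group" && echo "sudo: $user has an entry" || echo "sudo: no entry for $user"
    root_path_exists "$user" "$d" && echo "verdict: $user can still reach root" || echo "verdict: $user is LOCKED OUT of root"
}

# Run "sh checker.sh demo" to print the report for the constructed samples.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); write_samples "$tmp"; report vmadmin "$tmp"; rm -rf "$tmp"
fi
```

On the constructed samples the verdict is "LOCKED OUT": pam_wheel is enforced, vmadmin is not in wheel, securetty is empty and no sudo entry exists, which is the combination the thread ends up diagnosing. Adding vmadmin to the wheel line of the group file flips root_path_exists to success without touching securetty, matching Robert's point that the securetty change only affects direct root logins at the console, not su.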
Great, thank you very much.
Adding the regular user to wheel did not work straight away; I had to reboot the ESX host, and after that I can su to root after logging on to the server through PuTTY. My cat /etc/securetty shows empty. Do you have one?