AJY
Contributor

Cannot Logon with Root

Hello,

Recently our ESX servers were compliance-checked against the CIS VMware ESX Server 3.x Benchmark v1.0.

There were many risks found as part of the check and a remediation plan was given to be followed, which we did. The server seems to be working fine, except we cannot log on with root:

When using PuTTY we log on with an intermediary account and then su to root; earlier it was working, now it says Incorrect Password.

Logging in as root from the console says Login Incorrect.

Any help to sort out and understand this issue would be much appreciated.

six4rm
Enthusiast

Hi AJY,

I had a similar issue with a few of our ESX hosts where I was unable to log in via SSH even though I knew the details were correct. I resolved this issue using Veeam RootAccess - http://www.veeam.com/root_access.html

It's free to download; you just need to register. It's a nice, simple tool to open up root access on ESX hosts. It did the job for me. :)

Rajeev_S
Expert

Hi,

If you forgot your root password, you can reset it using the link below:

http://www.petri.co.il/vmware-esx-server-root-password-reset-recovery-lost.htm

To enable root access directly when doing SSH, go to /etc/ssh/sshd_config and comment the "PermitRootLogin" line or change its value to yes.


Award Points if helpful!!

petedr
Virtuoso

Did you allow root logins on the host?

vi /etc/ssh/sshd_config

Set the following option:

PermitRootLogin yes

Then restart sshd.

www.phdvirtual.com, makers of esXpress
www.thevirtualheadline.com www.liquidwarelabs.com

AJY
Contributor

When trying to access this file I am getting Permission Denied.

AJY
Contributor

I am getting "Permission to perform this operation denied" when trying to connect to the server using this tool.

Rajeev_S
Expert

You need to be logged in as root to edit the file.

If you forgot the root password, reset it (use the link I gave you in my last post).

petedr
Virtuoso

I was assuming you could log in as another user and then su - to root.

Then you make the change to allow a direct root login.

If the issue is a lost root password then that is a separate issue, which I see was posted on this thread with a link to address it.

AJY
Contributor

I have not lost the root password, but I cannot log on with root anymore.

AJY
Contributor

The issue is not a lost root password, but I can no longer log on with root or do a su -. Maybe something was broken as part of applying the remediation plan for CIS. I will try a reinstall. Thanks for your help.

Walfordr
Expert

AJY,

Are you the only administrator? Are you sure someone didn't change the password as part of the compliance work?

A quick suggestion before you re-install: is your intermediate account (the one that you log on with before su -) a member of the Administrator role? If so, you can log on to the host with the VMware client as that user and change the root password.

I have learned the hard way to have an additional "backup" user with the needed permissions available to log on to the host, after another admin changed passwords.

----
Robert
BSIT, MCP, A+, VCP (VI3)
Please consider awarding points for "helpful" and/or "correct" answers.
Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.

dickybird
Enthusiast

As you mentioned, you can SSH to the server and get a login prompt.

You can log in with any user ID you know of on this server that has sudo access.

Log in as that user.

Then do su -

Enter the user's password (not the root password); sometimes people make a mistake here.

If this is not working, my suggestion is to log in to the console with root access instead of a PuTTY/SSH session.

You may use ILO/ITRAC depending on the HP/Dell hardware you use for the ESX server.

Thanks

AJY
Contributor

I have tried logging in through DRAC; when I try to log on as root I get Login Incorrect.

AJY
Contributor

Thanks to you, at least I now know that it's not a root password problem, as I can log on with root through the VI Client. It seems the remediation plan suggested by the CIS compliance check messed up root access through SSH and DRAC (console).

Troy_Clavell
Immortal

It still may be worth your while just to reset the password, but it would require a reboot:

http://kb.vmware.com/kb/1317898

Walfordr
Expert

I think you may have enforced the "restrict root logins to system console" and the "Limiting access to su" remediations. Those are usually two of the suggestions from CIS. I have not personally enforced any CIS remediation but have run the report. If you did it their way, you will have restricted root access on ALL consoles and from su.

Do you have access to cat /etc/securetty? Are console, all the vc/* and tty entries listed?

Also, is your daily-driver account a member of wheel? You should be able to add that account to wheel, which gives su permissions.

Check this out: KB Article 1010027

*I'll see if I can duplicate this in my lab and let you know.

Walfordr
Expert

I was able to duplicate the issue:

1. Unable to su to root from a remote console (SSH): incorrect password

2. Unable to log on to the console (KVM) as root: incorrect password

How:

1. I blanked my /etc/securetty file. This prevented root from logging on at the KVM or iLO console; I got login incorrect from the console (KVM).

2. I disabled su to root; this produced incorrect password at all attempts.

Suggested solutions:

Log on to the console or SSH with a regular user.

1. Verify if the user is required to be a member of wheel to su. You can run "cat /etc/pam.d/su" as the regular user. If the "#auth required /lib/security/$ISA/pam_wheel.so use_uid" line does not have a pound/number sign (#) before "auth", the user needs to be a member of wheel. In that case just log on to the host as root in VIC, go to the Users and Groups tab, find the regular user and add it to the wheel group. If you want root to be able to log on to the console (DRAC) again, you need to update the securetty file to include all the consoles (vc/1, tty1, console, etc.). For that you will need root access.

If there is a # before "auth", go to the next suggestion.

2. Verify if users were enabled for sudo. You can do this by "cat /etc/sudoers". If no users were configured for sudo you have pretty much locked yourself out of the host console and may need to rebuild the server. If users are configured, use sudo to copy the /etc/securetty file from another un-remediated host.

If you don't have a /etc/securetty file I can provide one to you.

AJY
Contributor

I was able to duplicate the issue:

1. Unable to su to root from a remote console (SSH): incorrect password

2. Unable to log on to the console (KVM) as root: incorrect password

How:

1. I blanked my /etc/securetty file. This prevented root from logging on at the KVM or iLO console; I got login incorrect from the console (KVM).

2. I disabled su to root; this produced incorrect password at all attempts.

Suggested solutions:

Log on to the console or SSH with a regular user.

1. Verify if the user is required to be a member of wheel to su. You can run "cat /etc/pam.d/su" as the regular user. If the "#auth required /lib/security/$ISA/pam_wheel.so use_uid" line does not have a pound/number sign (#) before "auth", the user needs to be a member of wheel. In that case just log on to the host as root in VIC, go to the Users and Groups tab, find the regular user and add it to the wheel group. If you want root to be able to log on to the console (DRAC) again, you need to update the securetty file to include all the consoles (vc/1, tty1, console, etc.). For that you will need root access.

If there is a # before "auth", go to the next suggestion.

See the attachment for the su file.

2. Verify if users were enabled for sudo. You can do this by "cat /etc/sudoers". If no users were configured for sudo you have pretty much locked yourself out of the host console and may need to rebuild the server. If users are configured, use sudo to copy the /etc/securetty file from another un-remediated host.

Please see attached.

If you don't have a /etc/securetty file I can provide one to you.

Walfordr
Expert

OK, your first screenshot confirmed suggestion 1 will give your user the ability to su to root. There is even a custom comment that you made in the /etc/pam.d/su file, above the line that I asked you to look for: "Uncomment the following line to allow users in the Wheel group that are allowed to become root".

1. In that case, just log on to the host with the VI client as root and go to the Users and Groups tab. Find the regular user(s) (vmadmin is one for sure) that you are trying to su from, edit the user and add it to the wheel group. You should now be able to SSH or console (DRAC) to the ESX host and su from that specific user(s).

2. Once you are in as root you can "cat /etc/securetty"; the console and vc/1, vc/2, etc. lines should be missing. The missing lines are preventing you from logging in at the console (DRAC) as root. If you want to keep the CIS remediation you don't have to make any other changes besides 1 above.

Let me know if you have any questions.

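The three settings Walfordr walks through in the two posts above (whether the pam_wheel.so line in /etc/pam.d/su is active, whether the user is in wheel, and whether /etc/securetty still lists the consoles), as an added diagnostic script that is not from the thread. The function names, the directory override argument and the sample files it builds are constructed for offline testing; on a real host, diagnose /etc vmadmin reads the live files.

```shell
# Added example, not from the thread: explains why "su -" and console root login fail
# after the CIS remediation. diagnose's $1 overrides /etc so it can run against a copy.
# 0 if /etc/pam.d/su has an uncommented pam_wheel.so line (su to root requires wheel).
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"
}
# 0 if root may log in on tty $2: pam_securetty allows every tty when the file is
# absent, and none when the file exists but is empty (what the remediation produced).
securetty_allows() {
    [ -f "$1" ] || return 0
    grep -Fxq "$2" "$1"
}
# 0 if user $2 is listed as a member of group $1 in group file $3.
in_group() {
    awk -F: -v g="$1" -v u="$2" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
         END { exit !f }' "$3"
}
# Prints one finding per line for user $2, reading config under $1 (default /etc).
diagnose() {
    etc=${1:-/etc}; user=$2
    if pam_wheel_enforced "$etc/pam.d/su"; then
        if in_group wheel "$user" "$etc/group"; then
            echo "su: pam_wheel active and $user is in wheel, su - should work"
        else
            echo "su: pam_wheel active and $user is NOT in wheel, expect 'incorrect password'"
        fi
    else
        echo "su: pam_wheel commented out, any user may su - with the root password"
    fi
    for t in console vc/1 tty1; do
        if securetty_allows "$etc/securetty" "$t"; then
            echo "securetty: root login allowed on $t"
        else
            echo "securetty: root login on $t blocked, expect 'login incorrect'"
        fi
    done
}
# Constructed sample tree mirroring the remediated host: pam_wheel active, securetty blanked.
build_sample() {
    mkdir -p "$1/pam.d"
    cat > "$1/pam.d/su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to allow users in the wheel group to become root
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
EOF
    : > "$1/securetty"
    printf 'wheel:x:10:vmadmin\n' > "$1/group"
}
```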
AJY
Contributor

Great, thank you very much.

Adding the regular user to wheel did not work straight away; I had to reboot the ESX and after that I can do the su to root after logging on to the server through PuTTY. My cat /etc/securetty shows empty. Do you have one?
