Every now and then, there comes a time when you have to change the “root” password on an ESX host. It might be because someone has left the company, or simply because a problem required the root password to be revealed to people other than the “gods”.

One of the common misconceptions about changing the password on an ESX host is that you have to go into single-user mode to change it. That is simply not true. If the password is known and just needs changing, all you need to do is:

  1. Gain console access to ESX as root (best practice would suggest you use “su -”)
  2. Type “passwd root” and hit Enter
  3. Type new password and confirm by retyping, when asked
  4. Message returns: “passwd: all authentication tokens updated successfully”

That’s it! Sometimes the concern is that it would cause the ESX Server to lose contact with the cluster (as the root password is required when adding the host to the cluster). This is also not true, because the root password is only required to deploy the vpxa agent, which uses its own random password that is automatically reset periodically.

It’s a different matter altogether if you’ve forgotten the password, in which case you do need to go into single-user mode, and this article explains the process: http://kb.vmware.com/kb/1317898 – and yes, it does mean that anyone with physical access to the ESX host can gain root access to it. That said, if someone has gained physical access to any of your machines, you can consider yourself hacked anyway!

So, if you ever wanted to change the root password on ESX hosts while they are running services and were too afraid, fear not – it should work. I hope this will go some way towards reducing anxiety when faced with this scenario.