Automation
  • 1.  vCenter-attached ESX hosts root password rotation

    Posted Jul 19, 2024 04:23 AM

    Hi all,

    I am using clusters in vCenter and have to change the root passwords of the attached ESX hosts regularly.

    Each ESX host must have its own password, ideally randomly generated based on some rules.

    I have seen some existing scripts that change passwords.

    Additionally, I will document the password change in a report file.

    But my question: how do I reconnect the host with the new password?

    Has someone done something similar?

    Thanks in advance for any hint.

    Kind regards,

    Christoph



  • 2.  RE: vCenter-attached ESX hosts root password rotation

    Posted Jul 19, 2024 04:28 AM

    I would try a Remove-VMHost followed by an Add-VMHost, with the new credentials.



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 3.  RE: vCenter-attached ESX hosts root password rotation

    Posted Jul 20, 2024 09:23 AM

    I had done this recently. I don't recall having to rejoin. I think the agent from vCenter takes care of that.

    I had two parts in my script. In the first part I connected to vCenter and made a list of hosts.

    In the next part I disconnected from vCenter and looped through my host list, connecting directly:

        # Connect directly to the host as root with the current (old) password
        Connect-VIServer -Server $HostName -User root -Password $password_old
        # Set the new root password on that host
        Set-VMHostAccount -UserAccount root -Password $password_new
        # Drop the direct host session before moving on to the next host
        Disconnect-VIServer -Confirm:$False

    Maybe try it out on one and see. I think there might have been some alarms to deal with after.




  • 4.  RE: vCenter-attached ESX hosts root password rotation

    Posted Jul 20, 2024 03:10 PM

    The root account is only used to connect a host to the vCenter Server environment.

    Once connected, vCenter Server manages the hosts using the "vpxuser" account, for which vCenter Server changes the password regularly.

    André




  • 5.  RE: vCenter-attached ESX hosts root password rotation

    Posted Jul 22, 2024 10:48 AM

    I know what you're doing. I've had to do the same to satisfy the security team and their STIGs. I wish I had the script I used so I could post it, but unfortunately it is on a system at a previous job. I can give you the basic outline though.

    I never had to remove and re-add a host for this. As someone mentioned below, once it's connected, the VCSA deals with the secure comms on its own. I've also had to use this to change service accounts on all the hosts (looking at you, ACAS). I kept all our secure passwords in a special KeePass vault to begin with and then I moved to a BitWarden vault. Luckily, there are PowerShell modules for both available in the Gallery and they work great. My big trick was encrypting the credentials to access the vault, but it's doable. I used a generated encryption key but you can easily just feed it creds. Another gotcha is to create the entries with the hostnames. Here is the basic outline.

    • Get credentials to access the password vault
    • Connect to the vault
    • Connect to vCenter
    • Pull all powered on hosts
    • For each host, look up the host in the vault
      • If you do not find an entry, make one with the name of the host. You'll then update the vault as you change passwords.
    • If you find a host, pull the password for the user and update the notes field with the old password. I did this just to keep a running history of changes
    • Tell KeePass or BitWarden to generate a new password according to your complexity. You can also do it in PS
    • Use the new password with esxcli commands to update the user's password on the host.
    • Update the entry in your vault
    • Rinse and repeat till you've cycled through all the hosts
    • Save the new vault
    • Disconnect from everything

    You can of course use a host profile to change passwords. You can even use PS to create a host profile for each host and apply it so you still have different root passwords, and export the new creds someplace for recording. We used the script I wrote instead of host profiles because we expanded it and used it to cycle passwords on most of our systems. We used it for ESXi hosts as well as Linux and Windows machines. We had a mix of separated environments and systems that were not domain joined. This basic idea was used to streamline password rotations on almost everything I could get my grubby little hands on.

    Good luck with this. Be sure to wave your hat when you have it working.
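
Putting posts 3 and 5 together, here is an added PowerCLI example that is not code from any poster in this thread. It does what the outline above describes minus the vault: pulls the connected, powered-on hosts from vCenter, gives each host its own CSPRNG-generated password that satisfies a four-character-class rule set, applies it with `esxcli system account set` through the existing vCenter session (so, as posts 4 and 5 note, the host stays connected and no Remove-VMHost/Add-VMHost is needed), optionally proves the new password by logging in to the host directly (the reconnect worry from post 1), and writes the report file. The vCenter name `vcsa.example.com`, the function names and the complexity rules are assumptions for illustration.

```powershell
#Requires -Modules VMware.VimAutomation.Core
# Added example, not from any post in this thread. Assumes PowerCLI 13.x and a
# vCenter reachable as vcsa.example.com (placeholder name).

function Get-CryptoRandomIndex {
    # Integer in 0..($Max-1) from a CSPRNG; rejection sampling avoids the
    # modulo bias a plain "byte % n" would introduce for small sets.
    param([Parameter(Mandatory)][ValidateRange(1, 256)][int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = [int][math]::Floor(256 / $Max) * $Max
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomPassword {
    # Assumed rule set: one char from each of four classes, filled up from the
    # union, then Fisher-Yates shuffled so the mandatory chars are not always
    # first. Ambiguous glyphs (0/O, 1/l/I) are left out because root passwords
    # end up being typed at the DCUI eventually.
    param([int]$Length = 20)
    $classes = @(
        'abcdefghjkmnpqrstuvwxyz'.ToCharArray(),
        'ABCDEFGHJKLMNPQRSTUVWXYZ'.ToCharArray(),
        '23456789'.ToCharArray(),
        '!#%&*+-=?@^_'.ToCharArray()
    )
    $all   = @($classes | ForEach-Object { $_ })
    $chars = New-Object 'System.Collections.Generic.List[char]'
    foreach ($set in $classes) { $chars.Add($set[(Get-CryptoRandomIndex $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-CryptoRandomIndex $all.Count)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-CryptoRandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Invoke-EsxRootRotation {
    # Rotate root on every connected, powered-on host via the vCenter session.
    # vCenter manages hosts as vpxuser, so changing root does not break the
    # host connection and nothing has to be re-added.
    param(
        [Parameter(Mandatory)][string]$VCenter,
        [Parameter(Mandatory)][pscredential]$VCCredential,
        [string]$ReportPath = ".\esx-root-rotation-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
        [switch]$Verify
    )
    $vc = Connect-VIServer -Server $VCenter -Credential $VCCredential -ErrorAction Stop
    $targets = Get-VMHost -Server $vc |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.PowerState -eq 'PoweredOn' }

    $report = foreach ($esx in $targets) {
        $new = New-RandomPassword
        try {
            # Equivalent of: esxcli system account set -i root -p <pw> -c <pw>
            $esxcli = Get-EsxCli -VMHost $esx -V2
            $null = $esxcli.system.account.set.Invoke(@{
                id = 'root'; password = $new; passwordconfirmation = $new })
            $status = 'Set'
        } catch {
            $status = "SetFailed: $($_.Exception.Message)"
            $new = $null        # never record a password that was not applied
        }
        if ($new -and $Verify) {
            # Direct login with the new password proves it works; the vCenter
            # session is untouched because it does not use root.
            try {
                $cred = New-Object pscredential ('root', (ConvertTo-SecureString $new -AsPlainText -Force))
                $direct = Connect-VIServer -Server $esx.Name -Credential $cred -ErrorAction Stop
                Disconnect-VIServer -Server $direct -Confirm:$false
                $status = 'SetAndVerified'
            } catch {
                # The password IS applied on the host, so keep it in the report.
                $status = "SetButVerifyFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Timestamp = Get-Date -Format 'o'
            VMHost    = $esx.Name
            Account   = 'root'
            Password  = $new
            Status    = $status
        }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    Disconnect-VIServer -Server $vc -Confirm:$false
    return $report
}

# Usage (placeholder vCenter name; prompts for the vCenter admin credential):
# Invoke-EsxRootRotation -VCenter 'vcsa.example.com' -VCCredential (Get-Credential) -Verify
```

Two caveats a practitioner should keep in mind. First, the CSV contains plaintext root passwords, so it is a secret in its own right: restrict who can read it, or better, replace the Export-Csv step with the per-host vault update from the outline above so nothing sits on disk. Second, `-Verify` logs in to each host by name over HTTPS, so hosts with self-signed certificates will fail the check unless PowerCLI is configured to trust them (`Set-PowerCLIConfiguration -InvalidCertificateAction`), and a failed verify attempt counts toward the host's account-lockout threshold like any other failed root login.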