Kyle Gleed, Sr. Technical Marketing Architect, VMware
I was recently asked about the following alert that pops-up when doing an in-place upgrade from ESX 4.x to ESXi 5.0 using the installer:
The question is particularly relevant because in the vSphere Security Guide we have a caution that says you should never change the vpxuser’s password:
First, some background on the ‘vpxuser’ account. This account is a full privileged administrator account that gets created on each ESXi host when it is attached to vCenter. This is the account that vCenter uses to manage the host. When the account is added a password is dynamically created, and for security reasons the password gets reset every 30 days (default).
The alert comes because of an issue in ESX/ESXi 4.x that resulted in only the first 8 characters of a password being needed to authenticate to an ESX/ESXi host. There is a KB article on how to fix this (http://kb.vmware.com/kb/1024500).
Because the ‘vpxuser’ account is needed for vCenter to manage the ESXi host it is important to keep the password in sync with vCenter, and therefore you should never manually change the password. Hence why the security guide recommends you never modify this account, to include resetting the password. I did some testing in my lab and found at least two problems that result when manually changing the 'vpxuser' password:
- After you change the password, the next time you reboot/disconnect the ESXi server it will fail to reconnect to vCenter. You will have to manually intervene to reconnect the host, at which time you will need to re-supply the root credentials.
- After you change the password, if you put the ESXi server into maintenance mode and then take it out you will get HA errors as the host will be unable to re-join the cluster (assuming HA is enabled of course). To fix you will need to manually disconnect/reconnect the host by re-entering the root credentials (simply disabling and re-enabling HA won't work).
These are just two issues that I caught. There could be more. Bottom line, changing the ‘vpxuser’ password is not recommended. If you are required to have passwords longer than 8 characters I would recommend implementing the change outlined in the KB before upgrading. If you’ve already upgraded, you can manually reset the password but just make sure you take the extra steps to manually disconnect and re-connect the host so you can keep things in sync with vCenter.
Also, keep in mind that by default the vpxuser’s password gets reset every 30 days (http://kb.vmware.com/kb/1016736), so even if you don't manually update the password at some point within 30 days of the upgrade it will eventually get changed it to something longer than 8 characters.
Follow me on twitter @VMwareESXi