
PowerCLI: one-liner to verify root password on ESXi hosts

03 May

Before ESXi 5.5, there is only one account with full admin privileges on an ESXi host, and that is the root account. In the financial sector, for example at a bank, you are required to use a password broker to manage your root password. That is, you check the initial root password in to the broker (like CyberArk) and it resets the password regularly. When you need to perform work on the host using the root password, you need to check the password out with dual authentication. Of course, this really makes life hard for us admins when we need to perform bulk work that requires root passwords, for example when we have to move hundreds of hosts from one vCenter to another.

I use this one-liner below to verify if a host is using the default root password (which was standardized previously). This is useful as part of audit remediation, as some hosts may have been rebuilt due to an issue and the root password was not re-checked in to the broker to be managed. One caveat I found is that for the same PowerCLI session, you should not be logged into any of the vCenters where the hosts are managed via connect-viserver before running this. The h.csv file is just a list of host names with “name” as the column.


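# Try the default root password on every host listed in h.csv (column "name").
import-csv .\h.csv | %{ $err = @() ;
  connect-viserver $_.name -user root -password "default" -EA silentlycontinue -EV err ;
  # Any connection error appends the host name to hosts_std_root.txt; otherwise disconnect.
  if ($err.count -gt 0) { $_.name | out-file .\hosts_std_root.txt -append }
  else { disconnect-viserver $_.name -force -confirm:$false } }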

I use this one-liner below to test each ESXi host before I start work AFTER checking out each root password. The creds.csv file is a list of name,password.


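# Test the checked-out root password for every host in creds.csv (columns: name,password).
dir creds.csv | % { import-csv .\$($_.name) |
  %{ $err = @() ; connect-viserver $_.name -user root -password $_.password -EA silentlycontinue -EV err ;
  # Hosts where the connection fails are appended to esx_wrong_root.txt.
  if ($err.count -gt 0) { $_.name | out-file .\esx_wrong_root.txt -append }
  else { disconnect-viserver $_.name -force -confirm:$false } } }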
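
An added example, not code from the original post: a function form of the checks above that takes a PSCredential instead of a plaintext -password argument, refuses to run while the PowerCLI session already holds connections (the caveat mentioned earlier), and records a rejected password separately from a host that could not be reached. The function name, the root_check.csv output file and the matched error phrase are assumptions.

```powershell
# Added example; Test-EsxiRootPassword and root_check.csv are hypothetical names.
function Test-EsxiRootPassword {
    param(
        [Parameter(Mandatory)] [string[]]     $HostName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Caveat from the post: the session must not already be connected to the
    # vCenters that manage these hosts.
    if ($global:DefaultVIServers.Count -gt 0) {
        throw "Disconnect existing sessions first: $($global:DefaultVIServers.Name -join ', ')"
    }
    foreach ($name in $HostName) {
        $err  = @()
        # -NotDefault keeps the test connection out of $DefaultVIServers.
        $conn = Connect-VIServer -Server $name -Credential $Credential -NotDefault `
                    -ErrorAction SilentlyContinue -ErrorVariable err
        if ($conn) {
            $status = 'PasswordAccepted'
            Disconnect-VIServer -Server $conn -Force -Confirm:$false
        }
        elseif ("$err" -match 'incorrect user name or password') {
            # Assumption: the host's login-failure message contains this phrase.
            $status = 'PasswordRejected'
        }
        else {
            # DNS failure, timeout, and so on: not evidence about the password.
            $status = 'ConnectError'
        }
        [pscustomobject]@{
            Name   = $name
            Status = $status
            Detail = ("$err" -replace '\s+', ' ')
        }
    }
}

# Prompt for the password so it never appears in the command line or history.
$cred  = Get-Credential -UserName root -Message 'Root password to test'
$hosts = (Import-Csv .\h.csv).name
Test-EsxiRootPassword -HostName $hosts -Credential $cred |
    Export-Csv .\root_check.csv -NoTypeInformation
```

Hosts with status ConnectError need a re-run once they are reachable; the one-liners above would log them in the same file as hosts whose password was rejected.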

Posted on May 3, 2014 in powershell, Scripts, vmware

 


2 responses to “PowerCLI: one-liner to verify root password on ESXi hosts”

  1. Harel

    June 22, 2015 at 4:02 am

    Excellent post, I used this one-liner to create a multi-threaded script:
    http://serv.co/blog/check-root-password-with-powercli-multi-threading/

     
