Thursday, 18 April 2013

Reset padmin VIO password from the HMC with zero downtime

Here is a method you can use to reset a lost VIO padmin password from the HMC with zero downtime on the VIO server. This is a somewhat involved process, but much easier than having to take downtime on the VIO server to change the password. The task is challenging because the viosvrcmd HMC command doesn't allow the command it runs on the VIO server to contain a pipe ("|") or any redirection ("<", ">"), and doesn't allow interactive input. This rules out using something like "chpasswd" to change the password.

Step 1:  Find the current padmin password hash.   

From the HMC, type (change "-m p520 -p vio1" to your managed system / VIO server names)
command=`printf "oem_setup_env\ncat /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
Look for the padmin stanza and its password hash:
    password = TRl01MDd3QnVw
    lastupdate = 1352950198

Step 2:  Generate a new password hash.   

From a different AIX server that has openssh/openssl installed, type "openssl passwd" and enter the new password that you want to assign to the padmin account. OpenSSL will generate the password hash and display it on the screen.
 # openssl passwd
Verifying - Password:

Step 3:   Replace the VIO padmin's password hash with the new password hash from the HMC using viosvrcmd/perl.   

Use a command similar to this from the HMC:
command=`printf "oem_setup_env\nperl -pi -e 's/<OLD_HASH>/<NEW_HASH>/' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
In our example, it would be (make sure to change "-m p520 -p vio1" to your managed system / VIO names)
 command=`printf "oem_setup_env\nperl -pi -e 's/TRl01MDd3QnVw/OSdD0E9SQYE.E/' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"

Step 4:  Optionally reset padmin failed login count.   

If you need to reset the failed login count, run this command from the HMC:  (make sure to change "-m p520 -p vio1" to your managed system / VIO names)
command=`printf "oem_setup_env\nchsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s padmin"`; viosvrcmd -m p520 -p vio1 -c "$command"

Update: If the old or new password hash has a slash ("/") in it, the perl line above needs to be changed. Use a different delimiter instead, such as a comma:
command=`printf "oem_setup_env\nperl -pi -e 's,<OLD_HASH>,<NEW_HASH>,' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
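
The hash lookup from Step 1 and the command string from Step 3 can be scripted so that the hashes are checked before /etc/security/passwd is edited. This is an added example, not part of the original post: the function names are hypothetical, the root stanza in the sample is constructed, and it assumes the Step 1 output is available in a POSIX shell with awk and that both hashes are in the 13-character format shown above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
LC_ALL=C; export LC_ALL

# Constructed sample of Step 1 output (padmin values are the post's example).
SAMPLE_PASSWD='root:
    password = abcdefghijklm
    lastupdate = 1300000000

padmin:
    password = TRl01MDd3QnVw
    lastupdate = 1352950198
'

# Print the password hash of stanza "$1" from passwd-file text on stdin.
stanza_hash() {
    awk -v user="$1" '
        /^[^ \t#].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); in_user = ($0 == user); next }
        in_user && $1 == "password" && $2 == "=" { print $3; exit }
    '
}

# Succeed only for a 13-character hash in the crypt alphabet [./0-9A-Za-z].
is_crypt_hash() {
    [ "${#1}" -eq 13 ] || return 1
    case $1 in *[!./0-9A-Za-z]*) return 1 ;; esac
}

# Print the two-line string to pass to: viosvrcmd -m <sys> -p <vio> -c "$command"
build_reset_command() {
    old=$1; new=$2
    is_crypt_hash "$old" || { echo "old hash: unexpected format" >&2; return 1; }
    is_crypt_hash "$new" || { echo "new hash: unexpected format" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "old and new hash are identical" >&2; return 1; }
    # A comma is outside the crypt alphabet, so s,,, is safe even when a hash
    # contains "/". A "." in the old hash is a regex wildcard that still
    # matches the literal dot.
    printf "oem_setup_env\nperl -pi -e 's,%s,%s,' /etc/security/passwd" "$old" "$new"
}

# Demo: extract the current hash, then build the Step 3 command.
current=$(printf '%s' "$SAMPLE_PASSWD" | stanza_hash padmin)
build_reset_command "$current" 'OSdD0E9SQYE.E'; echo
```

After running the generated command, repeat Step 1 and confirm that stanza_hash now returns the new hash for padmin.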
