
Tutorial: How to Secure the Root User Account on a Virtual Appliance

Abstract

We recommend you secure the root user account when deploying Access Server on a virtual appliance such as Hyper-V or VMware ESXi.

Overview

If you install Access Server on a virtual appliance with VMware ESXi or Microsoft Hyper-V, we recommend taking these additional steps to secure the OS root user account.

The root account's initial password on one of our appliances is simplistic. We take precautions with our appliances so that accessing the root account over the network isn't easy, but we recommend strengthening the password to protect against the risk of someone gaining access to the console.

Important

The case-sensitive default username and password for the VMware and Windows VHD virtual appliances are:

  • Default Username: root

  • Default Password: openvpnas

  • Access Server installed on Hyper-V or ESXi.

  1. Sign on to the operating system as a root user via the console (or sign in and then gain root privileges).

  2. Enter this command to set a new password:

    passwd
    • You've changed the root user's password.

If you can't use the root account for SSH access, you can create your own Linux account for this and adjust the SSH server settings to allow it.

Create a new user with sudo rights

  1. Install the sudo program:

    apt-get -y install sudo
  2. Add a new user:

    adduser <USERNAME>
  3. Give the user the right to run commands as a root user:

    usermod -aG sudo <USERNAME>
    • Where <USERNAME> is a name of your own choice, without spaces or special characters. You can use this account to sign in through SSH and transfer files with programs such as SCP or WinSCP.

  4. To gain root privileges with your new account, run this command and provide the user password:

    sudo su
  5. Finally, we recommend setting up an SSH keypair for signing in with this user account instead of only the username and password.
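
One way to carry out step 5 on the appliance, shown as an added example that is not part of the original tutorial. The function name install_pubkey, the key file name as_admin, and the choice of an ed25519 key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: install an SSH public key for the sudo user created above.
# On your own workstation, generate the keypair first (the private key stays there):
#   ssh-keygen -t ed25519 -f ~/.ssh/as_admin
# Then run this on the appliance as root with the contents of as_admin.pub.

# install_pubkey HOME_DIR "PUBLIC KEY LINE" [OWNER]
# Returns 0 on success, 1 on a missing home directory or an invalid key line.
install_pubkey() {
    local home_dir pubkey owner ssh_dir auth_file nl
    home_dir=$1
    pubkey=$2
    owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    [ -d "$home_dir" ] || { echo "no such home directory: $home_dir" >&2; return 1; }

    # Accept only a one-line public key of a common type. This rejects a
    # pasted private key ("-----BEGIN ...") and multi-line input.
    case $pubkey in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd (StrictModes, on by default) ignores key files that group or
    # others can write, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present (idempotent).
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"

    # When run as root, hand ownership to the account that will sign in.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$ssh_dir" || return 1
    fi
}
```

Call it as `install_pubkey /home/<USERNAME> "<contents of as_admin.pub>" <USERNAME>`, then confirm you can sign in with the key before relying on it.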

Note

AWS appliances already require a secure private/public key pair on an unprivileged account (openvpnas), and then you can “sudo up” to gain root access. AWS has no direct console access, and the root account is blocked from direct SSH access.

If you've lost access to your Access Server virtual appliance and need to change the password, follow these steps to reset it:

  1. Reboot the server and hold the Shift key to display the GRUB boot loader screen.

  2. Press E to edit the boot parameters.

  3. Add rw init=/bin/bash at the end of the line starting with linux, and press Ctrl + X to boot.

  4. After the system boots, type passwd, enter your password twice, and reboot the server.

For cloud-based appliances, refer to your provider’s documentation for further instructions.