Cannot login user root@127.0.0.1: no permission

If you are running vSphere environments you will probably recognize this error and log entry that is flooding your log server's logs. Luckily I was working with a customer that did not accept the default answer as mentioned in this KB. Therefore I investigated the issue and found several causes for this error to occur.

The basis for this error to occur is running your host in Lockdown Mode:

ESXi Lockdown Mode is a security feature in VMware ESXi that restricts direct access to the ESXi host, allowing management only through vCenter Server. There are two types: Normal Lockdown Mode, which allows access for certain exception users, and Strict Lockdown Mode, which completely disables direct access for all users.

That means the root user cannot log in at the ESXi level, and this applies to internal processes as well.

But several processes and scripts run locally to gather information or for general housekeeping. In recent years several of these still used root to execute the script or run the process. The currently known ones are:

  • vSAN-Health plugin > fixed in 8.0U3e by using vpxuser
  • vSphere Replication/VLR (HBR-agent) > workaround is to disable the agent
  • NSX-agents (nsx-transporter) > fixed in 4.2.3.2 by using vpxuser
  • HP-SUT (KB) > Ask HPE support for a fix! Workaround is to disable SUT when not in use.
  • Any other native or third-party process or script running on ESXi

Most of these processes run via vimsvc/vim-cmd/esxcli/pyvmomi with a specific user and on different intervals, so there is a way to identify the process causing the issue. This recent KB describes how to find the script behind vim-cmd or esxcli. From there it's a matter of installing the right patch, using the workaround, or registering a case with support to get it fixed for this unknown occurrence.
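An added example (not from the original post, VMware or any of the vendors named above) that applies the interval idea: it scans constructed hostd.log-style lines (the field layout is assumed), extracts the loopback root denials and reports the dominant gap between them, which you can then match against the cadence of local jobs such as cron entries or agent polling.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample in the style of /var/log/hostd.log; exact field layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z info hostd[2098] [Originator@6876 sub=Vimsvc] unrelated hostd event
2024-05-01T10:00:05Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
2024-05-01T10:05:05Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
2024-05-01T10:10:05Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
2024-05-01T10:12:43Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
2024-05-01T10:15:05Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
2024-05-01T10:20:05Z warning hostd[2098] [Originator@6876 sub=Default] Cannot login user root@127.0.0.1: no permission
"""

DENIAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z .*"
    r"Cannot login user (?P<user>\S+?)@127\.0\.0\.1: no permission"
)

def parse_denials(text: str, user: str = "root") -> List[datetime]:
    """Timestamps of loopback login denials for `user`, in log order."""
    hits = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if m and m.group("user") == user:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            hits.append(ts.replace(tzinfo=timezone.utc))
    return hits

def dominant_interval(stamps: List[datetime], bucket: int = 5) -> Optional[Tuple[int, int]]:
    """Most common gap between consecutive denials, rounded to `bucket` seconds.
    Returns (interval_seconds, occurrences), or None with fewer than two hits."""
    if len(stamps) < 2:
        return None
    stamps = sorted(stamps)
    gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    rounded = [bucket * round(g / bucket) for g in gaps]   # absorb scheduler jitter
    interval, n = Counter(rounded).most_common(1)[0]
    return interval, n

def summarize(text: str) -> dict:
    """Count denials and flag a periodic pattern worth matching to a local job."""
    stamps = parse_denials(text)
    result = {"denials": len(stamps), "interval_s": None, "periodic": False}
    hit = dominant_interval(stamps)
    if hit:
        interval, n = hit
        result["interval_s"] = interval
        # Periodic when the dominant gap explains at least half of the sequence.
        result["periodic"] = n >= max(2, (len(stamps) - 1) // 2)
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A 300 second cadence in the output points at a five-minute job; the stray 10:12:43 hit shows how one-off denials are tolerated without hiding the pattern.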

Marco Baaijen
