K13121: Changing system maintenance account passwords (11.x - 15.

x)

Non-Diagnostic

Original Publication Date: Nov 13, 2018

Update Date: Mar 19, 2020

Topic

Note: For information about changing system maintenance account passwords in earlier versions, refer to
K3350: Changing system maintenance account passwords (9.x - 10.x).

You should consider using this procedure under either of the following conditions:

You want to modify the passwords for the root or admin users.
You want to reset a lost or forgotten root password.

Description

On installation, the BIG-IP system creates a default root user and a default administrative user with the
following credentials.

Username Password
root default
admin admin

For more information about default users, refer to K13148: Overview of default management access
settings for F5 products.

You should always modify the passwords for BIG-IP maintenance accounts from their defaults. The
procedures in this article provide multiple ways to modify the system maintenance account password to
comply with password policies, standards such as PCI compliance, or other security policies appropriate to
your organization. If you lose or forget the root password, you can reset it without reinstalling the system
software.

Prerequisites

You must meet the following prerequisites to use these procedures:

To modify the root or admin passwords, you must have either administrator or root level access to
either the Configuration utility or the command line, respectively.
To reset a lost root password, you must have access to the BIG-IP serial console.

Procedures
 Using the Configuration utility to modify system maintenance account passwords
Using tmsh to modify system maintenance account passwords
Resetting a lost or forgotten root password

Using the Configuration utility to modify system maintenance account passwords

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.

2. Go to System > Platform.
3. Under User Administration, choose the Password box for either Root Account or Admin Account.
4. Enter the new password.
5. Enter the same password in the Confirm box for the account that you chose in step 3.
6. Select Update.
7. If you have updated the password for Admin Account, the system logs you out of the Configuration
utility, and you must log in again using the new password.

Using tmsh to modify the system maintenance account passwords

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

2. To modify the password for the root account, enter the following command:

Note: If you need to modify the password for only the admin account, skip to step 5.

modify auth password root

3. When prompted, enter the new root password.

4. When prompted, reenter the new root password to confirm.

Note: If you need to modify the password for only the root account, skip the remaining steps.

5. To modify the password for the admin account, enter the following command:

modify auth user admin prompt-for-password

6. When prompted, enter the new admin password.

7. When prompted, reenter the new admin password to confirm.
8. To save changes to the configuration files, enter the following command:

save sys config

9. To exit tmsh, enter the following command:

quit
Resetting a lost or forgotten root password

Note: If you want to reset a lost or forgotten root password on BIG-IP 14.1.0 and later, refer to the following
articles:

K35811337: How to recover the root password on non-RAID BIG-IP platforms (BIG-IP 14.1.0 and
later)
K23220345: How to recover the root password on RAID-capable BIG-IP platforms (BIG-IP 14.1.0 and
later)

Impact of procedure: This procedure requires that you restart the BIG-IP system in single-user mode. While
in this mode, the device is unable to process traffic.

1. Start the system in single-user mode.

Note: Access to the command prompt of the device may take five-to-10 minutes of boot time,
depending on the device type.

For platform-specific instructions and the GRUB version of your platform, refer to one of the following
articles:

Note: For information about determining the GRUB version, refer to K14658: Determining the GRUB
bootloader version on the BIG-IP, BIG-IQ, or Enterprise Manager system.

For platforms using GRUB2, refer to K14662: Restarting the BIG-IP system in single-user mode
(GRUB2)
For platforms using GRUB 0.97, refer to K4178: Restarting the BIG-IP system in single-user
mode (GRUB 0.97)
For Virtual Clustered Multiprocessing (vCMP) guests, refer to K14581: Resetting a lost or
forgotten administrative account password on a vCMP guest

Note: Some attempts at booting to single-user mode result in a forced FSCK and asking for the
password. K14662 states that you can skip the file system check by appending the words single
fastboot instead of single.

2. Enter the following commands:

mount -a

passwd root

3. When prompted, enter a new password.

4. Enter exit or reboot to return to the normal operating mode.

After the system restarts, you should be able to log in using the new password.

Supplemental Information

K12304: The TACACS+ secret key must not contain the number sign (#)
 K15497: Configuring a secure password policy for the BIG-IP system (11.x - 15.x)
Traffic Management Shell (tmsh) Reference Guide

Note: For information about how to locate F5 product manuals, refer to K98133564: Tips for
searching AskF5 and finding product documentation.

Applies to:

Product: BIG-IQ
6.X.X, 5.4.X

Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP GTM, BIG-IP
Link Controller, BIG-IP LTM, BIG-IP PEM
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X

Product: Legacy Products, BIG-IP WebAccelerator, BIG-IP WOM, BIG-IP PSM, BIG-IP Edge Gateway
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X