If you're unfortunate enough to lose the root password on an AIX host, there is a way of recovering it. You can also recover the padmin password in VIOS if you've lost it. Basically, it's a matter of booting from AIX or VIOS installation media and stepping through the System Maintenance menus. When you do that, the boot file systems come from the installation media, and then you import the rootvg volume group which is on the original disks (the one with the unknown password). At that point you can run the passwd command or edit /etc/passwd.
No luxury, no necessity
This procedure requires a reboot, and if you don't have that luxury, you may find you don't have the necessity of changing root's password. There are several back doors (or alternatives) which may allow you to have the equivalent of root access or set the root password anew. Here are some of them:
- a second user (not called "root") but with the UID of 0 (this is a real loophole and it's one of the first things a security audit ought to find).
- ssh keys which allow you to log in as root from another host without the root password (another security exposure).
- sudo - which may let you run commands with a higher authority - even root authority - and you enter your own password, rather than root's.
- From AIX 6.1 the swrole command, which allows you to switch roles. This is part of Enhanced RBAC, which stands for Role Based Access Control.
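An audit for the first two items in the list above, as an added example rather than code from the original post: it reports accounts other than root that have UID 0 and counts the SSH public keys installed for every UID-0 account. It assumes the standard colon-separated passwd layout and OpenSSH's default ~/.ssh/authorized_keys location; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the standard passwd layout and OpenSSH's default key file location.

# Print every account whose UID is 0 but whose name is not "root".
extra_uid0_accounts() {
    # $1 = passwd file to inspect
    awk -F: '$1 !~ /^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "account:keyfile:count" for each UID-0 account that has SSH keys.
uid0_ssh_keys() {
    # $1 = passwd file, $2 = prefix for home directories ("" on a live host)
    awk -F: '$1 !~ /^#/ && $3 == 0 { print $1 ":" $6 }' "$1" |
    while IFS=: read -r name home; do
        # root's home on AIX is "/", so strip a trailing slash before joining.
        keyfile="$2${home%/}/.ssh/authorized_keys"
        [ -r "$keyfile" ] || continue
        # Count lines that are neither blank nor comments.
        count=$(grep -Ecv '^[[:space:]]*(#|$)' "$keyfile" || true)
        if [ "$count" -gt 0 ]; then echo "$name:$keyfile:$count"; fi
    done
}

# Constructed sample tree (not from a real host) so the audit runs offline.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/.ssh" "$d/home/svc/.ssh"
    cat > "$d/etc/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
svc:!:0:0:service account:/home/svc:/usr/bin/ksh
alice:!:205:1::/home/alice:/usr/bin/ksh
EOF
    printf '# jump host\nssh-ed25519 AAAA-constructed-key ops@jump\n' \
        > "$d/.ssh/authorized_keys"
    : > "$d/home/svc/.ssh/authorized_keys"   # present but empty: not reported
    echo "$d"
}

sample=$(build_sample)
extra_uid0_accounts "$sample/etc/passwd"
uid0_ssh_keys "$sample/etc/passwd" "$sample"
rm -rf "$sample"
```

On a live host the equivalent calls are `extra_uid0_accounts /etc/passwd` and `uid0_ssh_keys /etc/passwd ""`.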
Booting from media
If you are left with booting from media, in this virtualised world, that's not as easy as the old days when you had a dedicated tape drive, CD-ROM or DVD-ROM for your AIX system. Today the slot containing such a device is most likely not allocated to the LPAR (now known as virtual server) which needs a root password recovery.
You could allocate the I/O slot to the LPAR, that is the I/O slot containing the adapter which connects the DVD-ROM. You could do this using Dynamic LPAR or by shutting down the LPAR, assigning the slot to its profile as Desired or Required and activating the LPAR.
Other boot options
Other ways of booting are using the Virtual Media Library, using NIM, or booting off a mksysb backup.
The Virtual Media Library would be my preferred option, since it's simple and quick to set up. I like to have my AIX "media" in ISO format permanently loaded in the Virtual Media Library on the VIO server. This works for lost root passwords on AIX LPARs. Unfortunately, this virtual media library option is not possible if it's the VIOS padmin password you've lost as the VIO server can't be a client of another VIO server.
NIM is also a popular option (both for AIX LPARs and VIOS), and it allows you to boot off an Ethernet adapter (physical or virtual) which will see the boot device presented by NIM, if it's all set up correctly.
With both the Virtual Media Library and NIM you can use a mksysb backup or AIX installation "media" (although you're not using physical removable media such as a DVD).
I'm sure you could use virtual tape options or virtual CD-ROM without using the Virtual Media Library. You could do it this way if you had a bootable DVD (AIX installation media or a mksysb) allocated to a DVD-ROM which was owned by the VIO server. Then you could map that physical DVD to a VSCSI adapter on the VIO server and the client which had its password lost.
An unplanned outage is bad enough, but a planned one just because you had to recover a lost password can take some explaining. If you have a dual VIOS configuration and are confident that you can shut down / reboot one VIO server without too much fuss, you'll be glad about it. The AIX outage will depend on how critical the system is.
The root password recovery only really takes a couple of minutes (plus time to stop applications if you can, boot the LPAR and start apps again). Still, it's no fun having to arrange an outage at a busy time for a perfectly avoidable situation. It reminds me of G. K. Chesterton's response when he was asked what book he would take if he were to be stranded on a desert island. I don't recall what the book was, but he prefaced his answer with the observation that he'd rather not make the trip in the first place.
Update: perhaps my memory is failing me. I looked it up and it turns out that Chesterton's choice of book on the stranded island was Thomas' Guide to Practical Shipbuilding.