I have recently needed to reset lost padmin VIOS password. With hscroot access on the HMC, this is possible without any downtime. I'll explain to you how.
First of all, I came across this link (https://www.ibm.com/developerworks/mydeveloperworks/blogs/brian/entry/reset_padmin_vio_password_from_the_hmc_with_zero_downtime13?lang=en) which unfortunately doesn't exist anymore, but I was able to recover the content from Wayback machine. The author is Brian Smith, who deserves credit for this great method. I had to make some little changes to the procedure due to security improvements on VIOS server from version 2.
Step 0:
(I got this from here: https://www.ibm.com/support/pages/hmc-viosvrcmd-fails-hscl2970)
Login to the HMC as hscroot and create a user with VIOS Task admin role.
mkaccfg -t taskrole -i "name=VIOS_Admin,parent=hmcsuperadmin,"resources=lpar:ViosAdminOp""
mkhmcusr -u viosadminuser -a VIOS_Admin --passwd vios-admin -M 3
Then, log in to the HMC as this viosadminuser.
From here, the procedure is the same as Brian Smith published in 2012, except you just need to add the "--admin" flag to each command (I already did it for you ;) ).
Step 1: Find the current padmin password hash. From the HMC, type (change "-m p520 -p vio1" to your managed system / VIO server names)
command=`printf "oem_setup_env\n cat /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command" --admin
Look for the padmin stanza and its password hash:
padmin:
password = TRl01MDd3QnVw
lastupdate = 1352950198
Step 2: Generate a new password hash. From a different AIX server that has openssh/openssl installed, type "openssl passwd" and type in the new password that you want to assign to the padmin account. Openssl will generate the password hash and display it on the screen.
# openssl passwd
Password:
Verifying - Password:
OSdD0E9SQYE.E
Step 3: Replace the VIO padmin's password hash with the new password hash from the HMC using viosvrcmd/perl. Use a command similiar to this from the HMC:
command=`printf "oem_setup_env\nperl -pi -e 's/<OLD_HASH>/<NEW_HASH>/' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command" --admin
In our example, it would be (make sure to change "-m p520 -p vio1" to your managed system / VIO names)
command=`printf "oem_setup_env\nperl -pi -e 's/TRl01MDd3QnVw/OSdD0E9SQYE.E/' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command" --admin
Step 4: Optionally reset padmin failed login count. If you need to reset the failed login count, run this command from the HMC: (make sure to change "-m p520 -p vio1" to your managed system / VIO names)
command=`printf "oem_setup_env\nchsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s padmin"`; viosvrcmd -m p520 -p vio1 -c "$command" --admin
Update 3/23/13 - If the old or new password hash has a slash in it ("/") then the perl line above needs to be changed.. Instead use a different delimiter such as a comma: command=`printf "oem_setup_env\nperl -pi -e 's,<OLD_HASH>,<NEW_HASH>,' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
Hope it helps.
------------------------------
Alejandro Rojas
------------------------------