ESXi 4.0 Password Complexity

Some have noticed that the password requirements for ESXi 4.0 logins have become more stringent. In some cases, it may be desirable to edit those settings to make the password standards for ESXi 4.0 either stronger or weaker. Password requirements for ESXi are controlled by the file /etc/pam.d/common-password. Changes to this file take effect immediately and do not require a reboot. The sticky bit for the file is enabled, so changes will be backed up into the system configuration backup file for the host. As this is not a supported change, caution is advised and a system backup is recommended before making changes.

By default the common-password file contains the following text; it is the min option (min=a1,a2,a3,a4,a5) that controls password complexity.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

a1 is the minimum password length for passwords that contain one character class. The character classes are lower case characters, upper case characters, digits and other characters. a2 is the minimum length for passwords that contain 2 character classes. a3 is used for passphrases. a4 and a5 are the minimum lengths required when using 3 or 4 character classes respectively. It should be noted that the first and last character of the password do not count towards the character class count. So the password ‘Password’ has only 1 character class, while the password ‘PassWord’ has 2.

Note: each of the values a1 to a5 must be equal to or smaller than the prior value, so min=8,7,7,6,5 is valid, but min=7,8,9,8,7 is not. If min=7,8,9,8,7 were used, the error ‘User name or password has an invalid format’ would be generated even if you used a single class password with a length of 7 or more characters.

Sample changes to password complexity

1) To reduce the minimum password length to 6 characters, set min=6,6,6,6,6. As noted above, each of the values a1 to a5 must not be larger than the prior value.

2) To disable the use of one or two class passwords, set min=disabled,disabled,8,8,6. Note that with this setting a password of ‘Password1’ would not be valid, as the character class count would be only one (the leading ‘P’ and trailing ‘1’ are not counted). A password of ‘pAssw0rd’ would have a class count of 3 and thus be acceptable with a length of 8.

3) To turn off the enforcement of strong passwords, use the enforce option. Valid values for the option are none, users and everyone. So if the common-password file is changed to the text below, a single character password will be allowed regardless of the settings for the min option.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 enforce=none
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
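To make the min= rules above concrete, here is a small checker written for this post (it is not VMware's or pam_passwdqc's code). It models the behaviour described above: the five min values are parsed and rejected when they increase left to right, the first and last characters are excluded from the class count, 'disabled' removes a class count entirely, and enforce=none accepts anything. The passphrase path (a3) is deliberately not modelled, and the class-counting rule is the post's simplified description rather than a reimplementation of pam_passwdqc, so treat results as an approximation of what the module does.

```python
from typing import List, Optional, Tuple


def parse_min(value: str) -> List[Optional[int]]:
    """Parse a min=a1,a2,a3,a4,a5 option string.

    Returns five entries: an int minimum length, or None for 'disabled'.
    Raises ValueError when the values increase left to right, which is the
    misconfiguration the post says produces 'invalid format' errors.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    mins: List[Optional[int]] = [None if p == "disabled" else int(p) for p in parts]

    # 'disabled' behaves like an infinitely large minimum, so it is only
    # allowed at the left of the list (e.g. min=disabled,disabled,8,8,6).
    prev = float("inf")
    for m in mins:
        cur = float("inf") if m is None else m
        if cur > prev:
            raise ValueError(f"min={value}: values must not increase left to right")
        prev = cur
    return mins


def count_classes(password: str) -> int:
    """Count character classes using the post's rule: the first and last
    characters do not count, so 'Password' has 1 class and 'PassWord' has 2."""
    inner = password[1:-1]
    classes = 0
    if any(c.islower() for c in inner):
        classes += 1
    if any(c.isupper() for c in inner):
        classes += 1
    if any(c.isdigit() for c in inner):
        classes += 1
    if any(not c.isalnum() for c in inner):
        classes += 1
    return classes


def check_password(password: str, min_option: str,
                   enforce: str = "everyone") -> Tuple[bool, str]:
    """Decide whether a candidate password satisfies the min= policy.

    Maps class counts to the post's a1/a2/a4/a5 slots (a3, the passphrase
    length, is skipped in this simplified model).
    """
    mins = parse_min(min_option)  # validate the policy even when not enforced
    if enforce == "none":
        return True, "enforce=none: complexity is not enforced"

    # Very short passwords have no 'inner' characters; treat them as one class.
    classes = max(count_classes(password), 1)
    required = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}[classes]
    if required is None:
        return False, f"{classes}-class passwords are disabled by policy"
    if len(password) < required:
        return False, (f"{classes} class(es): need {required} characters, "
                       f"got {len(password)}")
    return True, f"{classes} class(es): length {len(password)} >= {required}"


if __name__ == "__main__":
    # Constructed sample candidates that mirror the examples in the post.
    for pw, policy in [("Password", "8,8,8,7,6"),
                       ("Password1", "disabled,disabled,8,8,6"),
                       ("pAssw0rd", "disabled,disabled,8,8,6")]:
        ok, why = check_password(pw, policy)
        print(f"{pw!r} under min={policy}: {'OK' if ok else 'REJECTED'} ({why})")
```

Running the module as a script prints a verdict for each of the post's sample passwords; the functions can also be imported to test a proposed min= string before editing common-password on a host.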
