When you installed your VMware ESXi hypervisor, you must have realized that the installer expected some complexity for the root account password.
While this is a good thing for the root account (which has full rights to your hypervisor), it can be a bit overkill or annoying in a test environment.

In this tutorial, you will see how to change and reduce complexity required by VMware ESXi for your users' passwords.
Thus, you will be able to create users with simpler passwords, since their rights will very often be limited.

1. Weak password detected
2. Change the complexity required for the password
   1. Understand how to change the password complexity check
   2. Change the complexity required for the password (in command line)
   3. Change the complexity required for the password (from the web interface)
3. Weak passwords accepted
4. Restore complexity required by default

1. Weak password detected

If you try to use a simple password (a dictionary word, a password that is too short, a password containing only lowercase letters, ...), VMware ESXi will refuse it and this error will appear :

Plain Text

Weak password : not enough different characters or classes.

As stated in the official VMware documentation, by default the password should :

• be at least 8 characters long
• have at least one lower case letter, one upper case letter, one number and one special character
• this must not be in the dictionary

2. Change the complexity required for the password

2.1. Understand how to change the password complexity check

In the documentation cited above, VMware tells you that ESXi uses the PAM module (pam_passwdqc) available on Linux to manage passwords (check their complexity, check them, ...) and that you should therefore refer to the manual for this module if you want more information.

This manual (or "man page") is available on several sites, including the Ubuntu one : Ubuntu Manpage: pam_passwdqc — Password quality-control PAM module.

On the page cited above, you will find a link to find detailed information about the configuration of the "passwdqc.conf" file affected by this PAM module (pam_passwdqc) : Ubuntu Manpage: passwdqc.conf — libpasswdqc configuration file.

Knowing that the default value is "retry=3 min=disabled,disabled,disabled,7,7", the page cited above will allow you to adapt this value to change the minimum complexity that you want to define on your hypervisor VMware ESXi for user passwords.

In accordance with the manual cited above, you can change the number of trials allowed by using the "retry=N" option.
By default, on VMware ESXi, this value is 3.

Plain Text

retry=3

For the minimum length that the password must have, you can define it according to the complexity used for it.
To do this, you must modify the option "min=N0,N1,N2,N3,N4".

With this option, you can specify the minimum length that the password must have :

• N0 : if it contains characters from a single character class (lower case letters, upper case letters, numbers, ...).
• N1 : same, but if this contains characters from 2 character classes.
• N2 : ditto, but for passphrases.
• N3 : same, but for 3 character classes.
• N4 : same, but for 4 character classes.

To accept passwords of at least 7 characters, while accepting weak passwords (which would contain at least one character class, for example), configure this option like this :

Plain Text

min=7,7,7,7,7

2.2. Change the complexity required for the password (in command line)

Now that you know which value to use, here's how to change the default value from the command line on your VMware ESXi hypervisor.

Enable the SSH server of your VMware ESXi hypervisor, and then log in as root on it.
Then, save the original configuration file by making a copy of it.

Bash

cp /etc/pam.d/passwd /etc/pam.d/passwd.bak

Edit this file with "vi".

Bash

vi /etc/pam.d/passwd

In this file, you will find several lines, one of which looks like this.
This indicates that the user has the right to 3 tries and that passwords using only 1 or 2 character classes or being passphrases are refused by default.
For passwords using at least 3 character classes, the minimum length is 7 characters.

Plain Text

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7

Edit this line by adapting the desired values as explained in the previous step.
For this tutorial, we will accept all passwords of at least 7 characters, including if it's a passphrase.

Plain Text

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=7,7,7,7,7

Source : ESX and ESXi 4.x or higher requirements and restrictions (1012033)

2.3. Change the complexity required for the password (from the web interface)

On VMware ESXi 6.7, it's also possible to change this value directly from the web interface (VMware Host Client) of your VMware ESXi hypervisor.
To do this, go to : Host -> Manage -> System -> Advanced settings.

As you can see, VMware ESXi has a thousand advanced settings.

To change the complexity required for passwords, you will need to change the advanced setting named "Security.PasswordQualityControl".
To find it easily, enter "quality" in the search box available at the top right of the table.
Then, select this "Security.PasswordQualityControl" setting and click on : Edit option.

As you can see, once this setting is selected, VMware ESXi will tell you that this is a password quality control setting and that it's raw options for the pma_passwdqc PAM module and that this value will be used as is in the PAM configuration file.

Enter the desired value in the box and click Save.

The "Successfully changed Security.PasswordQualityControl" message appears.

As you can see, the value used is now "retry=3 min=7,7,7,7,7" (in our case) and the default is "retry=3 min=disabled,disabled,disabled,7,7".

3. Weak passwords accepted

Now that you have adjusted the complexity required by VMware ESXi for passwords, try again to add the desired user via the "Host -> Manage -> Security & users -> Users" menu.

Specify a username and the desired password (so that it respects the new desired complexity) and click on : Add.

The desired user has been added.

4. Restore complexity required by default

To restore the value configured by default on VMware ESXi, go to "Host -> Manage -> System -> Advanced settings" and enter "quality" in the search box at the top right of the table.
Then, select the "Security.PasswordQualityControl" advanced setting modified previously and click on : Actions -> Reset to default.

Then, this message will appear : Successfully reset Security.PasswordQualityControl to default value retry=3 min=disabled,disabled,disabled,7,7.