When you installed your VMware ESXi hypervisor, you must have realized that the installer expected some complexity for the root account password.
While this is a good thing for the root account (which has full rights to your hypervisor), it can be a bit overkill or annoying in a test environment.
In this tutorial, you will see how to change and reduce the complexity required by VMware ESXi for your users' passwords.
Thus, you will be able to create users with simpler passwords, since their rights will very often be limited.
If you try to use a simple password (a dictionary word, a password that is too short, a password containing only lowercase letters, ...), VMware ESXi will refuse it and this error will appear:
Plain Text
Weak password : not enough different characters or classes.
As stated in the official VMware documentation, by default the password should :
In the documentation cited above, VMware states that ESXi uses the pam_passwdqc PAM module, available on Linux, to manage passwords (checking their complexity, validating them, ...) and that you should therefore refer to this module's manual if you want more information.
This manual (or "man page") is available on several sites, including the Ubuntu one: Ubuntu Manpage: pam_passwdqc — Password quality-control PAM module.
On the page cited above, you will find a link to detailed information about the configuration of the "passwdqc.conf" file used by this PAM module (pam_passwdqc): Ubuntu Manpage: passwdqc.conf — libpasswdqc configuration file.
Knowing that the default value is "retry=3 min=disabled,disabled,disabled,7,7", the page cited above will allow you to adapt this value to change the minimum complexity that you want to define on your hypervisor VMware ESXi for user passwords.
In accordance with the manual cited above, you can change the number of attempts allowed by using the "retry=N" option.
By default, on VMware ESXi, this value is 3.
Plain Text
retry=3
The minimum length that the password must have is defined according to the complexity of the password.
To do this, you must modify the option "min=N0,N1,N2,N3,N4".
With this option, you can specify the minimum length that the password must have :
To accept passwords of at least 7 characters, while also accepting weak passwords (which would contain at least one character class, for example), configure this option like this:
Plain Text
min=7,7,7,7,7
Now that you know which value to use, here's how to change the default value from the command line on your VMware ESXi hypervisor.
Enable the SSH server of your VMware ESXi hypervisor, and then log in as root on it.
Then, save the original configuration file by making a copy of it.
Bash
cp /etc/pam.d/passwd /etc/pam.d/passwd.bak
Edit this file with "vi".
Bash
vi /etc/pam.d/passwd
In this file, you will find several lines, one of which looks like this.
This indicates that the user has the right to 3 tries and that passwords using only 1 or 2 character classes or being passphrases are refused by default.
For passwords using at least 3 character classes, the minimum length is 7 characters.
Plain Text
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
Edit this line by adapting the desired values as explained in the previous step.
For this tutorial, we will accept all passwords of at least 7 characters, including passphrases.
Plain Text
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=7,7,7,7,7
Source : ESX and ESXi 4.x or higher requirements and restrictions (1012033)
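To check a host's PAM line against the default, here is an added example (not part of the original tutorial and not VMware code): a POSIX sh check that lists every "min=" field that is weaker than the default value quoted above. The function names are hypothetical, and the N0..N4 field labels follow the passwdqc.conf man page.

```sh
#!/bin/sh
# Added example: list the min= fields of a pam_passwdqc line that are weaker
# than the ESXi default. Function names are hypothetical.

BASELINE="disabled,disabled,disabled,7,7"   # default value quoted in this tutorial

# Print the value of the min= option found in a PAM line or raw option string.
pqc_min() {
    for tok in $1; do
        case "$tok" in min=*) echo "${tok#min=}"; return 0 ;; esac
    done
    return 1
}

# Turn a field into a comparable number; "disabled" outranks any length.
pqc_rank() {
    case "$1" in
        disabled) echo 100000 ;;
        ''|*[!0-9]*) return 1 ;;
        *) echo "$1" ;;
    esac
}

# Print one line per weakened field. Returns 0 = not weaker than the default,
# 1 = at least one field weaker, 2 = line could not be parsed.
pqc_audit() {
    min=$(pqc_min "$1") || { echo "no min= option found"; return 2; }
    weak=0; i=1
    # Field order N0..N4 as described in the passwdqc.conf man page.
    for name in one-class two-classes passphrase three-classes four-classes; do
        cur=$(echo "$min" | cut -s -d, -f"$i")
        base=$(echo "$BASELINE" | cut -s -d, -f"$i")
        c=$(pqc_rank "$cur") || { echo "bad field N$((i - 1)): '$cur'"; return 2; }
        b=$(pqc_rank "$base")
        if [ "$c" -lt "$b" ]; then
            echo "N$((i - 1)) $name: $cur (default: $base)"
            weak=1
        fi
        i=$((i + 1))
    done
    return "$weak"
}

# On a host: pqc_audit "$(grep pam_passwdqc /etc/pam.d/passwd)"
# Here, the modified line from this tutorial is used as sample input.
pqc_audit 'password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=7,7,7,7,7' \
    || echo "=> weaker than the ESXi default"
```

With the value used in this tutorial, the check reports N0, N1 and N2 as weakened, because those three password kinds are disabled by default.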
On VMware ESXi 6.7, it's also possible to change this value directly from the web interface (VMware Host Client) of your VMware ESXi hypervisor.
To do this, go to : Host -> Manage -> System -> Advanced settings.
As you can see, VMware ESXi has a thousand advanced settings.
To change the complexity required for passwords, you will need to change the advanced setting named "Security.PasswordQualityControl".
To find it easily, enter "quality" in the search box available at the top right of the table.
Then, select this "Security.PasswordQualityControl" setting and click on : Edit option.
As you can see, once this setting is selected, VMware ESXi tells you that this is a password quality control setting, that it contains the raw options for the pam_passwdqc PAM module, and that this value will be used as is in the PAM configuration file.
Enter the desired value in the box and click Save.
The "Successfully changed Security.PasswordQualityControl" message appears.
As you can see, the value used is now "retry=3 min=7,7,7,7,7" (in our case) and the default is "retry=3 min=disabled,disabled,disabled,7,7".
Now that you have adjusted the complexity required by VMware ESXi for passwords, try again to add the desired user via the "Host -> Manage -> Security & users -> Users" menu.
Specify a username and the desired password (so that it respects the new desired complexity) and click on : Add.
The desired user has been added.
To restore the value configured by default on VMware ESXi, go to "Host -> Manage -> System -> Advanced settings" and enter "quality" in the search box at the top right of the table.
Then, select the "Security.PasswordQualityControl" advanced setting modified previously and click on : Actions -> Reset to default.
Then, this message will appear : Successfully reset Security.PasswordQualityControl to default value retry=3 min=disabled,disabled,disabled,7,7.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.