How to change the password complexity requirements for the root account in Photon OS for the vCenter Server Appliance
search cancel

How to change the password complexity requirements for the root account in Photon OS for the vCenter Server Appliance

book

Article ID: 307292

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article provides steps that can be used to change the requirements for password complexity when setting a new password for the root account, beyond the default settings, e.g. if required by specific company security policies. 

 

Environment

VMware vCenter Server 8.0.x

Resolution

Note: Before taking any of the following steps, please ensure to create a snapshot or backup of the vCenter Server Appliance (VCSA). If the VCSA is a member of an Enhanced Linked Mode (ELM) replication, please be aware that offline snapshots (in powered off state) need to be created for all ELM nodes.

To edit the password complexity settings,

  1. Connect to the VCSA via SSH
  2. Login using the root account
  3. Take a backup of the file /etc/pam.d/system-password: 
    # cp -p /etc/applmgmt/appliance/system-password /etc/applmgmt/appliance/system-password-`date +%F_%H:%M:%S`.back
  4. Edit the file /etc/pam.d/system-password: 
    # vi /etc/applmgmt/appliance/system-password
  5. Find the following line: 
    password  requisite   pam_pwquality.so  dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
  6. Edit the parameters as required. See below for an explanation for each of these options: 
    minlen  = establishes a measure of complexity related to the password length
lcredit = sets the minimum number of required lowercase letters
ucredit = sets the minimum number of required uppercase letters
dcredit = sets the minimum number of required digits
ocredit = sets the minimum number of required other characters
difok   = sets the number of characters that must be different from those in the previous password
  7. Save and exit the VI editor: 
    :wq
  8. Execute the following command to restart the applmgmt service: 
    # service-control --restart applmgmt
  9. Use the following command to check the status of the applmgmt service:
    # service-control --status applmgmt

-----
sample)
root@vcsa [ / ]# service-control --status applmgmt
Running:
 applmgmt


  10. Verify that the settings are reflected by executing the following command.
    # cat /etc/pam.d/system-password
# cat /etc/applmgmt/appliance/system-password

Additional Information

Changing only the /etc/pam.d/system-password setting will not save the change.

The setting will revert to the default value if you restart, stop, and then start the vCenter Server, or restart the service.

japaneseKB:vCenter のユーザー アカウント パスワード ポリシーを構成する方法

NOTE: This change will not be reflected in the VAMI UI for versions earlier than 9.1.

 

Powered by Wolken Software