• You are unable to set a password in ESX or ESXi 4.x or 5.x.
• You see these VMware vSphere Client errors:
   
  • A general system error occurred: passwd: Authentication token manipulation error
  • An internal error has occurred, and the wizard is unable to store the Administrator password securely. The customization cannot proceed. Please contact VMware technical support for more information.
     
• You see this console error:
  
  Weak password: not enough different characters or classes for this length.
  passwd: Authentication token manipulation error

A valid password requires a mix of upper and lower case letters, digits, and other characters. You can use a 7-character long password with characters from at least three of these four classes, or a 6-character long password containing characters from all the classes. A password that begins with an upper case letter and ends with a numerical digit does not count towards the number of character classes used. It is recommended that the password does not contain the username.

A passphrase requires at least 3 words, can be 8 to 40 characters long, and must contain enough different characters.

Notes:

• vCenter Server 4.0 can handle up to 26-character passwords.
• In ESXi 4.x or higher, the password cannot contain the words admin, root, or administrator in any form including any sub-strings of these words.
• The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround.
  
  Example: The file might contain these rules:
  
  vpxuser : system-auth-local
* : system-auth-generic
  
  In this case, use system-auth-local to authenticate vpxuser. Use system-auth-generic to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically lists system-auth.

Caution: Modifying password restrictions may reduce the security of your VMware environment.

ESX 4.0

To disable the restriction:

1. Modify the /etc/pam.d/system-auth-generic file. Run the command:
   
   vi /etc/pam.d/system-auth-generic
    
2. Change the line:
   
   password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
   
   to:
   
   password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0
   
   or
   
   password required pam_cracklib.so try_first_pass retry=3
    
3. Save the changes and change the password.

ESXi 4.0 and ESXi/ESX 4.1

VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check for the password strength. By default, it uses these parameters:

pam_passwdqc.so retry=3 min=8,8,8,7,6

To modify these settings on an ESX/ESXi 4.1.x host:

1. Connect to the host using SSH. For ESXi hosts, you must enable Tech Support Mode.
    

   For more information on Tech Support Mode, see:

   • Tech Support Mode for Emergency Support (1003677)
   • Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910)
      
2. Open the /etc/pam.d/system-auth file using a text editor. For example, to open the file using a vi editor, run this command:
   
   vi /etc/pam.d/system-auth
    
3. Change this line:
   
   password requisite /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6
   
   Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and the different syntax, see the pam_passwdqc man page.
    
4. Save the changes and change the password.

ESXi 5.x

To modify these settings on an ESXi 5.x (including ESXi 5.0, 5.1 and 5.5) host:

1. Enable technical support mode. For more information, see Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910).
2. Modify /etc/pam.d/passwd file.
   
   vi /etc/pam.d/passwd
    
3. In the file, find this line:
   
   password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
   
   Note: min=8,8,8,7,6 maps to min=N0,N1,N2,N3,N4 in the proceeding step. For more information, see pam_passwdgc man page.
    
4. Using these switches, make your required changes and save the file:
    
   • retry=3: A user is allowed 3 attempts to enter a sufficient password.
   • N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware
   • N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345
   • N2=8: Passphrases must contain words that are each at least eight characters long. For example: software
   • N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123
   • N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!

Example: password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min= 12,10,8,8,7

 

Note: To force a specific password complexity and disable all others, replace the number with the word with disabled. For example,to force passwords containing characters from all four character classes:

password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min= disabled,disabled,disabled,disabled,7

For more information, see Password Requirements.

 

1. Take a backup /etc/pam.d/passwd file.
2. Edit it to
   
   password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=0,0,0,0,0
   ​
3. Create the user and password.