When you set a password in ESX/ESXi 4.1, the pam_passwdqc plug-in parameter
max=nn sets the maximum length allowed for a password. The intended behavior is:
- For all max values except 8, proposed passwords that exceed the given max value length are not accepted.
- For the special value max=8, proposed passwords longer than 8 characters are not rejected, but passwords are truncated to 8 characters. After the password has been accepted and changed, a password submitted for authentication will also be truncated to 8 characters.
By default, no
max value is configured for ESX/ESXi 4.1. The default
max value for the plug-in is 40. This should be the operational
max value for password submission. When the default configuration is used, passwords should not be truncated, either when setting them or when they are authenticated.
In ESX/ESXi 4.1, after a password is accepted by the pam_passwdqc plug-in, ESX/ESXi behaves as if the
max value is 8. When a new password is submitted, the default 40-character maximum is enforced. Thereafter, password authentication behaves as if the
max value is 8, and only the first 8 characters of the password are necessary for authentication.