VMware ESXi password requirements and restrictions
search cancel

VMware ESXi password requirements and restrictions

book

Article ID: 307368

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article provides information about VMware ESX and ESXi 4.x or higher password requirements and restrictions.

Symptoms:
  • You are unable to set a password in ESX or ESXi 4.x or 5.x.
  • You see these VMware vSphere Client errors:
     
    • A general system error occurred: passwd: Authentication token manipulation error
    • An internal error has occurred, and the wizard is unable to store the Administrator password securely. The customization cannot proceed. Please contact VMware technical support for more information.
       
  • You see this console error:

    Weak password: not enough different characters or classes for this length.
    passwd: Authentication token manipulation error

Environment

VMware vSphere ESXi 5.0
VMware ESXi 4.0.x Installable
VMware ESX 4.0.x
VMware vSphere ESXi 5.5
VMware ESX 4.1.x
VMware ESXi 4.1.x Installable
VMware vSphere ESXi 5.1
VMware vSphere ESXi 6.0
VMware vCenter Server 6.0.x
VMware ESXi 4.1.x Embedded
VMware ESXi 4.0.x Embedded

Cause

This issue may occur if a password is invalid.

Resolution

A valid password requires a mix of upper and lower case letters, digits, and other characters. You can use a 7-character long password with characters from at least three of these four classes, or a 6-character long password containing characters from all the classes. A password that begins with an upper case letter and ends with a numerical digit does not count towards the number of character classes used. It is recommended that the password does not contain the username.

A passphrase requires at least 3 words, can be 8 to 40 characters long, and must contain enough different characters.

Notes:

  • vCenter Server 4.0 can handle up to 26-character passwords.
  • In ESXi 4.x or higher, the password cannot contain the words admin, root, or administrator in any form including any sub-strings of these words.
  • The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround.

    Example: The file might contain these rules:

    vpxuser : system-auth-local
    * : system-auth-generic

    In this case, use system-auth-local to authenticate vpxuser. Use system-auth-generic to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically lists system-auth.

Caution: Modifying password restrictions may reduce the security of your VMware environment.

ESX 4.0

VMware ESX 4.x uses the pam module pam_passwdqc.so. For additional information about this module and the different syntax, see the pam_passwdqc man page.
 
Note: The preceding link was correct as of January 31, 2012 If you find the link is broken, provide feedback and a VMware employee will update the link.

To disable the restriction:

  1. Modify the /etc/pam.d/system-auth-generic file. Run the command:

    vi /etc/pam.d/system-auth-generic
     
  2. Change the line:

    password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0

    to:

    password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0

    or

    password required pam_cracklib.so try_first_pass retry=3
     
  3. Save the changes and change the password.

ESXi 4.0 and ESXi/ESX 4.1

VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check for the password strength. By default, it uses these parameters:

pam_passwdqc.so retry=3 min=8,8,8,7,6

To modify these settings on an ESX/ESXi 4.1.x host:

  1. Connect to the host using SSH. For ESXi hosts, you must enable Tech Support Mode. 
     
  2. Open the /etc/pam.d/system-auth file using a text editor. For example, to open the file using a vi editor, run this command:

    vi /etc/pam.d/system-auth
     
  3. Change this line:

    password requisite /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6

    Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and the different syntax, see the pam_passwdqc man page.
     
  4. Save the changes and change the password.
Note: To ensure that changes to the file persist upon reboot, run this command before making edits to the /etc/pam.d/system-auth file:
 
chmod +t /etc/pam.d/system-auth
 

ESXi 5.x

To modify these settings on an ESXi 5.x (including ESXi 5.0, 5.1 and 5.5) host:

  1. Enable technical support mode. 
  2. Modify /etc/pam.d/passwd file.

    vi /etc/pam.d/passwd
     
  3. In the file, find this line:

    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
    password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4


    Note: min=8,8,8,7,6 maps to min=N0,N1,N2,N3,N4 in the proceeding step. For more information, see pam_passwdgc man page.
     
  4. Using these switches, make your required changes and save the file:
     
    • retry=3: A user is allowed 3 attempts to enter a sufficient password.
    • N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware
    • N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345
    • N2=8: Passphrases must contain words that are each at least eight characters long. For example: software
    • N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123
    • N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!
Example: password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min= 12,10,8,8,7
 
Note: To force a specific password complexity and disable all others, replace the number with the word with disabled. For example,to force passwords containing characters from all four character classes:

password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min= disabled,disabled,disabled,disabled,7

For more information, see Password Requirements.
ESXi 6.0:
 
To change the password complexity of ESXi local user:
 
For example:
 
Customer wanted to force a particular password to create a local user in ESXi with the credentials
 
User name : UserName
Password : !P@ssWord!
 
To make these settings on an ESXi 6.0 host, modify /etc/pam.d/passwd file:
  1. Take a backup /etc/pam.d/passwd file.
  2. Edit it to

    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=0,0,0,0,0
  3. Create the user and password.
Note: ​Alternatively, you can change the Security.PasswordQuality Control from the Advanced option on the GUI. For more information, see ESXi Passwords and Account Lockout.

Additional Information

For more information on the PAM module and ESX login issues, see: