A valid password requires a mix of upper and lower case letters, digits, and other characters. You can use a 7-character long password with characters from at least three of these four classes, or a 6-character long password containing characters from all the classes. A password that begins with an upper case letter and ends with a numerical digit does not count towards the number of character classes used. It is recommended that the password does not contain the username.
A passphrase requires at least 3 words, can be 8 to 40 characters long, and must contain enough different characters.
Notes:
The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround.
vpxuser : system-auth-local
* : system-auth-generic
Use system-auth-local to authenticate vpxuser. Use system-auth-generic to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically lists system-auth.
Caution: Modifying password restrictions may reduce the security of your VMware environment.
pam_passwdqc.so. For additional information about this module and the different syntax, see the pam_passwdqc man page.
To disable the restriction:
Open the /etc/pam.d/system-auth-generic file. Run the command:
vi /etc/pam.d/system-auth-generic
password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0
password required pam_cracklib.so try_first_pass retry=3
VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check password strength. By default, it uses these parameters:
pam_passwdqc.so retry=3 min=8,8,8,7,6
To modify these settings on an ESX/ESXi 4.1.x host:
Open the /etc/pam.d/system-auth file using a text editor. For example, to open the file using a vi editor, run this command:
vi /etc/pam.d/system-auth
Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and the different syntax, see the pam_passwdqc man page.
/etc/pam.d/system-auth file:
chmod +t /etc/pam.d/system-auth
To modify these settings on an ESXi 5.x (including ESXi 5.0, 5.1 and 5.5) host:
/etc/pam.d/passwd file.
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
retry=3: A user is allowed 3 attempts to enter a sufficient password.
N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware
N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345
N2=8: Passphrases must contain words that are each at least eight characters long. For example: software
N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123
N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!
Example:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=12,10,8,8,7
Note: To force a specific password complexity and disable all others, replace the number with the word disabled. For example, to force passwords containing characters from all four character classes:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,7
For more information, see Password Requirements.
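The following Python sketch is an added example, not code from VMware or from pam_passwdqc. It models only the length-per-class rule and the leading-capital/trailing-digit rule described above, so the effect of a min= value, including min=0,0,0,0,0, can be checked before editing the PAM file. Passphrases (N2), retry, similar and match are not modelled, and the function names are hypothetical.

```python
import string

# Class count -> position in min=N0,N1,N2,N3,N4. N2 (passphrases) is not modelled.
MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}

def parse_min(value):
    """Parse 'N0,N1,N2,N3,N4'; the word 'disabled' becomes None."""
    parts = value.split(",")
    if len(parts) != 5:
        raise ValueError("min= takes five comma-separated values")
    return [None if p == "disabled" else int(p) for p in parts]

def count_classes(password):
    """Count classes used, skipping a leading upper case letter and a trailing digit."""
    body = password
    if body and body[0] in string.ascii_uppercase:
        body = body[1:]
    if body and body[-1] in string.digits:
        body = body[:-1]
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    used = sum(any(c in cls for c in body) for cls in classes)
    # Anything outside the three sets above is the fourth class, "other characters".
    if any(c not in string.ascii_letters + string.digits for c in body):
        used += 1
    return used

def accepted(password, min_value):
    """True if the password is long enough for the number of classes it uses."""
    mins = parse_min(min_value)
    used = count_classes(password)
    if used == 0:
        return False  # nothing countable is left (assumption of this model)
    limit = mins[MIN_INDEX[used]]
    return limit is not None and len(password) >= limit

if __name__ == "__main__":
    # Constructed inputs: the article's four examples plus two extra passwords.
    samples = ["charsoftware", "chars12345", "CHars123", "CHars1!", "Password1", "a"]
    for policy in ("12,10,8,8,7", "disabled,disabled,disabled,disabled,7", "0,0,0,0,0"):
        for pw in samples:
            print(f"min={policy:<40} {pw:<13} {'accept' if accepted(pw, policy) else 'reject'}")
```

In this model, Password1 counts as a single-class password because its leading capital and trailing digit are ignored, so it is rejected under min=12,10,8,8,7, while min=0,0,0,0,0 accepts even a one-character password.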