ESX 4.1 and ESXi 4.1 root passwords are authenticated up to only 8 characters
Article ID: 341341

Products

VMware vSphere ESXi

Issue/Introduction

When you set a password in ESX/ESXi 4.1, the pam_passwdqc plug-in parameter max=nn sets the maximum length allowed for a password. The intended behavior is:
  • For all max values except 8, proposed passwords that exceed the given max value length are not accepted.
  • For the special value max=8, proposed passwords longer than 8 characters are not rejected, but passwords are truncated to 8 characters. After the password has been accepted and changed, a password submitted for authentication will also be truncated to 8 characters.
By default, no max value is configured for ESX/ESXi 4.1, so the plug-in's built-in default of 40 applies, and 40 should be the operational maximum for password submission. With the default configuration, passwords should not be truncated, either when they are set or when they are checked at login.

In ESX/ESXi 4.1, the 40-character maximum is enforced only at the moment a new password is accepted by the pam_passwdqc plug-in. The password is then stored by pam_unix with the traditional DES-based crypt, which uses only the first 8 characters of the password (this is the behavior the md5 option in the workaround below replaces). Authentication therefore behaves as if max were 8: any password whose first 8 characters match the stored password is accepted, and the remaining characters add no strength. In practice a long root password offers only the security of an 8-character one.

Environment

VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware ESX 4.1.x

Resolution

This issue is fixed with VMware ESX 4.1 Patch ESX410-201010414-SG for ESX systems and VMware ESXi 4.1 Patch ESXi410-201010401-SG for ESXi systems.
If you cannot apply the patch to the ESX/ESXi systems, use the following workaround.

Note: The /etc/security/login.map file contains the authentication rules for ESX/ESXi to follow. Refer to this file to determine which file to edit in the workaround. For example, the file might contain the following rules:

vpxuser : system-auth-local
* : system-auth

In this case, vpxuser is authenticated by the rules in system-auth-local and all other users by the rules in system-auth, so edit the file that applies to the account you are fixing (for root, system-auth). If login.map has no more specific rule for an account, or the file is absent, system-auth is typically the file in use.
  • Workaround for ESX:

    Add md5 to the file /etc/pam.d/system-auth.
    1. Log in to the service console and acquire root privileges.
    2. Change to the directory /etc/pam.d/.
    3. Use a text editor to open the file system-auth.
    4. Add md5 to the following line, as shown:
      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

      Optionally, you can use this sed command to accomplish this:
      sed -e '/password.*pam_unix.so/s/$/ md5/' -i /etc/pam.d/system-auth

    5. Reset the root password, and the password of any other local account that must not be truncated. Changing the PAM configuration does not rehash existing entries: until a password is changed, its stored hash is still the DES one and ESX checks only its first 8 characters.
  • Workaround For ESXi:

    Add md5 to the file /etc/pam.d/system-auth.
    1. Access Tech Support Mode. For more information, see Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (KB 1017910).
    2. Change to the directory /etc/pam.d/.
    3. Use a text editor to open the file system-auth.
    4. Add md5 to the following line, as shown:

      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

    5. (Optional) To make the change persist across ESXi restarts, where the edit to system-auth would otherwise be lost, add the following line to the file /etc/rc.local. It appends md5 only when the pam_unix password line does not already carry it, so it is safe to run on every boot:

      sed -e '/password.*pam_unix.so/{/ md5/!s/$/ md5/;}' -i /etc/pam.d/system-auth

      Do not guard the command with a second sed expression that exits with q when md5 is already present: with -i, q stops copying the input, and the file would be truncated after the matching line.

    6. Reset the root password, and the password of any other local account that must not be truncated. Changing the PAM configuration does not rehash existing entries: until a password is changed, its stored hash is still the DES one and ESXi checks only its first 8 characters.
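The following shell script is an added example and is not part of the VMware article or of any VMware tooling. It bundles the checks behind the Issue/Introduction and both workarounds: it classifies the hash stored for an account (a 13-character hash with no "$" prefix is traditional DES crypt, which is what truncates the password at 8 characters; "$1$" is MD5 crypt, which the md5 option to pam_unix selects), tests whether the pam_unix password line carries md5, and applies the md5 option idempotently so the same command can run from /etc/rc.local. File paths are passed as arguments so it can be tried on copies; on a host they would be /etc/pam.d/system-auth (or system-auth-local, per login.map) and /etc/shadow. The function names are my own, and the sample files and hash strings in the demo are constructed for the demonstration, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the VMware article. Audits and fixes the
# DES-crypt truncation: a shadow hash of 13 characters with no "$" prefix is
# traditional DES crypt (only the first 8 password characters are used);
# "$1$" marks MD5 crypt, which is what the "md5" option to pam_unix selects.
# Paths are arguments so the script can be tried on copies; on a host they
# would be /etc/pam.d/system-auth (or system-auth-local, per login.map) and
# /etc/shadow.

# Print the hash type stored for one account: des, md5, sha, locked,
# no-entry or unknown.
hash_type() {   # usage: hash_type <shadow-file> <user>
    h=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$h" in
        '')             echo no-entry ;;
        '$1$'*)         echo md5 ;;
        '$5$'*|'$6$'*)  echo sha ;;
        '!'*|'*'*)      echo locked ;;
        *)  if [ "${#h}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Succeed if the pam_unix "password" line already carries the md5 option.
has_md5() {     # usage: has_md5 <pam-file>
    grep -q '^password.*pam_unix\.so.* md5' "$1"
}

# Append " md5" to the pam_unix password line only when it is missing, so
# the command is safe to run repeatedly, for example from /etc/rc.local.
add_md5() {     # usage: add_md5 <pam-file>
    sed -i -e '/^password.*pam_unix\.so/{/ md5/!s/$/ md5/;}' "$1"
}

# Report the state of the PAM file and of each named account. Returns 0 if
# nothing needs attention, 1 if md5 is missing or an account still has a
# DES hash (which stays in force until that password is reset).
audit() {       # usage: audit <pam-file> <shadow-file> <user>...
    pam=$1; shadow=$2; shift 2
    rc=0
    if has_md5 "$pam"; then echo "$pam: md5 present"
    else echo "$pam: md5 MISSING (DES crypt in use for new passwords)"; rc=1; fi
    for u in "$@"; do
        t=$(hash_type "$shadow" "$u")
        if [ "$t" = des ]; then
            echo "$u: DES hash, only the first 8 characters are checked; reset the password"
            rc=1
        else
            echo "$u: $t"
        fi
    done
    return $rc
}

# Demonstration on constructed copies (the hash strings are made up, not real).
demo() {
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
auth       required     /lib/security/$ISA/pam_unix.so
password   requisite    /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6
password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow
session    required     /lib/security/$ISA/pam_unix.so
EOF
    cat > "$d/shadow" <<'EOF'
root:abJnggxhB/yWI:14900:0:99999:7:::
vpxuser:$1$saltsalt$0XRuYzMj1vTPX9SOqzjEB/:14900:0:99999:7:::
EOF
    audit "$d/system-auth" "$d/shadow" root vpxuser || echo "-> action needed"
    add_md5 "$d/system-auth"
    add_md5 "$d/system-auth"              # second run changes nothing
    grep -n 'pam_unix' "$d/system-auth"   # all lines still present, md5 added once
    rm -rf "$d"
}

demo
```

Run `audit` once before and once after the fix and password reset: it returns 0 only when the pam_unix line carries md5 and no listed account still has a 13-character DES hash, which is the state the article's step "Reset the password" is meant to reach.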
