VMware vSphere

  • 1.  Configuring password complexity

    Posted Aug 10, 2010 08:31 PM

    Ladies and gentlemen,

    I have been researching the password controls for the ESXi 4 server and have not been able to find a way to achieve what is required by my client.

    The password policy states that user passwords on the ESXi operating system must meet the following requirements:

    - have at least 14 characters
    - have at least 2 upper case and 2 lower case characters
    - have at least 2 numeric characters
    - have at least 2 special characters

    I know that I can dictate the length of the password from the common-password file with but I'm not certain how to do the rest. I haven't been able to find anything on the forums. Maybe it cannot be done? Perhaps someone can give me some guidance?

    Thanks in advance for any help and let me know if you need any additional information.

    Adam



  • 2.  RE: Configuring password complexity

    Broadcom Employee
    Posted Aug 10, 2010 08:42 PM

    Have you taken a look at this VMware KB? http://kb.vmware.com/kb/1012033

    =========================================================================

    William Lam

    VMware vExpert 2009,2010




  • 3.  RE: Configuring password complexity

    Posted Aug 11, 2010 01:37 PM

    @William

    I have looked at configuring pam_passwdqc but that only allows me to set the minimum length and to require at least 1 of each class. That's what I've implemented on the servers so far, but the requirement is to enforce at least 2 of each character class. I know when you work with pam_cracklib that you can enforce the number of required characters from each class but I haven't found a way to do it with pam_passwdqc.

    @David

    I was afraid of that. Do you know of any documentation that states this? I'd like to cite that in the documentation I provide the client.

    Thanks to both of you for your help!

    Adam



  • 4.  RE: Configuring password complexity

    Posted Aug 10, 2010 11:02 PM

    You can specify those things with cracklib but ESXi doesn't have it. I believe you are limited to specifying the minimum number of characters in the different complexity classes. The best you can do is use "disabled" for the lesser classes and the minimum value for the others. That would only specify that one character be required from each of the 3 or 4 classes.

    pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14

    would require a minimum password of 14 characters with at least one character from the 4 classes.



  • 5.  RE: Configuring password complexity

    Posted Aug 11, 2010 09:51 AM

    Also watch out for a bug in 4.1 where you could end up entering a 14-character password but only the first 8 characters are actually saved and used for authentication.

    http://kb.vmware.com/kb/1024500
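
The gap discussed in this thread, as an added example that is not from any of the posters or from VMware: it parses the `min=` option of the `pam_passwdqc.so` line quoted above and compares what that setting accepts with the client policy from the first post. The acceptance check is a simplified model and an assumption of this example: it only picks the minimum length by number of character classes present, and ignores passphrases (N2), dictionary and similarity checks, and passwdqc's rule of not counting a leading uppercase letter or a trailing digit. The sample passwords are constructed.

```python
import re

# Client policy quoted in the first post: minimum length and per-class counts.
POLICY = {"length": 14, "upper": 2, "lower": 2, "digit": 2, "special": 2}
# Setting quoted in the thread.
PAM_LINE = "pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14"

def parse_passwdqc_min(pam_line):
    """Return the five min= values (N0..N4); None stands for 'disabled'."""
    match = re.search(r"\bmin=(\S+)", pam_line)
    if match is None:
        raise ValueError("no min= option found")
    fields = match.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= expects five comma-separated values")
    return [None if f == "disabled" else int(f) for f in fields]

def class_counts(password):
    """Count characters per class; anything not an ASCII letter or digit is 'special'."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts

def passwdqc_accepts(mins, password):
    """Simplified model (assumption): minimum length chosen by classes present."""
    classes = sum(1 for n in class_counts(password).values() if n)
    required = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}.get(classes)
    return required is not None and len(password) >= required

def policy_gaps(password):
    """List the client requirements the password does not meet."""
    counts = dict(class_counts(password), length=len(password))
    return [name for name, need in POLICY.items() if counts[name] < need]

WEAK = "summer-Vaca7tion"    # constructed sample: four classes, one of each
STRONG = "qT7#mLx2$vRk9bnW"  # constructed sample: meets the client policy
if __name__ == "__main__":
    mins = parse_passwdqc_min(PAM_LINE)
    for pw in (WEAK, STRONG):
        print(pw, passwdqc_accepts(mins, pw), policy_gaps(pw))
```

A check like `policy_gaps` would have to run wherever passwords are provisioned, since the PAM setting alone cannot express the per-class counts.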