Max password length problem?


  • 1.  Max password length problem?

    Posted Jul 10, 2010 07:51 PM

    Why can't I set a password of the form AA#Abbbb#? A is a capital letter, b is a lowercase letter, # is a digit. Note this is nine chars in length.

    I also couldn't set it to AAA#Abbbb#. This one is 10 chars in length.

    I can set one like Abbb#Abb. This one is 8 chars in length.

    Is there a maximum password length, and if so how do I change the system to allow decent length passwords?

    On my ESXi 3 (or 3.5) I had set one to the first form above, but on my new ESXi 4 I can't do this.

    What gives?

    -g g



  • 2.  RE: Max password length problem?

    Posted Jul 10, 2010 08:08 PM

    I don't have a test system at the moment, so I can't try what you see.

    Maybe you want to take a look at "/etc/pam.d/common-password" and check the settings.

    for details read http://www.vm-help.com/esx40i/password_complexity.php

    André



  • 3.  RE: Max password length problem?

    Posted Jul 10, 2010 08:10 PM


  • 4.  RE: Max password length problem?

    Posted Jul 10, 2010 09:25 PM

    Yeah, I've visited those, and as far as I can tell, my complexity meets the requirements. In fact, it more than meets the requirements. Note that the third example, which is less complex does sign in.

    Those articles talk about minimums. I'm wondering about a maximum.

    Eight characters is WAAAAAAYYYY too short.

    -g g



  • 5.  RE: Max password length problem?

    Posted Jul 14, 2010 08:46 PM

    ya mean nobody knows?

    Maybe that's why I can't find doodle-squat on the internet.

    -g



  • 6.  RE: Max password length problem?

    Posted Jul 14, 2010 08:54 PM

    What's wrong with the KB article that Troy posted? It clearly shows maximums and describes changes you can make to pam configuration.



  • 7.  RE: Max password length problem?

    Posted Jul 14, 2010 09:31 PM

    Well, just to be sure I revisited the link shown by Troy @ 3:

    "see here too

    http://kb.vmware.com/kb/1012033 "

    And I still didn't see anything in it about maximums. I even reviewed the link from the reply @ 2.

    I don't see anything about maximums in either of them. Could you, perhaps, paste the relevant parts into this topic since I can't seem to find it?

    I see plenty about minimums, and even how to reduce the complexity, but I don't see anything about why a 10 character password (or longer) with 2 digits and 4 uppercase characters (leaving 4 lowercase characters) won't be accepted.

    Perhaps I'm too stupid, but I just don't see it.

    -g



  • 8.  RE: Max password length problem?

    Posted Jul 14, 2010 09:47 PM

    My password varies between 21 and 24 characters. The KB article lists 26 as being the max for vCenter and a passphrase max of 40 characters. You have access to the pam configuration so you can make any modification you like. You can create certificates. I know Veeam uses a one time password scheme for fastscp so I guess you could add that if you wanted.



  • 9.  RE: Max password length problem?

    Posted Jul 15, 2010 05:40 PM

    Humm,

    I wonder if the problem is because the id I'm trying to change is 'root' (as in uid=0)? Is there something I need to restart after I make the edits?

    What I did was this: Using the instructions referenced in @3 above

    I edited: /etc/pam.d # vi common-password

    changed

    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6

    to

    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 max=20

    And saved: :wq

    Using vSphere Users & Groups, I then created a test user and was able to give it the longer password. I then tried to change the root password and got the same error message: "A general system error occurred: passwd: Authentication token manipulation error passwd:"

    So I went back into common-password, removed the edit

    and created another test user. It also took the longer password. Either I need to restart something or root has different password requirements or i-don't-have-any-idea.

    BTW, I don't have vCenter, only ESXi 4

    -greg



  • 10.  RE: Max password length problem?

    Posted Jul 15, 2010 05:47 PM

    Max just means don't accept a password longer than 20 characters. Is this ESXi 4 or ESXi 4.1? If this is 4.1 then there is a problem.



  • 11.  RE: Max password length problem?

    Posted Jul 15, 2010 06:05 PM

    ESXi 4u1 & later

    I'm pretty sure the box I just built (2-3 days ago) is 4u2.

    I ran the stand-alone updater and ran in all of the patches and the build # on both boxes here shows 261974

    Another of my boxes with the same problem is Build # 208167

    I no longer have a 3.5 system of any type. The one box that started as 3.5 allowed me to put in a longer pw when I set it up. I haven't tried to change that one. None of my scratch installed v4 boxes (all u1 or later) allowed me to put in the longer password.

    -g



  • 12.  RE: Max password length problem?

    Posted Jul 17, 2010 07:06 PM

    So, what is this problem with 4.1? Do you have any links about it?

    -g



  • 13.  RE: Max password length problem?

    Broadcom Employee
    Posted Jul 17, 2010 07:16 PM

    I wrote an article regarding the current issue with ESXi 4.1 password - http://www.virtuallyghetto.com/2010/07/esxi-41-major-security-issue.html

    =========================================================================

    William Lam

    VMware vExpert 2009,2010

    Twitter: @lamw




  • 14.  RE: Max password length problem?

    Posted Jul 17, 2010 10:29 PM

    This has been talked about in great detail already as being a PAM issue. I am hoping to see a hot fix for this sooner rather than later.



  • 15.  RE: Max password length problem?

    Posted Jul 17, 2010 11:16 PM

    OK,

    I found the problem. Was not a complexity problem, was a dictionary problem.

    I was scrounging google and ran across a post where they were complaining the password that they had been using was no longer good on v4 and that the problem was that there was a word that was apparently recognized by something in the validation causing a reject. If they put in nonsense, but following the same pattern, their password worked. And it only affected the root password.

    So, I just attempted to change my root password using the same pattern (the 10 char one) and it worked. So, the problem wasn't complexity, it was that a dictionary validation got snuck in between versions that I was unaware of.

    Where might this dictionary check be located?

    And to be clear, since I wasn't until lamw's excellent post, I am on 4.0, update 1 and update 2 (depending on machine). I do not have 4.1. I think I'll wait on that until the length problem is fixed.

    Thank each and every one of you that have helped on this. It was driving me crazy!!

    -greg
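
Added example, not part of the thread or of VMware's or passwdqc's code: a simplified Python model of the `min=`/`max=` rule on the `pam_passwdqc` line quoted in post 9, run over constructed non-word passwords that follow the patterns from post 1. The function names are made up for illustration, the passphrase (N2) and word checks are left out, and 40 is an assumed fallback when `max=` is absent.

```python
# Line quoted in post 9 (ESXi 4, /etc/pam.d/common-password).
PAM_LINE = ("password requisite /lib/security/$ISA/pam_passwdqc.so "
            "retry=3 min=8,8,8,7,6 max=20")

def parse_passwdqc(line):
    """Return ([N0, N1, N2, N3, N4], max) from a pam_passwdqc line."""
    opts = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    mins = [None if v == "disabled" else int(v)
            for v in opts["min"].split(",")]
    if len(mins) != 5:
        raise ValueError("min= takes five comma-separated values")
    # Assumption: 40 stands in for the module default when max= is absent.
    return mins, int(opts.get("max", 40))

def char_classes(pw):
    """Count character classes the way the min= rule does: a capital in
    first position and a digit in last position are not counted."""
    n = {"digit": 0, "lower": 0, "upper": 0, "other": 0}
    for c in pw:
        kind = ("digit" if c in "0123456789" else
                "lower" if "a" <= c <= "z" else
                "upper" if "A" <= c <= "Z" else "other")
        n[kind] += 1
    if pw and "A" <= pw[0] <= "Z":
        n["upper"] -= 1
    if pw and pw[-1] in "0123456789":
        n["digit"] -= 1
    return sum(1 for count in n.values() if count > 0)

def check(pw, mins, max_len):
    """Length/class verdict only; passphrase (N2) and word checks omitted."""
    if len(pw) > max_len:
        return "too long"
    slot = {1: 0, 2: 1, 3: 3, 4: 4}      # class count -> index into min=
    for k in range(char_classes(pw), 0, -1):
        need = mins[slot[k]]
        if need is not None and len(pw) >= need:
            return "ok"
    return "too simple"

if __name__ == "__main__":
    mins, max_len = parse_passwdqc(PAM_LINE)
    # Constructed non-word samples following the patterns in post 1.
    for pw in ("QX7Kzvpw3", "QXJ7Kzvpw3", "Kzvp7Qwx", "Kzvpqw7"):
        print(pw, len(pw), char_classes(pw), check(pw, mins, max_len))
```

All three patterns from post 1 clear the length and class rule in this model, which fits the finding in post 15 that the rejection was not a complexity problem. The fourth sample shows the edge case: a seven-character password with one leading capital and one trailing digit counts as a single class and falls under N0=8.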



  • 16.  RE: Max password length problem?

    Posted Jul 17, 2010 11:20 PM

    The correct answer wasn't directly given by anybody as I found it via google (Wish I could show the link, but I can't find it again). I document it in my reply for posterity. I gave helpful to the two that led me to search for the correct parameters, but nobody said that a dictionary validation was implemented somewhere between 3.5 and 4.0.

    Thank all of you again! I really appreciate it!

    How should I proceed to close this question/discussion?