Password Policy for vSphere 6.0 Hosts

A complex password is the foremost requirement for any system that relies on a username and password alone (no smart card, RSA token or other second factor) for authentication. On Windows and Unix/Linux systems, administrators typically push complex-password requirements centrally through AD or LDAP policy.

A complex password reduces the chance that a guessing or brute-force attempt against your system succeeds, and vSphere is no different from any other system in this regard.

With the release of vSphere 6, VMware tightened the password policy and now enforces more complex passwords for ESXi hosts and SSO. The ESXi host enforces the password requirements for direct access from the DCUI, the ESXi Shell, SSH and the vSphere Web Client.

ESXi uses the pam_passwdqc.so PAM module to enforce the password rules. ESXi does not place complexity restrictions on the root account's password; non-root accounts are subject to the rules configured for pam_passwdqc.so.

In previous releases of vSphere, ESXi password complexity was changed by editing the /etc/pam.d/passwd file on each ESXi host. With vSphere 6.0 this is done instead by setting the Security.PasswordQualityControl option in the host's Advanced System Settings; the host writes that value into /etc/pam.d/passwd for you.

Password Policy with ESXi 6

When creating a password for an ESXi 6 host, the default policy applies the following complexity requirements:

  • Passwords must contain characters from at least three of the four character classes (lower-case letters, upper-case letters, digits and other characters).
  • Passwords containing characters from three character classes must be at least seven characters long.
  • Passwords containing characters from all four character classes must be at least seven characters long.
  • An upper-case letter that begins a password does not count toward the number of character classes used.
  • A digit that ends a password does not count toward the number of character classes used.
  • The password cannot contain a dictionary word or part of a dictionary word.

To change the required length and character-class requirements, modify the Security.PasswordQualityControl option on the ESXi host via the Web Client.

The default configuration on ESXi 6 is: retry=3 min=disabled,disabled,disabled,7,7


What does retry=3 min=disabled,disabled,disabled,7,7 actually mean?

It means that passwords with one or two character classes, and passphrases, are not allowed at all, as indicated by the first three disabled fields. Passwords built from three or four character classes must be at least seven characters long. The full description of the syntax is in the pam_passwdqc man page.

Let's break the string down into a form that is simpler to understand.

retry=3: the number of times the host will prompt for a new password if the user fails to provide one that meets the policy on the first attempt.

min=N0,N1,N2,N3,N4: this setting takes five positional values, each representing a different kind of password. The position reflects the character-class count of the password and the value is the minimum length required for that kind (or disabled, which rejects that kind outright):

  • N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters and other characters.
  • N1 is used for passwords consisting of characters from two character classes that do not meet the requirements for a passphrase.
  • N2 is used for passphrases. ESXi requires three words for a passphrase, and each word in the passphrase must be 8-40 characters long.
  • N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.
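The rules above and the min= breakdown can be turned into a quick offline check before a new policy string is pushed to hosts. The script below is an added example, not code from the post or from VMware: it reproduces only the character-class and length part of pam_passwdqc's min= rule (including the "leading upper-case letter and trailing digit do not count" adjustment) and the module's requirement that the five min= values never increase from N0 to N4. The passphrase (N2) word count and pam_passwdqc's dictionary and similarity checks are not reproduced, so a password this script accepts can still be refused by the host. It is POSIX sh and runs in the ESXi Shell (busybox) or on a workstation; the sample passwords and the two policy strings at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or VMware): evaluate candidate passwords and
# Security.PasswordQualityControl strings the way pam_passwdqc applies min=.
export LC_ALL=C   # keep [A-Z] / [a-z] ranges strictly ASCII

# Print the five comma-separated min= fields of a policy string.
pwqc_min_fields() {
    m=${1#*min=}     # drop everything up to and including "min="
    m=${m%% *}       # drop any further option after a space
    printf '%s' "$m"
}

# Validate a policy string: exactly five fields, each "disabled" or an integer,
# non-increasing from N0 to N4 ("disabled" counts as infinity, as pam_passwdqc
# treats it). Returns 0 if well-formed, 1 otherwise.
pwqc_validate_policy() {
    fields=$(pwqc_min_fields "$1")
    n=0; prev=999999
    oldifs=$IFS; IFS=,
    for f in $fields; do
        n=$((n + 1))
        case $f in
            disabled)    v=999999 ;;
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;   # not a number
            *)           v=$f ;;
        esac
        [ "$v" -le "$prev" ] || { IFS=$oldifs; return 1; }   # must not increase
        prev=$v
    done
    IFS=$oldifs
    [ "$n" -eq 5 ]
}

# Count character classes as pam_passwdqc does: digits, lower, upper, other.
# An upper-case letter that begins the password and a digit that ends it are
# not counted.
pwqc_classes() {
    pw=$1
    digits=$(( $(printf '%s' "$pw" | tr -cd '0-9' | wc -c) ))
    lowers=$(( $(printf '%s' "$pw" | tr -cd 'a-z' | wc -c) ))
    uppers=$(( $(printf '%s' "$pw" | tr -cd 'A-Z' | wc -c) ))
    others=$(( $(printf '%s' "$pw" | tr -d 'a-zA-Z0-9' | wc -c) ))
    case $pw in [A-Z]*) uppers=$((uppers - 1)) ;; esac
    case $pw in *[0-9]) digits=$((digits - 1)) ;; esac
    c=0
    [ "$digits" -gt 0 ] && c=$((c + 1))
    [ "$lowers" -gt 0 ] && c=$((c + 1))
    [ "$uppers" -gt 0 ] && c=$((c + 1))
    [ "$others" -gt 0 ] && c=$((c + 1))
    echo "$c"
}

# Print the minimum length policy $1 requires for $2 character classes:
# N0 for one class, N1 for two, N3 for three, N4 for four (N2, the passphrase
# slot, is not handled here).
pwqc_required_len() {
    classes=$2
    fields=$(pwqc_min_fields "$1")
    oldifs=$IFS; IFS=,
    set -- $fields
    IFS=$oldifs
    case $classes in
        1) echo "$1" ;;
        2) echo "$2" ;;
        3) echo "$4" ;;
        4) echo "$5" ;;
        *) echo disabled ;;   # empty password: nothing to classify
    esac
}

# Check one password against a policy. Prints a verdict; returns 0 if accepted.
pwqc_check() {
    pw=$1
    c=$(pwqc_classes "$pw")
    need=$(pwqc_required_len "$2" "$c")
    len=${#pw}
    if [ "$need" = disabled ]; then
        echo "REJECT: $c class(es) are disabled by policy"; return 1
    elif [ "$len" -lt "$need" ]; then
        echo "REJECT: $len chars with $c class(es), need $need"; return 1
    fi
    echo "OK: $len chars with $c class(es), need $need"
}

# Demo: the ESXi 6 default and a tightened policy (constructed sample inputs).
DEFAULT_POLICY='retry=3 min=disabled,disabled,disabled,7,7'
TIGHT_POLICY='retry=3 min=disabled,disabled,10,7,7'
for pw in 'Password1' 'Passw0rd1' 'pa55Word!' 'Pa5$'; do
    printf '%-10s ' "$pw"; pwqc_check "$pw" "$DEFAULT_POLICY" || true
done
pwqc_validate_policy "$TIGHT_POLICY" && echo "policy OK: $TIGHT_POLICY"
pwqc_validate_policy 'retry=3 min=disabled,8,disabled,7,7' || echo 'policy rejected: N2 exceeds N1'
```

Note what the demo shows: Password1 looks like three classes but counts as one, because the leading P and the trailing 1 are discounted, so the default policy rejects it. The validator also catches a string such as min=disabled,8,disabled,7,7, which pam_passwdqc refuses because the values must not increase; pushing such a string to a host would break password changes rather than tighten them.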

How to change password complexity?

To change the password complexity requirements, edit the Security.PasswordQualityControl option from the vSphere Web Client.

Here is an example where I changed the value to retry=3 min=disabled,disabled,10,7,7


If we check the /etc/pam.d/passwd file on the host from the ESXi Shell, we can confirm the updated value (note the comment in the file itself: it is generated from the advanced option, so edits made directly to the file do not survive):

[root@esxi04:~] cat /etc/pam.d/passwd
#%PAM-1.0
# Change only through host advanced option "Security.PasswordQualityControl".
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,10,7,7
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so

Changing password complexity via PowerCLI

The simple script below (credit to Ivo Beerens) can be used to change the password complexity on every ESXi host connected to a given vCenter.

# Set the ESXi password policy with PowerCLI on every connected host in the
# current vCenter session (run Connect-VIServer first).
# Default password policy on ESXi 6: retry=3 min=disabled,disabled,disabled,7,7
$PasswordPolicy = "retry=3 min=8,8,8,7,6"
$VMHosts = Get-VMHost | Where-Object { $_.ConnectionState -eq "Connected" }
foreach ($VMHost in $VMHosts)
{
    # Security.PasswordQualityControl is a per-host advanced setting
    $VMHost | Get-AdvancedSetting -Name "Security.PasswordQualityControl" |
        Set-AdvancedSetting -Value $PasswordPolicy -Confirm:$false
}

ESXi Account Lockout Behavior

Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout.

By default, a maximum of ten failed attempts is allowed before the account is locked, and the account is unlocked automatically after two minutes (120 seconds). To change the lockout behaviour, modify the following advanced options via the Web Client:

Security.AccountLockFailures: maximum number of failed login attempts before a user's account is locked. Zero disables account locking.

Security.AccountUnlockTime: number of seconds that a user stays locked out.

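Because the lock is applied per account rather than per source, an operator wants to know which accounts are about to hit Security.AccountLockFailures and which sources are driving the failures. The script below is an added example, not from the post or from VMware: it counts failed PAM authentications per account and source from an auth log and lists the accounts that have reached a given threshold. The log lines it processes are constructed for the demo and modeled on the standard pam_unix "authentication failure" syslog line, so compare the pattern with the real /var/log/auth.log on your host before relying on it. POSIX sh plus awk, runnable in the ESXi Shell or anywhere else.

```shell
#!/bin/sh
# Added example (not from the post or VMware): find accounts approaching or at
# the ESXi Security.AccountLockFailures threshold from auth-log failures.
export LC_ALL=C

# Constructed sample log: 11 failures for root from one source, 2 for "ops"
# from another, and one unrelated successful login.
sample_log() {
    i=0
    while [ "$i" -lt 11 ]; do
        i=$((i + 1))
        printf '2016-05-10T10:%02d:00Z sshd[11%03d]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.50 user=root\n' "$i" "$i"
    done
    printf '2016-05-10T10:15:00Z sshd[11101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=ops\n'
    printf '2016-05-10T10:15:07Z sshd[11102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=ops\n'
    printf '2016-05-10T10:15:20Z sshd[11103]: Accepted keyboard-interactive/pam for ops from 198.51.100.7 port 50122 ssh2\n'
}

# Failures per (account, source) from stdin, printed as "user rhost count".
count_failures() {
    awk '/pam_unix\([a-z]+:auth\): authentication failure/ {
            u = ""; h = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/)  u = substr($i, 6)
                if ($i ~ /^rhost=/) h = substr($i, 7)
            }
            if (u != "") n[u " " h]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Accounts whose total failures across all sources (ESXi locks the account,
# not the source) have reached threshold $1, printed as "user count".
locked_accounts() {
    awk -v t="$1" '/pam_unix\([a-z]+:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) n[substr($i, 6)]++
         }
         END { for (u in n) if (n[u] >= t) print u, n[u] }' | sort
}

echo "Failures per account and source:"
sample_log | count_failures
echo "Accounts at or over the ESXi 6 default Security.AccountLockFailures (10):"
sample_log | locked_accounts 10
```

Run against a real host, replace sample_log with `cat /var/log/auth.log` and pass the threshold the host actually has (readable with `esxcli system settings advanced list -o /Security/AccountLockFailures`). Remember that failures at the DCUI and in the ESXi Shell never count toward the lock, so a lockout seen here always came over SSH or the SDK.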

Resetting failed login attempts with pam_tally2

pam_tally2 is a simple but very effective tool for resetting the failed-login counter, and it ships with the ESXi installation. If an account is locked before the unlock time has expired (or the unlock time was set very high), this is how you clear it.

The command to clear the lockout status and reset the count to zero for an account, run from the ESXi Shell as root, is:

[root@esxi04:~] /bin/pam_tally2 --user root --reset
Login Failures Latest failure From
root 0

I hope you find this post informative. Feel free to share it on social media if it is worth sharing. Be sociable 🙂