Portal Home > Knowledgebase > VMware Knowledge Base > ESX and ESXi 4.x and 5.x password requirements and restrictions

ESX and ESXi 4.x and 5.x password requirements and restrictions

Symptoms

  • You are unable to set a password in ESX or ESXi 4.x or 5.x.
  • You see these VMware vSphere Client errors:

    • A general system error occurred: passwd: Authentication token manipulation error
    • An internal error has occurred, and the wizard is unable to store the Administrator password securely. The customization cannot proceed. Please contact VMware technical support for more information.

  • You see this console error:

    Weak password: not enough different characters or classes for this length.
    passwd: Authentication token manipulation error

Purpose

This article provides information about VMware ESX and ESXi 4.x and 5.x password requirements and restrictions.

Cause

This issue may occur if a password is invalid.

Resolution

A valid password requires a mix of upper and lower case letters, digits, and other characters. You can use a 7-character long password with characters from at least three of these four classes, or a 6-character long password containing characters from all the classes. A password that begins with an upper case letter and ends with a numerical digit does not count towards the number of character classes used. It is recommended that the password does not contain the username.

A passphrase requires at least 3 words, be 8 to 40 characters long, and must contain enough different characters.

Notes:

  • vCenter Server 4.0 can handle up to 26-character passwords.
  • In ESXi 4.x and 5.x, the password cannot contain the words admin, root, or administrator in any form.
  • The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround. 

    Example: The file might contain these rules:

    vpxuser : system-auth-local
    * : system-auth-generic

    In this case, use system-auth-local to authenticate vpxuser. Use system-auth-generic to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically listssystem-auth.

Caution: Modifying password restrictions may reduce the security of your VMware environment.

ESX 4.0

VMware ESX 4.x uses the pam module pam_passwdqc.so. For additional information about this module and the different syntax, see the pam_passwdqc man page

Note: The preceding link was correct as of January 31, 2012 If you find the link is broken, provide feedback and a VMware employee will update the link.

To disable the restriction:

  1. Modify the /etc/pam.d/system-auth-generic file. Run the command:

    vi /etc/pam.d/system-auth-generic

  2. Change the line:

    password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0

    to:

    password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0


    or

    password required pam_cracklib.so try_first_pass retry=3

  3. Save the changes and change the password.

ESXi 4.0 and ESXi/ESX 4.1

VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check for the password strength. By default, it uses these parameters:

pam_passwdqc.so retry=3 min=8,8,8,7,6

To modify these settings on an ESX/ESXi 4.1.x host:

  1. Connect to the host using SSH. For ESXi hosts, you must enable Tech Support Mode. 

    For more information on Tech Support Mode, see:

    • Tech Support Mode for Emergency Support (1003677)
    • Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910)

  2. Open the /etc/pam.d/system-auth file using a text editor. For example, to open the file using a vi editor, run this command:

    vi /etc/pam.d/system-auth

  3. Change this line:

    password requisite /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6

    Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and the different syntax, see the pam_passwdqc man page.

  4. Save the changes and change the password.

Note: To ensure that changes to the file persist upon reboot, run this command before making edits to the/etc/pam.d/system-auth file:
 
chmod +t /etc/pam.d/system-auth

ESXi 5.0

To modify these settings on an ESXi 5.0 host:

  1. Enable technical support mode. For more information, see Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910).
  2. Modify /etc/pam.d/passwd file.

    vi /etc/pam.d/passwd

  3. In the file, find this line:

    password requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
    password requisite    /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
     
    Note:   min=8,8,8,7,6 maps to  min=N0,N1,N2,N3,N4  in fhe following step.

  4. Using these switches, make your required changes and save the file:

    • retry=3: A user is allowed 3 attempts to enter a sufficient password.
    • N0=12: Passwords containing characters from one character class must be at least twelve characters long. 
      example: chars1234567

    • N1=10: Passwords containing characters from two character classes must be at least ten characters long. 
      example: CHars12345

    • N2=8: Passphrases must contain words that are each at least eight characters long.
      example: software

    • N3=8: Passwords containing characters from all three character classes must be at least eight characters long.
      example: CHars12

    • N4=7: Passwords containing characters from all four character classes must be at least seven characters long.
      example:  CHars1!

    • Example: password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min= 12,10,8,8,7

  5. Based on VMware KB 1012033

Also Read

Language: