A valid password requires a mix of upper and lower case letters, digits, and other characters. You can use a 7-character long password with characters from at least three of these four classes, or a 6-character long password containing characters from all the classes. A password that begins with an upper case letter and ends with a numerical digit does not count towards the number of character classes used. It is recommended that the password does not contain the username.
A passphrase requires at least 3 words, must be 8 to 40 characters long, and must contain enough different characters.
The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround.
vpxuser : system-auth-local
* : system-auth-generic
system-auth-generic to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically lists
Caution: Modifying password restrictions may reduce the security of your VMware environment.
VMware ESX 4.x uses the PAM module pam_passwdqc.so. For additional information about this module and the different syntax, see the pam_passwdqc man page.
Note: The preceding link was correct as of January 31, 2012. If you find the link is broken, provide feedback and a VMware employee will update the link.
To disable the restriction:
/etc/pam.d/system-auth-generic file. Run the command:
password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0
password required pam_cracklib.so try_first_pass retry=3
VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check password strength. By default, it uses these parameters:
pam_passwdqc.so retry=3 min=8,8,8,7,6
To modify these settings on an ESX/ESXi 4.1.x host:
For more information on Tech Support Mode, see:
/etc/pam.d/system-auth file using a text editor. For example, to open the file using a vi editor, run this command:
Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and the different syntax, see the
chmod +t /etc/pam.d/system-auth
To modify these settings on an ESXi 5.0 host:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
retry=3: A user is allowed 3 attempts to enter a sufficient password.
N0=12: Passwords containing characters from one character class must be at least twelve characters long.
N1=10: Passwords containing characters from two character classes must be at least ten characters long.
N2=8: Passphrases must contain words that are each at least eight characters long.
N3=8: Passwords containing characters from all three character classes must be at least eight characters long.
N4=7: Passwords containing characters from all four character classes must be at least seven characters long.
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=12,10,8,8,7
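An audit sketch for the settings above, added here as an example and not taken from VMware or the pam_passwdqc project: it parses min= from the PAM lines quoted on this page, flags fields set below the 8,8,8,7,6 default, and applies the rule that a leading capital and a trailing digit do not count as character classes. It is a simplified model (length check only, ASCII input, passphrases and the similar= check not modelled); all function names are illustrative.

```python
import re
import string

BASELINE = (8, 8, 8, 7, 6)  # default min= this page quotes for ESX/ESXi 4.x
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

# PAM lines copied from this page: default, restriction disabled, stricter policy
SAMPLE = [
    "password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0",
    "password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0",
    "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=12,10,8,8,7",
]

def parse_min(pam_line):
    """Return (N0, N1, N2, N3, N4) from an active pam_passwdqc line, else None."""
    line = pam_line.strip()
    if line.startswith("#") or "pam_passwdqc.so" not in line:
        return None
    m = re.search(r"\bmin=(\d+),(\d+),(\d+),(\d+),(\d+)(?!\S)", line)
    return tuple(map(int, m.groups())) if m else None

def weakened(mins, baseline=BASELINE):
    """Indexes of the min= fields that are set below the baseline."""
    return [i for i, (got, want) in enumerate(zip(mins, baseline)) if got < want]

def count_classes(password):
    """Count character classes, ignoring a leading capital and a trailing digit."""
    body = password
    if body and body[0] in string.ascii_uppercase:
        body = body[1:]
    if body and body[-1] in string.digits:
        body = body[:-1]
    # Index 3 stands for "other characters" (anything not in CLASSES).
    return len({next((i for i, s in enumerate(CLASSES) if ch in s), 3) for ch in body})

def meets_min(password, mins):
    """Length check for passwords only; N2 (passphrases) is not modelled."""
    classes = count_classes(password)
    if classes == 0:  # modelling assumption: no countable class means rejected
        return False
    return len(password) >= {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}[classes]

if __name__ == "__main__":
    for line in SAMPLE:
        mins = parse_min(line)
        print(mins, weakened(mins), meets_min("Password1", mins), meets_min("a", mins))
```

"Password1" is a constructed sample: it counts as a single class, so it passes the 8,8,8,7,6 default but fails min=12,10,8,8,7, while min=0,0,0,0,0 accepts even a one-character password.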