Security – Part One: Enabling strong passwords and configuring password policies

By default, there are no restrictions set on the local root user account on an ESXi host system. However, the local non-root users must satisfy the requirements of the password compliance policy defined by the Pluggable Authentication Module (PAM). By default, the ESXi host system checks for password compliance using the PAM module.

The pam_passwdqc plug-in is inserted into the PAM stack so when a user creates a password rules are enforced on the password chosen for the local non–root user on the ESXi host system. The plug-in ensures that password requirements must be satisfied for all local non–root users.

In order to modify the password complexity you will be required to edit the ‘/etc/pam.d/passwd’ file, which by default contains the following:


password requisite /lib/security/$ISA/ retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/ use_authtok nullok shadow sha512
password required /lib/security/$ISA/

The syntax of the password file is as follows, where the last five numbers control the complexity of the password and refer to the four character classes (numbers, lowercase letters, uppercase letters and specical characters.

password requisite /lib/security/$ISA/ retry=n1 min=n2,n3,n4,n5,n6
  • n1 – The number of attempts the users is able to enter a strong password
  • n2 – Passwords containing at least one character classes must be a minimum of eight characters in length.
  • n3 – Passwords containing at least two character classes must be a minimum of eight characters in length.
  • n4 – Each word in the passphrase must be a minimum of eight characters in length.
  • n5 – Passwords containing at least three character classes must be a minimum of seven characters in length.
  • n6 – Passwords containing at all  character classes must be a minimum of six characters in length.

For Example, if we wanted to ensure that passwords containing at least one character classes must be a minimum of ten characters in length, I would modify the above line as follows:

password requisite /lib/security/$ISA/ retry=3 min=10,8,8,7,6

Following the above change, if I was to connect to an ESXi host system using the vSphere Client and create a user account where the password is eight characters in length and only contains one character class, I would receive the following error message:






The pam_passwdqc plug-in does not count uppercase letters used as the first character in the password and number used as the last character of a password when the number of character classes is being counted. If you were to configure any of the above requirements with the value ‘-1’ password complexity requirements will be ignored. The above change takes effect on saving the configuration changes to the ‘/etc/pam.d/passwd’ file to which local non–root users can change their passwords using the passwd utility.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s