The other week i was asked by a customer to change passwords for all service accounts in their environment and this includes but not limited to IPMI admin account, ESXi host root account, Nutanix Controller Virtual Machine (CVM) nutanix account vCenter Server administrator@vsphere.local account
Based on existing customer password requirements for ESXi hosts, 16 characters including only lower cases, i was unable to change the root password because it does not meet the password complexity enforced by the ESXi host. If trying to change it according to the customer requirements the below is what you’ll see in a SSH connection. Start the password change process by running the following command via SSH or you can use e.g. DCUI, vSphere Client.
passwd
The following prompt appears:
Changing password for root
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 7 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: “ghan+qbpx*perrx”.
Enter new password:
The following prompt appeared:
eak password: not enough different characters or classes.
Try again.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 7 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: “fpbgpu+urry$znpeb”.
To password complexity requirements can be viewed from the /etc/pam.d/passwd file and the default configuration includes:
#%PAM-1.0
# Change only through host advanced option “Security.PasswordQualityControl”.
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so
The vSphere Client will also provide you with the password complexity requirements and to change the password complexity configuration i used the vSphere Client (yes the old one). The configuration is available in the “Advanced Settings” -> Security section in the vSphere Client Configuration tab
I temporarily used the following configuration during the password change.
retry=3 min=16,10,8,7,7
Yes i change the configuration back to the its original state when the password was changed meaning:
retry=3 min=disabled,disabled,disabled,7,7
The below is a breakdown of what the different 5 sections (after min=) actually means) so you can configure your own password complexity policies if needed.
X1 – Number of characters required when the password contains only one character class
X2 – Number of characters required when the password contains characters from two character classes
X3 – Number of characters required when the password contains contains a phrase
X4 – Number of characters required when the password contains characters from three character classes
X5 – Number of characters required when the password contains characters from four character classes
Changing the password complexity requirements to something weaker than default is not something i recommend, i’d rather change the customer password policy. However, this was not possible this time.
6 pings