Enable Strong Passwords and Configure Password Policies on ESXi

ESXi host password length and complexity rules are documented on page 90 of the vSphere Security Guide. As stated there, ESXi uses the pam_passwdqc.so plug-in, by default,  to set the password policy/rules. Out of the box, ESXi doesn’t place any complexity restrictions on the root account’s password. However, non-root user accounts will be subject to the default rules defined in pam_passwdqc.so. As described in the security guide, in order to configure password complexity you can change the following parameters:

  • retry is the number of times a user is prompted for a new password if the password candidate is not sufficiently strong.
  • N0 is the number of characters required for a password that uses characters from only one character class. For example, the password contains only lowercase letters.
  • N1 is the number of characters required for a password that uses characters from two character classes.
  • N2 is used for passphrases. ESXi requires three words for a passphrase. Each word in the passphrase must be 8-40 characters long.
  • N3 is the number of characters required for a password that uses characters from three character classes.
  • N4 is the number of characters required for a password that uses characters from all four character classes.
  • match is the number of characters allowed in a string that is reused from the old password. If the pam_passwdqc.so plug-in finds a reused string of this length or longer, it disqualifies the string from the strength test and uses only the remaining characters.

Setting any of  the parameters about to -1 directs the pam_passwdqc.so plug-in to ignore the requirement, whilst setting any of the parameters to disabled will disqualify any passwords that include that characteristic. In order to configure the plugin we need to edit the host’s passwd file, which is found in /etc/pam.d/. An example of the content of the passwd file is shown below:

/var/log # cat /etc/pam.d/passwd
#%PAM-1.0

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password   required     /lib/security/$ISA/pam_deny.so

It is the ‘password requisite’ line that we are interested in:

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6

The line is constructed as follows:


password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4

In the example above we can determine that:

  • retry=3: A user is allowed 3 attempts to enter a sufficient password
  • N0=8: Passwords containing characters from one character class must be at least 8 characters long.
  • N1=8: Passwords containing characters from two character classes must be at least 8 characters long.
  • N2=8: Passphrases must contain words that are each at least 8 characters long.
  • N3=7: Passwords containing characters from three character classes must be at least 7 characters long.
  • N4=6: Passwords containing characters from all four character classes must be at least 6 characters long.

Related posts

VMware vSphere Virtual Machine Snapshots Explained

How to Enable SSH on All ESXi Hosts using PowerCLI

How to Install VMware Tools on Debian 11

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More