ESXi host password length and complexity rules are documented on page 90 of the vSphere Security Guide. As stated there, ESXi uses the pam_passwdqc.so plug-in, by default, to set the password policy/rules. Out of the box, ESXi doesn’t place any complexity restrictions on the root account’s password. However, non-root user accounts will be subject to the default rules defined in pam_passwdqc.so. As described in the security guide, in order to configure password complexity you can change the following parameters:
- retry is the number of times a user is prompted for a new password if the password candidate is not sufficiently strong.
- N0 is the number of characters required for a password that uses characters from only one character class. For example, the password contains only lowercase letters.
- N1 is the number of characters required for a password that uses characters from two character classes.
- N2 is used for passphrases. ESXi requires three words for a passphrase. Each word in the passphrase must be 8-40 characters long.
- N3 is the number of characters required for a password that uses characters from three character classes.
- N4 is the number of characters required for a password that uses characters from all four character classes.
- match is the number of characters allowed in a string that is reused from the old password. If the pam_passwdqc.so plug-in finds a reused string of this length or longer, it disqualifies the string from the strength test and uses only the remaining characters.
Setting any of the parameters above to -1 directs the pam_passwdqc.so plug-in to ignore the requirement, whilst setting any of the parameters to disabled disqualifies any password that has that characteristic. To configure the plug-in we need to edit the host's passwd file, which is found in /etc/pam.d/. An example of the content of the passwd file is shown below:
/var/log # cat /etc/pam.d/passwd
#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so
It is the ‘password requisite’ line that we are interested in:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
The line is constructed as follows:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
In the example above we can determine that:
- retry=3: A user is allowed 3 attempts to enter a sufficient password
- N0=8: Passwords containing characters from one character class must be at least 8 characters long.
- N1=8: Passwords containing characters from two character classes must be at least 8 characters long.
- N2=8: Passphrases must be at least 8 characters long in total. (In pam_passwdqc the N2 value is the minimum length of the whole passphrase; the three-word requirement comes from the module's separate passphrase option, which defaults to 3.)
- N3=7: Passwords containing characters from three character classes must be at least 7 characters long.
- N4=6: Passwords containing characters from all four character classes must be at least 6 characters long.
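Putting the above together as an added, runnable example (the editor's own shell script, not code from the vSphere Security Guide or the original post): it reads and rewrites the pam_passwdqc line with sed, then shows how a min=N0,N1,N2,N3,N4 tuple turns into a verdict on a candidate password, including the pam_passwdqc rule that an upper-case letter used as the first character and a digit used as the last character do not earn an extra character class. It works on a constructed copy of /etc/pam.d/passwd so it runs anywhere; the hardened policy disabled,disabled,16,12,10 is illustrative only, and the passphrase word-counting is a simplification of the module's check (its dictionary-based tests are not modelled).

```shell
#!/bin/sh
# Added example (editor's code, not from the vSphere Security Guide or the
# original post). It operates on a COPY of /etc/pam.d/passwd so it runs on
# any POSIX shell; on an ESXi host you would pass the real file instead.
LC_ALL=C; export LC_ALL

# Constructed copy of the default ESXi /etc/pam.d/passwd content quoted above.
write_sample_passwd() {
    cat > "$1" <<'EOF'
#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so
EOF
}

# Print the pam_passwdqc arguments (everything after the module path).
get_policy() {
    sed -n 's/^password[[:space:]]\{1,\}requisite[[:space:]]\{1,\}[^[:space:]]*pam_passwdqc\.so[[:space:]]*//p' "$1"
}

# Rewrite the pam_passwdqc line with new retry= and min= values, leaving the
# module path and the other PAM lines untouched.
# Usage: set_policy FILE RETRY N0,N1,N2,N3,N4
set_policy() {
    sed "s/^\(password[[:space:]]\{1,\}requisite[[:space:]]\{1,\}[^[:space:]]*pam_passwdqc\.so\).*/\1 retry=$2 min=$3/" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Count the character classes pam_passwdqc credits a candidate with. As in
# pam_passwdqc, an upper-case letter used as the FIRST character and a digit
# used as the LAST character are not counted ("Password1" is one class).
count_classes() {
    _pw=$1 _n=0
    case ${_pw#[A-Z]} in *[A-Z]*) _n=$((_n + 1)) ;; esac   # upper, ignoring a leading one
    case ${_pw%[0-9]} in *[0-9]*) _n=$((_n + 1)) ;; esac   # digit, ignoring a trailing one
    case $_pw in *[a-z]*) _n=$((_n + 1)) ;; esac
    case $_pw in *[!A-Za-z0-9]*) _n=$((_n + 1)) ;; esac    # punctuation, space, anything else
    echo "$_n"
}

# Minimum length that min=N0,N1,N2,N3,N4 demands for CLASSES character
# classes. N2 (field 3) is the passphrase length and is skipped, so three
# classes map to N3 and four classes to N4.
required_length() {
    case $2 in
        1) _f=1 ;;
        2) _f=2 ;;
        3) _f=4 ;;
        4) _f=5 ;;
        *) echo disabled; return 0 ;;
    esac
    echo "$1" | cut -d, -f"$_f"
}

# Report whether CANDIDATE would pass a min= policy. Passphrases are
# approximated as at least three runs of letters with total length >= N2
# (pam_passwdqc also runs dictionary checks, which are not modelled here).
# Prints "ok" or a reason; the exit status follows the verdict.
check_candidate() {
    _min=$1 _cand=$2 _len=${#2}
    _n2=$(echo "$_min" | cut -d, -f3)
    _words=$(( $(printf '%s\n' "$_cand" | tr -cs 'A-Za-z' '\n' | sed '/^$/d' | wc -l) ))
    if [ "$_n2" != disabled ] && [ "$_words" -ge 3 ] && [ "$_len" -ge "$_n2" ]; then
        echo ok; return 0
    fi
    _classes=$(count_classes "$_cand")
    if [ "$_classes" -eq 0 ]; then
        echo "rejected: no counted character classes"; return 1
    fi
    _need=$(required_length "$_min" "$_classes")
    if [ "$_need" = disabled ]; then
        echo "rejected: $_classes-class passwords are disabled by policy"; return 1
    fi
    if [ "$_len" -ge "$_need" ]; then
        echo ok; return 0
    fi
    echo "rejected: $_classes class(es) need at least $_need characters, got $_len"; return 1
}

# Walk-through on a constructed copy of the file.
demo() {
    _f=$(mktemp)
    write_sample_passwd "$_f"
    echo "current policy: $(get_policy "$_f")"
    # Illustrative hardened policy (not from the guide): one- and two-class
    # passwords refused, 16-char passphrases, 12 chars for three classes,
    # 10 for all four; retry stays at 3.
    set_policy "$_f" 3 disabled,disabled,16,12,10
    echo "new policy:     $(get_policy "$_f")"
    for _c in 'Password1' 'Tr0ub4dor&3x' 'correct horse battery staple'; do
        echo "$_c -> $(check_candidate "$(get_policy "$_f" | sed 's/.*min=//')" "$_c")"
    done
    rm -f "$_f"
}
demo
```

On a host you would call set_policy against /etc/pam.d/passwd itself and confirm the result with get_policy before changing any account's password; the check_candidate function is only a preview of the policy and is no substitute for running passwd against the real module.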