In continuation to previous post on ESXi 6 password policy, Let us understand the changes (if any) in password policy in ESXi 6.5 and later. I have tried to simplify the ESXi password policy as much as possible.
ESXi uses the Linux PAM module pam_passwdqc for password management and control. We can change the required length, character class requirement, or allow pass phrases using the ESXi Advanced setting Security.PasswordQualityControl
I will be using ESXi 6.7 from my test lab for this discussion.
Default settings for Security.PasswordQualityControl in ESXi 6.7 is as below.
As you can see, it is similar to that of what we had in ESXi 6.0 and its predecessor’s as well.
retry=3 min=disabled,disabled,disabled,7,7
Above setting can also be written as
retry=3 min=8,8,8,7,7
The above statement also has the same meaning as first entry as
(disabled = 8).
In above setting, Minimum requirement for password is denoted by five place holders (after min=) namely disabled, disabled, disabled, 7, and 7.
What does these placeholders mean?
- disabled
- Number of minimum characters required if the password contains only one character class
- disabled
- Number of minimum characters required if the password contains characters from two character classes
- disabled
- Number of minimum characters required if the password contains a phrase
- 7
- Number of minimum characters required if the password contains characters from three character classes
- 7
- Number of characters required if the password contains characters from four character classes
So to put it in simple words, ESXi password cannot contain characters from only one class or only two classes. Also by default, pass phrases are disabled as in above format. That is what the meaning of first three disabled words.
Password is allowed to be created from either three character classes or four character classes. Thats fourth and fifth place holder respectively with below requirement of characters
Password from three character classes requires minimum character length of 7.
Password from four different character classes require minimum number of character required is same as that of three character classes i.e. 7.
What character classes are we referring to?
- Lowercase letters
- Uppercase letters
- Numbers
- Special characters (e.g. _ or -)
What are the default settings?
- By default, mix of characters from four character classes is used when creating a password.
- By default, password length should be more than 7 and less than 40.
- Passwords cannot contain a dictionary word or part of a dictionary word.
Other rules to be considered
- An uppercase character that begins a password does not count toward the number of character classes used.
- A number that ends a password does not count toward the number of character classes used.
I hope this clears on how ESXi password policy works. If still not clear check with below examples.
- Modify policy to allow passphrase with minimum of 10 characters along with other defaults.
retry=3 min=disabled,disabled,10,7,7
- Modify policy to allow password from two character classes with minimum character length of 14 along with other defaults.
retry=3 min=disabled,14,disabled,7,7
Feel free to comment if you still have any query.
Be social and share if you like the post.