VMware Cloud Community
LemonBrus
Contributor
Contributor
‎10-08-2009 04:10 AM
Jump to solution

complex passeword on ESX 4.0

Can someone tell me how to disable the complex password option on the ESX 4.0 hosts?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
vlho
Hot Shot
Hot Shot
‎10-08-2009 08:07 AM
Jump to solution

sorry

you try modify file /etc/pam.d/system-auth-generic

from

password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0

to

password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 enforce=none

Parameter match. This is a case and direction insensitive substring-matching function that is used to determine if a substring is common. Passwords aren't rejected for having common substrings, the substring value is just removed from consideration when calculating the number of different character classes, just as leading capitals and trailing digits are.

Parameter similar, which can be either similar=permit or similar=deny. The default is deny, which means the new password isn't allowed to be similar to the old password. Passwords are subject to the common substring test from match, and rejected if they're too similar. This stops users from using passwords similar to ones that may have been compromised. So, if the user's previous password was "mypass1" they wouldn't be allowed to use "mypass2" as their next password.

Parameter eneforce can have a value of none, users, or everyone. The default is enforce=everyone. none will warn of weak passwords only, but not enforce their rejection. users will enforce the restrictions for all non-root users on the system. everyone will enforce the restrictions for all users, including root.

View solution in original post

0 Kudos
3 Replies
LemonBrus
Contributor
Contributor
‎10-08-2009 05:11 AM
Jump to solution

This instruction is for ESX4i. Is it the same for ESX4? I can't find the common-password in the /etc/pam.d folder in esx4 version...

0 Kudos
vlho
Hot Shot
Hot Shot
‎10-08-2009 08:07 AM
Jump to solution

sorry

you try modify file /etc/pam.d/system-auth-generic

from

password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0

to

password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 enforce=none

Parameter match. This is a case and direction insensitive substring-matching function that is used to determine if a substring is common. Passwords aren't rejected for having common substrings, the substring value is just removed from consideration when calculating the number of different character classes, just as leading capitals and trailing digits are.

Parameter similar, which can be either similar=permit or similar=deny. The default is deny, which means the new password isn't allowed to be similar to the old password. Passwords are subject to the common substring test from match, and rejected if they're too similar. This stops users from using passwords similar to ones that may have been compromised. So, if the user's previous password was "mypass1" they wouldn't be allowed to use "mypass2" as their next password.

Parameter eneforce can have a value of none, users, or everyone. The default is enforce=everyone. none will warn of weak passwords only, but not enforce their rejection. users will enforce the restrictions for all non-root users on the system. everyone will enforce the restrictions for all users, including root.

0 Kudos