6 Replies Latest reply on Oct 18, 2010 9:24 AM by LucD

    Change password policies on ESXi

    geirsjo Novice

      Hi

       

      Anyone who has a brilliant idea how to change the /etc/pam.d/common-passwd file so that password complexity, length and reuse options can be changed from PowerCLI or other management utils?

       

       

      /gekken

        • 1. Re: Change password policies on ESXi
          Dave.Mishchenko Guru
          User Moderators

          I don't believe the file is exposed for changes through the API, so you would have to use Tech Support Mode to change the file as described here - http://kb.vmware.com/kb/1012033. If you had a number of hosts to do, you could enable Remote TSM with PowerCLI, then use plink to edit the file and restart the management services, and then use PowerCLI to disable TSM.




          Dave

          VMware Communities User Moderator

           


          • 2. Re: Change password policies on ESXi
            geirsjo Novice

            Hi Dave and thanks for the answer.  We have approx 200 hosts and they are running on ESXi 4.0 U2 and we are not allowed to upgrade and as far as I know TSM is a 4.1 feature :-(.

             

            I'm really hoping to get away with this without using the "unsupported" console option, so if anyone has a solution it would be very appreciated.

             

            /gekken

            • 3. Re: Change password policies on ESXi
              LucD Guru
              User Moderators, vExpert, Community Warriors

              Provided the ESXi hosts are not in locked mode and provided the SSH service is started, you could use the pscp.exe command from the PuTTY suite to copy a modified system-auth (ESXi 4.1) or common-password (ESXi 4.0) file to the ESXi servers.

               

              # Fill in the placeholders before running
              $User = "<account>"
              $Pswd = "<password>"
              $hostName = "<hostname>"
              $pscp = "<PuTTY-directory>\pscp.exe"
              $sourceFile = "C:\Temp\system-auth"
              $targetDir = "/etc/pam.d/"
              # -pw puts the password on the pscp command line
              $pscpoptions = "-scp", "-pw", $Pswd

              # Build the scp target (user@host:/dir) and run pscp with the call operator,
              # so a password with special characters is not re-parsed by PowerShell
              $target = $User + "@" + $hostName + ":" + $targetDir
              & $pscp $pscpoptions $sourceFile $target


              ____________

              Blog: LucD notes

              Twitter: lucd22

              • 4. Re: Change password policies on ESXi
                LucD Guru
                Community Warriors, User Moderators, vExpert

                Just as a reminder, you can start the SSH service like this

                Get-VMHostService -VMHost (Get-VMHost mmmstv051*) | where {$_.Key -eq "TSM-SSH"} | Start-VMHostService -Confirm:$false
                

                Or you could even make it more intelligent like this

                $sshSrv = Get-VMHostService -VMHost (Get-VMHost mmmstv051*) | where {$_.Key -eq "TSM-SSH"}
                # Remember the original state so it can be restored afterwards
                $wasRunning = $sshSrv.Running
                if($wasRunning -eq $false){
                   Start-VMHostService -HostService $sshSrv -Confirm:$false
                }
                #
                # Do other stuff, like copy the file
                #
                # Stop the service again only if it was not running to begin with
                if($wasRunning -eq $false){
                   Stop-VMHostService -HostService $sshSrv -Confirm:$false
                }
                

                Where you restore the state of the service to what it was before.

                 

                ____________

                Blog: LucD notes

                Twitter: lucd22

                • 5. Re: Change password policies on ESXi
                  geirsjo Novice

                  Hi and thanks for the replies.

                  Just to be sure, the "TSM-SSH" service is not available on 4.0 U2?

                   

                  /gekken

                  • 6. Re: Change password policies on ESXi
                    LucD Guru
                    Community Warriors, vExpert, User Moderators

                    True, you will have to edit the /etc/inetd.conf file to enable ssh.

                    See Duncan's post for the details.

                     

                    And I'm afraid that file is not included in the firmware package that you can retrieve with the Set-VMHostFirmware cmdlet.


                    ____________

                    Blog: LucD notes

                    Twitter: lucd22
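
Added example, not part of any post in this thread: the two snippets from replies 3 and 4 combined into one loop that pushes the policy file to every host and always returns the SSH service to its earlier state, even when the copy fails. It assumes ESXi 4.1 hosts (where the TSM-SSH service exists), an existing Connect-VIServer session, and that the PuTTY path is adjusted to your install. The variable names and the result table are illustrative.

```powershell
# Added example; $pscp path is an assumed install location.
$pscp       = "C:\Tools\PuTTY\pscp.exe"
$sourceFile = "C:\Temp\system-auth"      # reviewed policy file (ESXi 4.1 file name)
$targetDir  = "/etc/pam.d/"
$cred       = Get-Credential             # prompt rather than keeping the password in the script
$user       = $cred.GetNetworkCredential().UserName
$pswd       = $cred.GetNetworkCredential().Password

$results = foreach($esx in Get-VMHost){
    $sshSrv     = Get-VMHostService -VMHost $esx | where {$_.Key -eq "TSM-SSH"}
    $wasRunning = $sshSrv.Running
    $copied     = $false
    try {
        if(-not $wasRunning){
            Start-VMHostService -HostService $sshSrv -Confirm:$false | Out-Null
        }
        $target = $user + "@" + $esx.Name + ":" + $targetDir
        # -batch makes pscp fail instead of prompting, e.g. when the host key
        # is not already cached, so an unknown host is never silently trusted
        & $pscp -scp -batch -pw $pswd $sourceFile $target | Out-Host
        $copied = ($LASTEXITCODE -eq 0)
    }
    finally {
        # Runs even if the copy throws: SSH is not left enabled by this script
        if(-not $wasRunning){
            Stop-VMHostService -HostService $sshSrv -Confirm:$false | Out-Null
        }
    }
    New-Object PSObject -Property @{
        Host          = $esx.Name
        Copied        = $copied
        SshWasRunning = $wasRunning
    }
}

# Review which hosts took the file and which had SSH enabled beforehand
$results | Format-Table Host, Copied, SshWasRunning -AutoSize
```

Hosts that show Copied as False still have the old policy file and need a follow-up. Hosts that show SshWasRunning as True had SSH enabled before the run and are left that way.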