VMware Cloud Community
geirsjo
Contributor

Change password policies on ESXi

Hi

Anyone who has a brilliant idea how to change the /etc/pam.d/common-passwd file so password complexity, length and reuse options can be changed from PowerCLI or other management utils?

/gekken

0 Kudos
6 Replies
Dave_Mishchenko
Immortal

I don't believe the file is exposed for changes through the API so you would have to use Tech Support Mode to change the file as described here - http://kb.vmware.com/kb/1012033. If you had a number of hosts to do, you could enable Remote TSM with PowerCLI, then use plink to edit the file and restart the management services, and then use PowerCLI to disable TSM.




Dave

VMware Communities User Moderator

0 Kudos
geirsjo
Contributor

Hi Dave and thanks for the answer. We have approx 200 hosts and they are running on ESXi 4.0 U2 and we are not allowed to upgrade and as far as I know TSM is a 4.1 feature :-(.

I'm really hoping to get away with this without using the "unsupported" console option so if anyone has a solution it would be very appreciated.

/gekken

0 Kudos
LucD
Leadership

Provided the ESXi hosts are not in locked mode and provided the SSH service is started, you could use the pscp.exe command from the PuTTY suite to copy a modified system-auth (ESXi 4.1) or common-password (ESXi 4.0) file to the ESXi servers.

# Fill in the placeholders before running
$User = "<account>"
$Pswd = "<password>"
$hostName = "<hostname>"
$pscp = "<PuTTY-directory>\pscp.exe"
# Modified PAM file to push (system-auth for ESXi 4.1, common-password for ESXi 4.0)
$sourceFile = "C:\Temp\system-auth"
$targetDir = "/etc/pam.d/"

# Call pscp with an argument list rather than a concatenated string passed to
# Invoke-Expression, so special characters in the password are not re-parsed
& $pscp -scp -pw $Pswd $sourceFile "$User@${hostName}:$targetDir"

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
LucD
Leadership

Just as a reminder, you can start the SSH service like this

Get-VMHostService -VMHost (Get-VMHost mmmstv051*) | where {$_.Key -eq "TSM-SSH"} | Start-VMHostService -Confirm:$false

Or you could even make it more intelligent like this

$sshSrv = Get-VMHostService -VMHost (Get-VMHost mmmstv051*) | where {$_.Key -eq "TSM-SSH"}
# Remember the state of the service before touching it
$wasRunning = $sshSrv.Running
if(-not $wasRunning){
   Start-VMHostService -HostService $sshSrv -Confirm:$false
}
#
# Do other stuff, like copy the file
#
# Only stop the service if this script was the one that started it
if(-not $wasRunning){
   Stop-VMHostService -HostService $sshSrv -Confirm:$false
}

Where you restore the state of the service to what it was before.

0 Kudos
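
LucD's two replies combined into one run over several ESXi 4.1 hosts, as an added example that is not part of the original posts: it records whether SSH was running, copies the file with pscp, restores the service state, and reports hosts that were skipped or failed. The host filter, account and paths are placeholders, and a connected PowerCLI session is assumed.

```powershell
# Added example. Assumes Connect-VIServer has already been run; the host
# filter, account and paths below are placeholders, not values from the thread.
$hostFilter = "<hostname-pattern>"
$user       = "<account>"
$pswd       = "<password>"
$pscp       = "<PuTTY-directory>\pscp.exe"
$sourceFile = "C:\Temp\system-auth"   # modified PAM file for ESXi 4.1
$targetDir  = "/etc/pam.d/"

$results = foreach ($vmhost in Get-VMHost -Name $hostFilter) {
    $status = "Copied"
    $sshSrv = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "TSM-SSH" }
    if (-not $sshSrv) {
        # No TSM-SSH service (the ESXi 4.0 case in the thread): report it, change nothing
        $status = "Skipped: no TSM-SSH service"
    }
    else {
        $wasRunning = $sshSrv.Running
        try {
            if (-not $wasRunning) {
                Start-VMHostService -HostService $sshSrv -Confirm:$false -ErrorAction Stop | Out-Null
            }
            # -batch makes pscp fail instead of prompting, e.g. when the host key
            # is not cached yet; Out-Host keeps pscp output out of $results
            & $pscp -batch -scp -pw $pswd $sourceFile "$user@$($vmhost.Name):$targetDir" | Out-Host
            if ($LASTEXITCODE -ne 0) { $status = "Failed: pscp exit code $LASTEXITCODE" }
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        finally {
            # Put SSH back the way it was, even when the copy failed
            if (-not $wasRunning) {
                Stop-VMHostService -HostService $sshSrv -Confirm:$false | Out-Null
            }
        }
    }
    New-Object PSObject -Property @{ Host = $vmhost.Name; Status = $status }
}

# Hosts that still need attention
$results | Where-Object { $_.Status -ne "Copied" } | Format-Table Host, Status -AutoSize
```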
geirsjo
Contributor

Hi and thanks for the replies..

Just to be sure, the "TSM-SSH" service is not available on 4.0 U2?

/gekken

0 Kudos
LucD
Leadership

True, you will have to edit the /etc/inetd.conf file to enable ssh.

See Duncan's post for the details.

And I'm afraid that file is not included in the firmware package that you can retrieve with the Set-VMHostFirmware cmdlet.

0 Kudos