VMware Cloud Community
Cyberfed27
Hot Shot

Password history and Failed logon attempts - how to configure in vSphere 4

Hey folks,

I need some help, I am treading on new ground and need some hand holding :(

I am trying to enable password history and failed logon attempts in a fresh vSphere install.

I am using the following PDF as my guide: "vSphere Hardening Guide April 2010"

Problem #1 ENABLE PASSWORD HISTORY

The PDF states to do the following:

Edit the /etc/pam.d/system-auth-generic file and add the string “remember=x”, where x is the number of passwords to retain, to the end of the following line:

“password sufficient /lib/security/$ISA/pam_unix.so”

However, when I look at the system-auth-generic file, there is no line that contains $ISA/pam_unix.so and the phrase "password sufficient". The only line I see that even references $ISA is:

password required /lib/security/$ISA/pam_passwdqc.so min=disabled,disabled,disabled,12,8, similar=deny match=0

This is the only line that has "password sufficient" in my sys-auth-generic file:

"password sufficient pam_unix.so try_first_pass use_authtok nullok md5"

So I added "remember =10" at the end of this line. Is that correct??

I also performed the following commands as required:

touch /etc/security/opasswd

chmod 600 /etc/security/opasswd

chown root:root /etc/security/opasswd

PROBLEM 2 FAILED LOGON ATTEMPTS

The guide says to use the following command to set the number of failed attempts:

esxcfg-auth --maxfailedattempts=3

This command is not recognized in vSphere 4.... How can I set this up, what do I need to edit, etc...???

Thanks guys I really appreciate it.

0 Kudos
2 Replies
6910p
Contributor

Have the same problem with establishing a password history, also new to all this and have limited Linux experience. Does anyone have an update...

should the line read

Password sufficient pam_unix.so try_first_pass use_authtok nullok shadow md5 remember=x

x = whatever number you like

or should we write the line as the hardening document describes

Password sufficient /lib/security/$ISA/pam_unix try_first_pass use_authtok nullok shadow md5 remember=x

A little help here please. Don't suppose there is a discussion group about hardening ESX in general?

0 Kudos
Texiwill
Leadership

Hello,

Use the following line, note that it is slightly different as it uses .so at the end of pam_unix, where you typed it without the .so.

Password sufficient /lib/security/$ISA/pam_unix.so try_first_pass use_authtok nullok shadow md5 remember=x

"A little help here please. Don't suppose there is a discussion group about hardening ESX in general"

This is the proper forum for such discussions.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
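
A small audit script for the settings discussed in this thread, added here as an example and not taken from the hardening guide or from any poster: it checks that the pam_unix.so password line carries a well-formed remember=N token and that the opasswd file has mode 600 and root ownership. The function names are hypothetical; it assumes simple control keywords (no bracket syntax) in the PAM file and GNU stat.

```shell
#!/bin/sh
# Added example: audit the password-history settings from this thread.
# Function names are hypothetical; GNU stat and awk are assumed.

# check_pw_history FILE
#   0 = a "password ... pam_unix.so" line has a valid remember=N (N >= 1)
#   1 = pam_unix.so password line found, but it has no remember option
#   2 = remember is malformed, e.g. "remember =10" (PAM splits options on
#       whitespace, so that becomes two unusable tokens) or a literal "remember=x"
#   3 = FILE has no password line for pam_unix.so
check_pw_history() {
    awk '
        # $1 = type, $2 = control, $3 = module (bare name or full path)
        tolower($1) == "password" && $3 ~ /pam_unix\.so$/ {
            found = 1
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^remember=[1-9][0-9]*$/) ok = 1
                else if ($i ~ /^remember/ || $i ~ /^=/) bad = 1
            }
        }
        END {
            if (!found) exit 3
            if (bad)    exit 2
            if (ok)     exit 0
            exit 1
        }' "$1"
}

# check_opasswd FILE [UID:GID]
#   0 = FILE exists with mode 600 and the expected numeric owner
#       (default 0:0, i.e. root:root as set by the chmod/chown steps above)
check_opasswd() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %u:%g' "$1")" = "600 ${2:-0:0}" ]
}

# Usage: sh audit.sh /etc/pam.d/system-auth-generic [/etc/security/opasswd]
if [ -n "${1:-}" ]; then
    rc=0; check_pw_history "$1" || rc=$?
    echo "pam_unix remember check: exit code $rc"
    if check_opasswd "${2:-/etc/security/opasswd}"; then
        echo "opasswd: mode and owner OK"
    else
        echo "opasswd: missing, or wrong mode/owner"
    fi
fi
```

Exit code 2 is the case to watch for after a hand edit: the line still parses as a PAM entry, but the history option on it is not a usable remember=N token.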