Our customer security policy is to set an age limit on ESXi user accounts. On ESX 4.0 I used esxcfg-auth --passmaxdays=40, but this command is no longer available in ESXi 5.0. Can anyone tell me if there is a simple way to do it without messing about too much at a granular level? I'm really struggling to find this.
I know about Lockdown mode etc. It's a highly secure customer and they specifically want it set rather than rely on Lockdown.
Thanks
Yes, currently a password aging policy is not supported on ESXi 5, and there are currently no plans to support it. You can send a feature request: http://www.vmware.com/in/support/policies/feature.html
Have a read of the following KB:
Changing the default password expiration policy in ESX 4.x (1025642)
VMware KB: ESX and ESXi 4.x and 5.x password requirements and restrictions
Thanks Tom but these only refer to password complexity. I can't see anything advising how to change the password age policy.
Sorry Tom. I opened the wrong KB. I will give KB 1025642 a try.
Tom the /etc/login.defs is no longer available in ESXi 5.0. The KB 1025642 refers to an earlier version.
Have you read the following:
Security Hardening on ESXi, not esx?
There is an answer from Texiwill that may help you. I am pretty certain that this is now no longer possible, but due to other safeguards put in place it is no longer a significant issue;
I mean it is not a real issue for any of the secure sites I have worked on.
It has been deprecated from vSphere 5.
We know that; it is just that certain environments have policies regarding password expiration that ESXi is now in contravention of. So a blanket statement that it has been deprecated is not helping.
How can we replicate this feature without breaking supportability? That is the question.
Do you happen to have any links confirming it has been deprecated in vSphere 5, to enable me to present it to my security team?
Thanks
It may be worthwhile looking through the vSphere 5 Hardening Guide; there may be mitigations in there regarding defense in depth to cover the lack of password expiration.
Here is the answer to the blanket statement, since it does not make sense to have one, considering the security it has. The security option is to enable Lockdown mode. Administration is then limited to vCenter and root access via the DCUI. The DCUI can then be further limited to personnel with access to the out-of-band management network (or disabled entirely) and/or physical access to the hardware...
Please see my original post. I'm fully familiar with Lockdown mode. Our security team want a specific setting. If it is no longer available as an option, I will be required to provide evidence to that effect. Hence the reason I asked if you had a link to the statement.
Cheers.
I'm actually creating an internal company hardening guide for our VMware support team to implement, based on the VMware vSphere 5.0 hardening guide and local security requirements. Step 4 of the 'ESXi' section of the VMware guide specifically states that if configuring a password ageing policy (which would suggest you can), you should make sure that it is greater than the 30-day ageing policy for the vpxuser.
Which, if you use Lockdown mode and configure users on your vCenter and iLO devices, you can, as your policy set at domain level will take precedence; you then protect your root password with physical security methods like a two-user password creation policy.
I.e. user A enters half the password, writes it down and seals it in an envelope marked part one; user B then enters the second half of the password, writes it down and seals it in an envelope marked part two; these are then sealed in a third envelope called "root password", the seals signed to prevent unauthorized access, and the envelope placed in the company safe.
Let me check internally and will keep you posted. :) Keep cheering, Tom 😉
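As an added example (not from the thread and not VMware's code), a POSIX sh audit helper that reads PASS_MAX_DAYS from an ESX 4.x-style /etc/login.defs and checks it against the 40-day policy from the opening post and the hardening-guide rule that it must exceed the 30-day vpxuser ageing; the sample files, the function names and the 40/30-day values are assumptions, and an ESXi 5.0 host, which has no login.defs, is reported as unsupported rather than silently passing.

```shell
#!/bin/sh
# Added audit helper, not from the thread: check an ESX 4.x-style /etc/login.defs
# against the thread's 40-day policy and the hardening-guide rule that the host
# setting must exceed the 30-day vpxuser ageing. Assumed values: POLICY_MAX_DAYS=40,
# VPXUSER_AGE_DAYS=30. On ESXi 5.0 the file is absent, so the check reports that.
POLICY_MAX_DAYS=40
VPXUSER_AGE_DAYS=30

# Print the effective PASS_MAX_DAYS from a login.defs file (last definition wins,
# comments ignored); prints nothing when the key is not set.
get_pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { if (v != "") print v }' "$1"
}

# Exit status: 0 compliant, 1 non-compliant value, 2 unsupported (file missing).
check_password_aging() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "UNSUPPORTED: $file not present (ESXi 5.0: no password ageing; use compensating controls)"
        return 2
    fi
    days=$(get_pass_max_days "$file")
    if [ -z "$days" ]; then
        echo "NON-COMPLIANT: PASS_MAX_DAYS not set in $file (no expiry enforced)"
        return 1
    elif [ "$days" -gt "$POLICY_MAX_DAYS" ]; then
        echo "NON-COMPLIANT: PASS_MAX_DAYS=$days exceeds the $POLICY_MAX_DAYS-day policy"
        return 1
    elif [ "$days" -le "$VPXUSER_AGE_DAYS" ]; then
        echo "NON-COMPLIANT: PASS_MAX_DAYS=$days is not greater than the $VPXUSER_AGE_DAYS-day vpxuser ageing"
        return 1
    fi
    echo "COMPLIANT: PASS_MAX_DAYS=$days"
    return 0
}

# Constructed sample files standing in for /etc/login.defs on three hosts.
AUDIT_DIR=$(mktemp -d)
printf '# constructed ESX 4.x host\nPASS_MAX_DAYS   40\nPASS_MIN_DAYS   0\n' > "$AUDIT_DIR/esx4_login.defs"
printf 'PASS_MAX_DAYS   99999\n' > "$AUDIT_DIR/esx4_default_login.defs"
# ESXi 5.0 host: no login.defs at all, so the path simply does not exist.
for f in esx4_login.defs esx4_default_login.defs esxi5_login.defs; do
    check_password_aging "$AUDIT_DIR/$f" || echo "  (exit status $?)"
done
```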
Thanks
The response is that currently we don't support password expiration in ESXi 5. Probably you need to open an SR with VMware support to get the reason.
Thanks for asking
Aakash, thanks for this response. I'm not familiar with posting on this community (as may be obvious) and I automatically assumed that posters were all 'users' like myself. Can I assume from your response "The response is currently we don't support password expiration in ESXi 5" that you are affiliated with VMware? If so, then your response would be sufficient for my requirements.