VMware Cloud Community
nirvy
Commander

ESXi 4.1 authentication bug?

Hi all

It seems that authentication only requires the first 8 characters to be correct. My root password is 11 characters long, but so long as the first 8 characters are correct, I can put whatever I like after that and it still authenticates me. Tested this on three ESXi boxes, all running 260247 (release)

It works (so far) on Local tech support login, and when adding host to vCenter inventory. Have not tested with ESX

Is this normal?

25 Replies
J1mbo
Virtuoso

Interesting - I've not been able to reproduce this on either 244038 or 261974 though.

http://blog.peacon.co.uk

Please award points to any useful answer.

lamw
Community Manager

I've not been able to reproduce this either. I would just update your password to ensure you are in fact using 11 characters and not the 8 and see if you can reproduce it.

=========================================================================

William Lam

VMware vExpert 2009,2010

VMware scripts and resources at:

Twitter: @lamw

Getting Started with the vMA (tips/tricks)

Getting Started with the vSphere SDK for Perl

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".

nirvy
Commander

Well, I've just logged in to SSH 6 times, each time using a different password string, that started with the first 8 digits of my original password.

I just changed the root password to VMware123, but I can login if I use VMware1234 or VMware123abc or VMware12, but anything less, like VMware1 doesn't work!

lamw
Community Manager

I just did some testing and I think I see what you're saying ... though I have a theory. Need to run a few more tests.

lamw
Community Manager

Here's what I've found.

My setup was an upgrade from ESXi 4.0 Update 2 -> ESXi 4.1, on which I did not have the issue. What I did for testing was go into DCUI and change my password, and that is when I see the issue.

I'm not sure if this is expected or something changed with the minimal password length being 8 ... if this is a bug, then it's a very bad one. I'm trying to see if there is a KB article mentioning this change and perhaps it's a configuration somewhere to change it. Legacy systems did have this 8 character limit, so maybe that is what is going on.

lamw
Community Manager

So, not sure if this was always a default or was it changed recently: http://kb.vmware.com/kb/1012033

Though per the article, it looks like it's 8 characters by default. You would need to change that if you need it to be longer. I don't use ESXi on a regular or even semi-regular basis, so I don't know what the expectation should be or if this has changed over releases. I just know that I had started from GA build of ESXi 4.0 and went to Update 1 -> Update 2 -> 4.1 and changing my password from what it was initially set to hits the problem you are seeing.

DSTAVERT
Immortal

I just tried this with a fresh install and it does just use the first 8 characters of a 20 character password.

-- David -- VMware Communities Moderator

lamw
Community Manager

I'm more interested in the behavior prior to 4.1 ... I can see from my testing that 4.1 has implemented and is following the 8 character rule.

In any case, I just ran a quick test, doing a clean installation of ESXi 4.0 Update2 and this issue does not arise even though /etc/pam.d/common-passwd has the following configured: retry=3 min=8,8,8,7,6

I'm guessing once you upgrade and you change your password, then you'll have to abide by the 8 character default for the password, which can be unexpected. This looks to be the case while doing a clean installation of ESXi 4.1 as well.

nirvy
Commander

I just tried it on ESXi 4.0.0 update 1 and it doesn't arise either. I wonder if ESX 4.1 exhibits the same problem, can anyone test?

DSTAVERT
Immortal

It looks like the /etc/pam.d/common-password may no longer be used. The /etc/pam.d/system-auth-generic is used like in ESX.

-- David -- VMware Communities Moderator

lamw
Community Manager

Pre ESXi 4.1, this issue does not occur; if you upgrade to 4.1 and change your password, you'll be abiding by the new rule. If you do a clean installation of 4.1, you will be abiding by the 8 character limit.

tietzjd25
Enthusiast

I have not been able to find out if that was an intentional change or not. Just don't try to edit those PAM files; at least in my experience, breaking PAM is a bad thing. :)

Joe Tietz VCAP-DCD Solutions Architect

lamw
Community Manager

Yea it does look like it's using different pam.d entries which might actually be implementing the right ones in 4.1 which is enforcing the default 8 character limit. I'm surprised that in the 21st century we're still setting a default of 8 ... reminds me of the crypt des limitation back in the day

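The remark above about the old DES crypt limitation suggests one thing to check on an affected host. As an added example (not part of the thread and not VMware code), this Python script flags shadow entries stored as traditional DES crypt, which uses only the first 8 characters of a password, and shows why the strings nirvy tried are equivalent under that scheme. It assumes, without the thread confirming it, that DES crypt is the cause; the sample shadow lines are constructed.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def classify_hash(field):
    """Name the crypt(3) scheme of one shadow password field."""
    if field == "" or field[0] in "!*":
        return "locked-or-empty"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def des_effective_key(password):
    """Bytes that traditional DES crypt actually uses: the first 8,
    with the high bit of each byte dropped."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])


def audit_shadow(text):
    """Return the users whose hash is traditional DES, i.e. whose
    password is only checked up to the eighth character."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "des":
            flagged.append(parts[0])
    return flagged


# Constructed sample entries, not taken from any real host.
SAMPLE_SHADOW = """\
root:abExampleHash:14800:0:99999:7:::
admin:$1$saltsalt$0123456789abcdefghijk.:14800:0:99999:7:::
nobody:*:13358:0:99999:7:::
"""

if __name__ == "__main__":
    print("DES-hashed accounts:", audit_shadow(SAMPLE_SHADOW))
    for pw in ("VMware123", "VMware1234", "VMware123abc", "VMware12", "VMware1"):
        print(pw, des_effective_key(pw) == des_effective_key("VMware123"))
```
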
DSTAVERT
Immortal

I just copied all the pam.d files from 4.0 to a 4.1 install and no change, so it goes beyond just configuration entries. William, do you have a 4.1 beta running and could you have a look there? I'll see if I can find a disk.

-- David -- VMware Communities Moderator

lamw
Community Manager

I've just notified VMware of the issue, they'll get some engineering to take a look and provide either a clarification or KB

DSTAVERT
Immortal

Was just about to do the same.

I wonder what effect there might be with AD.

-- David -- VMware Communities Moderator

tietzjd25
Enthusiast

I have not dove in too deep on the issue yet, but I am sure VMware is using some kind of LUM (Linux Enable User) software with AD to function much like Edir LUM for SUSE from Novell. There were a lot of issues with LUM and PAM on Novell's 1st and even 2nd go around; I am hoping that VMware has better luck.

The way it is setup sounds to me like the feature is just pulling in LDAP information from AD.

Joe Tietz VCAP-DCD Solutions Architect

maishsk
Expert

I can confirm the issue as well - I performed an upgrade from the RC build
Maish - VCP - vExpert 2010

VMware Communities User Moderator

Virtualization Architect & Systems Administrator

Twitter

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design

DSTAVERT
Immortal

> I can confirm the issue as well - I performed an upgrade from the RC build
> Maish - VCP - vExpert 2010

Did you test this issue before you upgraded from GA?

-- David -- VMware Communities Moderator