toob
Contributor
Contributor

Password Expiry vSphere 4.0.U2

Jump to solution

Hi

So I've created a password expiry policy in my ks via:

esxcfg-auth --passmaxdays=42

and a corresponding entry for minimum days before the change.

My questions are

1: I assume this does not apply the Root account?

2: Is there anyway to exclude a local account on the host from the policy?

For background, I could do with a pair of local accounts that never expire: one for logging on via console (root access to be disabled at console) and another one for our managment guys to connect with to interrogate log files.

I'd rather not go down the AD authentication route.

Your thoughts please

Thanks

0 Kudos
1 Solution

Accepted Solutions
jgaddi
VMware Employee
VMware Employee

1: I assume this does not apply the Root account?

No. using chage command you will see -1 set to root. This only applies to non-root users

# chage -l root

Last password change : Aug 31, 2010

Password expires : never

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : -1

Number of days of warning before password expires : 7

2: Is there anyway to exclude a local account on the host from the policy?

Based on my test server, this does not apply to users added before the change. Execute the command and use chage -l to show the max days. if you see 999999, that is the default. In case the change does reflect on local users, just use the command chage to change it to -1 to not expire.

hope this helps.

View solution in original post

0 Kudos
3 Replies
jgaddi
VMware Employee
VMware Employee

1: I assume this does not apply the Root account?

No. using chage command you will see -1 set to root. This only applies to non-root users

# chage -l root

Last password change : Aug 31, 2010

Password expires : never

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : -1

Number of days of warning before password expires : 7

2: Is there anyway to exclude a local account on the host from the policy?

Based on my test server, this does not apply to users added before the change. Execute the command and use chage -l to show the max days. if you see 999999, that is the default. In case the change does reflect on local users, just use the command chage to change it to -1 to not expire.

hope this helps.

View solution in original post

0 Kudos
toob
Contributor
Contributor

Thanks, thats usefull. However I've tested this on few machines and all accounts show -1

I've done a 'grep -i max_days /etc/login.defs' and this returns PASS_MAX_DAYS 42 as expected.

I wonder if the following is related:

(http://linux.about.com/library/cmd/blcmdl1_chage.htm)

"The chage program requires shadow password file to be available.

Its functionality is not available when passwords are stored in the passwd file."

There is a /etc/security/opasswd file in place on the servers - is that the same as a passwd file?

0 Kudos
jgaddi
VMware Employee
VMware Employee

Just clarification, old accounts that you have before you executed esxcfg-auth should not have the new pass max value. You can either have -1 (never expires) or 99999. The once you issue the esxcfg-auth command, you should change old accts using chage. Here is an example

# chage jjjj

Changing the aging information for jjjj

Enter the new value, or press ENTER for the default

Minimum Password Age :

Maximum Password Age : 24

Last Password Change (YYYY-MM-DD) :

Password Expiration Warning :

Password Inactive :

Account Expiration Date (YYYY-MM-DD) :

#

#

# chage -l jjjj

Last password change : Oct 01, 2010

Password expires : Oct 25, 2010

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 24

Number of days of warning before password expires : 7

ESX (classic) uses /etc/shadow and /etc/passwd, we don't use /etc/security/opasswd