VMware Cloud Community
Chamon
Commander

Are these ESXi password complexity requirements even possible?

This is for ESXi 4 U1 specifically. If you could link me to some information, that would be great. Or even let me know if ALL of the below are possible. From the links below I know that some of these are possible, but I need a definitive answer for our security folks. And yes, we are enabling Lockdown mode and not adding any other users to these systems, except the vpxuser from VC. I also know this would not be a supported configuration due to the fact that we would need to log into the TechSupport mode without vmsupport on the line to do this.

Here are our requirements.

1. Enforce Password History: Set to remember a minimum of 24 passwords.

2. Maximum Password Age: Set to expire at least every 60 days.

3. Minimum Password Age: Set to allow changes in 1 day or more.

4. Minimum Password Length: Set to at least 12 characters in length.

5. Passwords must meet complexity requirements: Enabled

6. Passwords must contain characters from at least three of the following four classes:

• English Upper Case Letters (A, B, C, ...Z)

• English Lower Case Letters (a, b, c, ...z)

• Westernized Arabic Numerals (0, 1, 2, ...9)

• Non-alphanumeric, "Special characters" (!, @, #...^, *)

I have looked at the information on the following documents as well as others.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=101203...

http://linux.die.net/man/8/pam_passwdqc

9 Replies
Chamon
Commander

Anyone? I don't think it is possible with ESXi to meet ALL of these. But I wanted to see if anyone could show me that I was wrong and that they all can be met with ESXi 4.

Texiwill
Leadership

Hello,

ESXi has limited PAM module support. So unless you can implement using pam_passwdqc you will not be able to implement it.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
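
Added example, not part of any post in this thread: the pam_passwdqc man page linked in the question expresses requirements 4 to 6 through its `min=N0,N1,N2,N3,N4` option and has no option for password history or aging. This simplified Python model of its class counting compares `min=disabled,disabled,disabled,12,12` with the written policy; the function names and sample passwords are constructed, and passwdqc's dictionary, similarity and passphrase checks are left out.

```python
# Added example: simplified model of pam_passwdqc's character-class counting.
# Assumed option line: min=disabled,disabled,disabled,12,12
# Left out: passwdqc's dictionary, similarity and passphrase checks. ASCII only.
import string

DISABLED = float("inf")  # "disabled": no length is ever long enough
# min=N0,N1,N2,N3,N4: N0 one class, N1 two classes, N2 passphrase,
# N3 three classes, N4 four classes
POLICY_MIN = (DISABLED, DISABLED, DISABLED, 12, 12)


def class_counts(password):
    """Count characters per class: upper, lower, digit, other."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def naive_classes(password):
    """Classes as the written policy (requirement 6) counts them."""
    return sum(1 for n in class_counts(password).values() if n)


def passwdqc_classes(password):
    """Classes as pam_passwdqc counts them: an upper-case first character
    and a digit as the last character are not counted."""
    counts = class_counts(password)
    if password and password[0] in string.ascii_uppercase:
        counts["upper"] -= 1
    if password and password[-1] in string.digits:
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n)


def passwdqc_accepts(password, policy=POLICY_MIN):
    """Length check: try the class count found, then each lower count."""
    n0, n1, _n2, n3, n4 = policy
    min_for = {1: n0, 2: n1, 3: n3, 4: n4}
    found = passwdqc_classes(password)
    return any(len(password) >= min_for[c] for c in range(found, 0, -1))


if __name__ == "__main__":
    for pw in ("Password1234", "pass-Word-12x", "Tr0ub4dor&3"):  # constructed
        print(pw, naive_classes(pw), passwdqc_classes(pw), passwdqc_accepts(pw))
```

`Password1234` satisfies the written three-of-four rule but counts as two classes in this model, so the module would be stricter than the stated policy for passwords of that shape.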
Chamon
Commander

Thanks. It looks like we can get most of the way there but not all of the way.

Texiwill
Leadership

Hello,

I would look at HyTrust as an option to get all the way there.... Just a thought.

Chamon
Commander

I think we will wait for a release that will handle this for us instead of looking at purchasing a new 3rd party tool.

Thanks for the recommendation though.

Texiwill
Leadership

Hello,

Not sure there will be a release that handles this for you. ESXi is an appliance and it will get leaner not thicker. Then again, be sure to submit this as a Request for Improvement to VMware via your Sales or Support representative. VMware wants to reduce the console to just the required which generally does not include complex users.

Chamon
Commander

We can hope then. We have made a request through our SE so maybe they will be able to work something out. If not, the current capabilities will do.

Texiwill
Leadership

Hello,

ESXi 4.1 now includes the Likewise Open AD integration component which implies you do not need to set password complexity on the ESXi host directly but use AD for everything.

Perhaps that would suffice instead?

Chamon
Commander

Sure will. I was waiting for that.
