regnak2012
Enthusiast

ESXi Password Policy

Hi,

I've been trying to implement a change to disable certain types of passwords on ESXi hosts as part of a security lockdown. I edited the /etc/pam.d/passwd file and changed the default line as per KB1012033:

from:

password requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
to:

password requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,8,disabled,8,8


This saves fine, but I discovered it's not valid when my Virtual Center Appliance threw out its SSL cert. I regenerated it and had to reconnect the ESXi hosts. They refused to connect with an error about the password not meeting complexity requirements. I can generate a similar issue by using the command "passwd root" to force a password change on the root account, and the modified passwd file does not work. I've narrowed it down to the N2 entry: if I use "disabled" on N2 it breaks the password policy:


password requisite    /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4

N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware

N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345

N2=8: Passphrases must contain words that are each at least eight characters long. For example: software

N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123

N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!


I'm guessing that manipulating the N2 may conflict with the other policies but has anyone else got this to work? I've tested ESXi 5.1 & 5.5 with the same result.


Thanks

Mike

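Added example (not code from the post, from VMware or from the passwdqc project): a small Python model of how pam_passwdqc reads the min= option on the lines above. Per the passwdqc documentation, each of the five min values must be no larger than the one before it, and the keyword disabled counts as an infinite minimum, so min=disabled,8,disabled,8,8 fails to parse (N2 is larger than N1) rather than expressing a conflicting policy, which is consistent with the N2 observation in the post. The script validates that ordering, counts character classes the way passwdqc does (a leading upper-case letter and a trailing digit are not credited) and applies the per-class minimums to the KB's sample passwords. The passphrase word counting, the treatment of non-ASCII characters and the REORDERED_LINE value are this example's own assumptions, and the model is no substitute for running passwd on a host.

```python
"""Model of pam_passwdqc's min=N0,N1,N2,N3,N4 parsing and checking.

Example code written for this page; it is not the passwdqc module.
"""
import re
from typing import List, Optional

DISABLED = float("inf")  # passwdqc stores the keyword 'disabled' as INT_MAX

# The two lines from the post, and a hypothetical re-ordered line (assumption)
# that keeps the values non-increasing, so it parses: it disallows one-class,
# two-class and passphrase passwords and requires 8 chars for 3 or 4 classes.
ORIGINAL_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6"
MODIFIED_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,8,disabled,8,8"
REORDERED_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,8,8"


def parse_min(spec: str) -> List[float]:
    """Parse 'N0,N1,N2,N3,N4'; raise ValueError where passwdqc would reject it.
    A rejected option makes the module fail every password change."""
    fields = spec.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five values, got %d" % len(fields))
    mins: List[float] = []
    for f in fields:
        if f == "disabled":
            mins.append(DISABLED)
        elif f.isdigit():
            mins.append(int(f))
        else:
            raise ValueError("min=: bad value %r" % f)
    # Each value must be no larger than the preceding one ('disabled' is infinite).
    for i in range(1, 5):
        if mins[i] > mins[i - 1]:
            raise ValueError("min=: N%d=%s is larger than N%d=%s"
                             % (i, fields[i], i - 1, fields[i - 1]))
    return mins


def min_from_pam_line(line: str) -> List[float]:
    """Extract and validate the min= option from a /etc/pam.d/passwd line."""
    m = re.search(r"\bmin=(\S+)", line)
    if not m:
        raise ValueError("no min= option on line")
    return parse_min(m.group(1))


def config_error(line: str) -> Optional[str]:
    """None if the line's min= option is acceptable, else the parse error."""
    try:
        min_from_pam_line(line)
        return None
    except ValueError as e:
        return str(e)


def char_classes(pw: str) -> int:
    """Count classes as passwdqc does: an upper-case first character and a digit
    as the last character are not credited. Non-ASCII is lumped into 'others'
    here (simplification)."""
    if not pw:
        return 0
    digits = sum(c.isascii() and c.isdigit() for c in pw)
    lowers = sum(c.isascii() and c.islower() for c in pw)
    uppers = sum(c.isascii() and c.isupper() for c in pw)
    others = len(pw) - digits - lowers - uppers
    if uppers and pw[0].isupper():
        uppers -= 1
    if digits and pw[-1].isdigit():
        digits -= 1
    return (digits > 0) + (lowers > 0) + (uppers > 0) + (others > 0)


def check_password(pw: str, mins: List[float], passphrase_words: int = 3) -> Optional[str]:
    """None if pw meets the min= policy, else the reason it is rejected.
    Passphrase detection (N2) is simplified: runs of ASCII letters are words."""
    length = len(pw)
    classes = char_classes(pw)
    words = len(re.findall(r"[A-Za-z]+", pw))
    if words >= passphrase_words and length >= mins[2]:
        return None
    if classes >= 4 and length >= mins[4]:
        return None
    if classes >= 3 and length >= mins[3]:
        return None
    if classes >= 2 and length >= mins[1]:
        return None
    if length >= mins[0]:
        return None
    needed = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]] if classes else mins[0]
    if needed == DISABLED:
        return "%d-class passwords are disabled by policy" % classes
    return "too short for %d character class(es): %d < %d" % (classes, length, needed)


if __name__ == "__main__":
    samples = ("charsoftware", "chars12345", "CHars123", "CHars1!", "Chars1")
    for line in (ORIGINAL_LINE, MODIFIED_LINE, REORDERED_LINE):
        spec = line.split("min=")[1]
        err = config_error(line)
        if err:
            print("%-30s REJECTED BY PARSER: %s" % (spec, err))
            continue
        mins = min_from_pam_line(line)
        for pw in samples:
            print("%-30s %-14s %s" % (spec, pw, check_password(pw, mins) or "ok"))
```

Running it shows the original line and the re-ordered line parsing while the modified line is rejected before any password is looked at; "Chars1" counts as a single class because its only upper-case letter leads and its only digit trails.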