Hi,
I've been trying to implement a change to disable certain types of passwords on ESXi Hosts as part of a security lockdown. I edit the /etc/pam.d/passwd file and change the default line as per KB1012033:
from:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
to:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,8,disabled,8,8
This saves fine, but I discovered it's not valid when my Virtual Center Appliance threw out its SSL cert; I regenerated it and had to reconnect the ESXi Hosts. They refused to connect with an error about the password not meeting complexity requirements. I can generate a similar issue by using the command "passwd root" to force a password change on the root account, and the modified passwd file does not work. I've narrowed it down to the N2 entry: if I use "disabled" on N2 it breaks the password policy:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware
N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345
N2=8: Passphrases must contain words that are each at least eight characters long. For example: software
N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123
N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!
I'm guessing that manipulating N2 may conflict with the other policies, but has anyone else got this to work? I've tested ESXi 5.1 & 5.5 with the same result.
Thanks
Mike
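An added example (not from the post above or from VMware): a small Python model of how pam_passwdqc reads the min=N0,N1,N2,N3,N4 option and decides which threshold a candidate password must meet. It assumes the rules documented in the pam_passwdqc README for the 1.0.x releases: each value must be no larger than the one before it ("disabled" is stored as INT_MAX), an uppercase first character and a digit last character are not counted towards character classes, and a passphrase of enough words is judged against N2. Word counting is simplified to runs of letters.

```python
import re

DISABLED = 2**31 - 1  # pam_passwdqc stores "disabled" as INT_MAX


def parse_min(arg):
    """Parse a 'min=N0,N1,N2,N3,N4' option the way pam_passwdqc 1.0.x does.

    Returns the five thresholds, or None when the option would be rejected:
    every value must be <= the value before it, and "disabled" is the
    largest possible value. That is why min=disabled,8,disabled,8,8 fails
    (N2=disabled is larger than N1=8) while min=8,8,8,7,6 is accepted.
    """
    m = re.fullmatch(r"min=(.*)", arg)
    if not m:
        return None
    parts = m.group(1).split(",")
    if len(parts) != 5:
        return None
    mins = []
    for part in parts:
        if part == "disabled":
            v = DISABLED
        elif part.isdigit():
            v = int(part)
        else:
            return None
        if mins and v > mins[-1]:
            return None  # non-increasing order violated
        mins.append(v)
    return mins


def required_length(password, mins, passphrase_words=3):
    """Return the minimum length that applies to this password."""
    core = password
    if core and core[0].isupper():   # leading uppercase is not counted
        core = core[1:]
    if core and core[-1].isdigit():  # trailing digit is not counted
        core = core[:-1]
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in core) for t in tests)
    by_classes = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}
    need = by_classes.get(classes, mins[0])
    # Simplification: a "word" is a run of letters; enough words make a
    # passphrase, which may instead be judged against N2.
    if len(re.findall(r"[A-Za-z]+", password)) >= passphrase_words:
        need = min(need, mins[2])
    return need


def acceptable(password, mins):
    """True if the password is long enough for its class count."""
    return len(password) >= required_length(password, mins)
```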