Hi all
It seems that authentication only requires the first 8 characters to be correct. My root password is 11 characters long, but so long as the first 8 characters are correct, I can put whatever I like after that and it still authenticates me. Tested this on three ESXi boxes, all running 260247 (release).
It works (so far) on Local tech support login, and when adding host to vCenter inventory. Have not tested with ESX.
Is this normal?
Interesting - I've not been able to reproduce this on either 244038 or 261974 though.
Please award points to any useful answer.
I've not been able to reproduce this either. I would just update your password to ensure you are in fact using 11 characters and not the 8 and see if you can reproduce it.
=========================================================================
William Lam
VMware vExpert 2009,2010
VMware scripts and resources at:
Getting Started with the vMA (tips/tricks)
Getting Started with the vSphere SDK for Perl
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
Well, I've just logged in to SSH 6 times, each time using a different password string, that started with the first 8 digits of my original password.
I just changed the root password to VMware123, but I can log in if I use VMware1234 or VMware123abc or VMware12, but anything less, like VMware1, doesn't work!
I just did some testing and I think I see what you're saying ... though I have a theory. Need to run a few more tests.
Here's what I've found.
My setup was an upgrade from ESXi 4.0 Update 2 -> ESXi 4.1, where I did not have the issue. What I did for testing was go into DCUI and change my password, and that is when I see the issue.
I'm not sure if this is expected or something changed with the minimal password length being 8 ... if this is a bug, then it's a very bad one. I'm trying to see if there is a KB article mentioning this change and perhaps it's a configuration somewhere to change it. Legacy systems did have this 8 character limit, so maybe that is what is going on.
So, not sure if this was always a default or was it changed recently: http://kb.vmware.com/kb/1012033
Though per the article, it looks like it's 8 characters by default. You would need to change that if you need it to be longer. I don't use ESXi on a regular or even semi-regular basis, so I don't know what the expectation should be or if this has changed over releases. I just know that I had started from GA build of ESXi 4.0 and went to Update 1 -> Update 2 -> 4.1 and changing my password from what it was initially set to hits the problem you are seeing.
I just tried this with a fresh install and it does just use the first 8 characters of a 20 character password.
I'm more interested in the behavior prior to 4.1 ... I can see from my testing that 4.1 has implemented and is following the 8 character rule.
In any case, I just ran a quick test, doing a clean installation of ESXi 4.0 Update2, and this issue does not arise even though /etc/pam.d/common-passwd has the following configured: retry=3 min=8,8,8,7,6
I'm guessing once you upgrade and you change your password, then you'll have to abide by the 8 character default for the password which can be unexpected. This looks to be the case while doing a clean installation of ESXi 4.1 as well
I just tried it on ESXi 4.0.0 update 1 and it doesn't arise either. I wonder if ESX 4.1 exhibits the same problem, can anyone test?
It looks like the /etc/pam.d/common-password may no longer be used. The /etc/pam.d/system-auth-generic is used like in ESX.
Pre ESXi 4.1, this issue does not occur; if you upgrade to 4.1 and change password, you'll be abiding by the new rule. If you do a clean installation of 4.1, you will be abiding by the 8 character limit.
I have not been able to find out if that was an intentional change or not. Just don't try to edit those PAM files; well, at least in my experience, breaking PAM is a bad thing.
Yea it does look like it's using different pam.d entries which might actually be implementing the right ones in 4.1 which is enforcing the default 8 character limit. I'm surprised that in the 21st century we're still setting a default of 8 ... reminds me of the crypt des limitation back in the day
I just copied all the pam.d files from 4.0 to a 4.1 install and no change, so it goes beyond just configuration entries. William, do you have a 4.1 beta running and could you have a look there? I'll see if I can find a disk.
I've just notified VMware of the issue, they'll get some engineering to take a look and provide either a clarification or KB.
Was just about to do the same.
I wonder what effect there might be with AD.
I have not dove in too deep on the issue yet, but I'm sure VMware is using some kind of LUM (Linux Enable User) software with AD to function much like Edir LUM for SUSE from Novell. There were a lot of issues with LUM and PAM on Novell's 1st and even 2nd go around, I am hoping that VMware has better luck.
The way it is setup sounds to me like the feature is just pulling in LDAP information from AD.
I can confirm the issue as well - I performed an upgrade from the RC build
Maish - VCP - vExpert 2010
VMware Communities User Moderator
Virtualization Architect & Systems Administrator
Did you test this issue before you upgraded from GA?
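Added example, not part of the thread: the "crypt des limitation" mentioned earlier is that traditional DES crypt(3) uses only the first 8 characters of a password, and its hashes appear in /etc/shadow as 13 characters with no `$id$` prefix. Assuming that is the cause of the behaviour reported here (the thread does not confirm it), this check flags accounts whose stored hash is in that format; the function names and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt: 2 salt chars + 11 hash chars, no "$id$" prefix.
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt prefixes; these schemes do not stop at 8 characters.
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

# Constructed sample in /etc/shadow format; every hash value is made up.
SAMPLE_SHADOW = "\n".join([
    "root:aaQ9zXc1L0pDk:14800:0:99999:7:::",
    "admin:$1$Xy7kLm2p$abcdefghijklmnopqrstuv:14800:0:99999:7:::",
    "backup:$6$saltsalt$" + "A" * 86 + ":14800:0:99999:7:::",
    "daemon:*:14800:0:99999:7:::",
    "olduser:!abJnggxhB/yJ2:14800:0:99999:7:::",
])


def classify(field):
    """Name the hash scheme of one shadow password field."""
    stored = field.lstrip("!*")  # '!' or '*' marks a locked account
    if not stored:
        return "none"            # no hash stored at all
    for prefix, name in PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if DES_HASH.fullmatch(stored):
        return "des"
    return "unknown"


def truncating_accounts(shadow_text):
    """Return users whose hash format only covers the first 8 characters.

    Locked accounts are included: unlocking them restores the same hash.
    """
    flagged = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        if classify(parts[1]) == "des":
            flagged.append(parts[0])
    return flagged


if __name__ == "__main__":
    for user in truncating_accounts(SAMPLE_SHADOW):
        print(f"{user}: DES crypt hash, password effectively 8 characters")
```

An account flagged this way keeps its 8-character hash until its password is set again under a stronger scheme.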