VMware Cloud Community
eziemann

Syntax of esxcfg-auth --usepamqc requires 6 args - no documentation

I am testing and trying to implement security on local passwords with esxcfg-auth --usepamqc option as suggested by CIS in section 11.1.1 of

Action: As root from the service console: esxcfg-auth --usepamqc=disabled disabled -1 12 8

However, the doc was written for ESX 3.0.x and we have installed 3.5 U2. I get the error: "esxcfg-auth: error: --usepamqc option requires 6 values" but I can't find any reference to 6 arguments anywhere.

man pam_passwdqc and esxcfg-auth --help only reference 5 arguments. I haven't been able to find anything on Google either.

Has anyone else figured out the syntax?

kjb007

Using the value below, your password has to be at least 8 characters, and can include characters from 4 different classes.

-KjB

--usepamqc
    Enables the use of the pam_passwdqc PAM module for password complexity
    checking. It can be configured by passing a 6 value tuple as the value.
    The tuple is formed from the following information:

    - minimum length of a single character class password
    - minimum length of a password that has characters from 2 character classes
    - minimum number of words in a passphrase
    - minimum length of a password that has characters from 3 character classes
    - minimum length of a password that has characters from 4 character classes

    This does not fully expose the abilities of this powerful PAM module. See
    the pam_passwdqc man page for more information on how to use this PAM
    module to enforce password rules on the user's password.

    If you pass a value of -1 for any of the six tuple values, that is
    understood as disable this option. An example of a tuple is
    "8 -1 -1 -1 8 4".

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
eziemann

I saw that but it only references 5 options.

How would I get a policy of 8 characters from at least 3 groups?

kjb007

Sorry, the last # is how many character matches you want performed to determine a weak password.

So, in your case, you want to use "8 -1 -1 8 -1 4"

You can also check your settings by typing 'esxcfg-auth --probe'

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
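
A pre-flight check for the six-value tuple discussed in this thread, as an added example that is not part of the original posts or of VMware's tooling. The function names are hypothetical, the field labels are taken from the man page excerpt and kjb007's reply, and it is an assumption that each value is either -1 or a plain non-negative integer.

```shell
#!/bin/sh
# Added example: validate and decode an esxcfg-auth --usepamqc tuple before
# applying it. Labels 1-5 follow the man page excerpt quoted in the thread;
# label 6 follows kjb007's description of the last value.

# describe_field POSITION -> label for that tuple position
describe_field() {
    case "$1" in
        1) echo "min length, 1 character class" ;;
        2) echo "min length, 2 character classes" ;;
        3) echo "min words in a passphrase" ;;
        4) echo "min length, 3 character classes" ;;
        5) echo "min length, 4 character classes" ;;
        6) echo "character matches for weak-password check" ;;
    esac
}

# check_pamqc_tuple "v1 v2 v3 v4 v5 v6"
# Prints one decoded line per field; returns 1 on a wrong count or bad value.
check_pamqc_tuple() {
    set -f          # no filename globbing while splitting the argument
    set -- $1
    set +f
    if [ "$#" -ne 6 ]; then
        echo "error: expected 6 values, got $#" >&2
        return 1
    fi
    pos=1
    for v in "$@"; do
        case "$v" in
            -1) state="disabled" ;;
            *[!0-9]*)
                echo "error: value $pos ('$v') is not -1 or an integer" >&2
                return 1 ;;
            *) state="$v" ;;
        esac
        echo "$pos: $(describe_field "$pos") = $state"
        pos=$((pos + 1))
    done
}

# The tuple from kjb007's reply, decoded position by position.
check_pamqc_tuple "8 -1 -1 8 -1 4"
```

After applying a tuple that passes this check, 'esxcfg-auth --probe' (mentioned above) shows the settings actually in effect.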
Texiwill

Hello,

Documentation is at 'man pam_passwdqc' from the CLI of your ESX server.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill