I am testing and trying to implement security on local passwords with esxcfg-auth --usepamqc option as suggested by CIS in section 11.1.1 of
Action: As root from the service console: esxcfg-auth --usepamqc=disabled disabled -1 12 8
However, the doc was written for ESX 3.0.x and we have installed 3.5 U2. I get the error: "esxcfg-auth: error: --usepamqc option requires 6 values" but I can't find any reference to 6 arguments anywhere.
man pam_passwdqc and esxcfg-auth --help only reference 5 arguments. I haven't been able to find anything on Google either.
Has anyone else figured out the syntax?
Using the value below, your password has to be at least 8 characters, and can include characters from 4 different classes.
-KjB
--usepamqc
    Enables the use of the pam_passwdqc PAM module for password complexity checking. It can be configured by passing a 6 value tuple as the value. The tuple is formed from the following information:
    - minimum length of a single character class password
    - minimum length of a password that has characters from 2 character classes
    - minimum number of words in a passphrase
    - minimum length of a password that has characters from 3 character classes
    - minimum length of a password that has characters from 4 character classes
    This does not fully expose the abilities of this powerful PAM module. See the pam_passwdqc man page for more information on how to use this PAM module to enforce password rules on the user's password.
    If you pass a value of -1 for any of the six tuple values, that is understood as disable this option. An example of a tuple is "8 -1 -1 -1 8 4".
I saw that but it only references 5 options.
How would I get a policy of 8 characters from at least 3 groups?
Sorry, the last # is how many character matches you want performed to determine a weak password.
So, in your case, you want to use "8 -1 -1 8 -1 4"
You can also check your settings by typing 'esxcfg-auth --probe'
-KjB
Hello,
Documentation is at 'man pam_passwdqc' from the CLI of your ESX server.
Best regards,
Edward L. Haletky
VMware Communities User Moderator