esxi/password-policy

Set the ESXi software install acceptance level.

In ESXi 6 and later, the password security policy is controlled through the /etc/pam.d/passwd file.

The stock file is used by default. It can be replaced by updating this parameter and running the esxi-password-security-policy task.

Password strength is specified on the pam_passwdqc.so line.

  • password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4

Example:

  • password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6

The parts are:

  • retry is the number of times a user is prompted for a new password if the password candidate is not sufficiently strong.
  • N0 is the number of characters required for a password that uses characters from only one character class. For example, the password contains only lowercase letters.
  • N1 is the number of characters required for a password that uses characters from two character classes.
  • N2 is used for passphrases. ESXi requires three words for a passphrase. Each word in the passphrase must be 8-40 characters long.
  • N3 is the number of characters required for a password that uses characters from three character classes.
  • N4 is the number of characters required for a password that uses characters from all four character classes.

For the N0 through N3 fields, disabled may be specified to ignore that class type.
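As an added illustration (not part of this page or of VMware's tooling), the following Python reproduces the min=N0,N1,N2,N3,N4 evaluation described above for a candidate password. It assumes the three-word passphrase rule with 8-40 character words stated in the text, simplifies pam_passwdqc's class counting (a leading capital and a trailing digit are not discounted), and the DEFAULT_LINE value is constructed here to show a disabled field.

```python
import re

# Slot in min=N0,N1,N2,N3,N4 used for a given class count; N2 is for passphrases.
CLASS_TO_MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}
PASSPHRASE_WORDS = 3      # ESXi requires three words
WORD_LEN = (8, 40)        # each passphrase word must be 8-40 characters

# Line quoted on this page, and (constructed here) a policy with N0 disabled.
EXAMPLE_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6"
DEFAULT_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,24,11,8,7"

def parse_passwdqc(line):
    """Return (retry, [N0..N4]) from a pam_passwdqc line; 'disabled' becomes None."""
    m = re.search(r"\bmin=(\S+)", line)
    if not m:
        raise ValueError("pam_passwdqc line has no min= option")
    fields = m.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five fields: N0,N1,N2,N3,N4")
    mins = [None if f == "disabled" else int(f) for f in fields]
    # pam_passwdqc requires each N to be no larger than the one before it.
    order = [float("inf") if n is None else n for n in mins]
    if any(a < b for a, b in zip(order, order[1:])):
        raise ValueError("min= values must be non-increasing")
    r = re.search(r"\bretry=(\d+)", line)
    return (int(r.group(1)) if r else 3), mins

def char_classes(password):
    """Count classes present: lower, upper, digit, other. Simplified: real
    pam_passwdqc also discounts a leading capital and a trailing digit."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for t in tests if any(t(c) for c in password))

def check_password(password, mins):
    """Evaluate a candidate against [N0..N4]; returns (accepted, reason)."""
    words = password.split()
    if (mins[2] is not None and len(words) >= PASSPHRASE_WORDS
            and all(WORD_LEN[0] <= len(w) <= WORD_LEN[1] for w in words)
            and len(password) >= mins[2]):
        return True, "passphrase"
    n = char_classes(password)
    if n == 0:
        return False, "empty password"
    required = mins[CLASS_TO_MIN_INDEX[n]]
    if required is None:
        return False, f"{n}-class passwords are disabled by policy"
    if len(password) < required:
        return False, f"{n} class(es) need {required} chars, got {len(password)}"
    return True, f"{n} class(es), {len(password)} chars"
```

Parsing a line and calling check_password on a few candidates shows which slot of min= applies to each and why a short four-class password or a single-class password under a disabled N0 is rejected.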

Password history can also be modified with the following line:

  • password requisite /lib/security/$ISA/pam_pwhistory.so use_authtok enforce_for_root retry=2 remember=0

Adding this line enforces a number of retries before failure and controls how often a password can be reused.