Configure the root User Account Lockout Policy for vCenter Server
Set the maximum number of failed login attempts and the time that must pass before the account is automatically unlocked for the root local account in the vCenter Server appliances in VMware Cloud Foundation.
| Setting | Default Value |
|---|---|
| Maximum number of failed login attempts | 3 |
| Unlock time for root | 300 seconds |
| Unlock time | 900 seconds |
UI Procedure
- Log in to the vCenter Server appliance using SSH as root.
- Enable shell access.
    shell
- Back up the authentication requirements for the appliance using the following command.
    cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-`date +%F_%H:%M:%S`.back
- Change the maximum number of failed attempts using the following command.
    sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
- Change the unlock time for the root account (the root_unlock_time setting) using the following command.
    sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
- Change the general unlock time (the unlock_time setting, which applies to accounts other than root) using the following command. The leading ([^_]) group keeps this substitution from also rewriting root_unlock_time, because unlock_time is a substring of that setting name.
    sed -i -E 's/([^_])unlock_time=[-]?[0-9]+/\1unlock_time=<your_value>/g' /etc/pam.d/system-auth
- Repeat this procedure for each VI workload domain vCenter Server.
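The shell procedure above edits /etc/pam.d/system-auth with three independent sed substitutions and leaves the verification to the operator. The script below is an added example, not code from the VMware documentation: it applies the same three settings to a file, backs the file up first as the procedure does, rejects non-numeric values, guards the unlock_time substitution so that root_unlock_time is not rewritten, and then reads the values back from disk to confirm the policy took effect. The sample system-auth line, the file path handling and the function names are constructed for this demonstration; run it against a copy of the real file, as shown, before pointing it at /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the VMware page): apply and verify the account lockout
# settings in a pam_tally2-style /etc/pam.d/system-auth. All names below are
# constructed for this demonstration. Requires GNU sed for -i.

# Constructed sample of the relevant line. A real appliance file has more lines;
# only the line carrying deny= / unlock_time= / root_unlock_time= matters here.
SAMPLE_SYSTEM_AUTH='auth required pam_tally2.so deny=3 onerr=fail audit silent even_deny_root unlock_time=900 root_unlock_time=300
auth required pam_unix.so'

# Return 0 only if $1 is a non-negative integer (rejects "", "-5", "abc").
is_nonneg_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print the current value of one setting ($2) from file $1.
# The [^_a-zA-Z] guard stops "unlock_time" from matching inside "root_unlock_time".
# Assumes pam settings never begin a line (they always follow the module name).
get_setting() {
    sed -n -E "s/.*[^_a-zA-Z]$2=(-?[0-9]+).*/\1/p" "$1" | head -n 1
}

# Rewrite setting $2 in file $1 to value $3, keeping the character before the
# setting name (captured as \1) so a space or tab is preserved.
set_setting() {
    sed -i -E "s/([^_])$2=-?[0-9]+/\1$2=$3/g" "$1"
}

# Back up, apply deny ($2), unlock_time ($3) and root_unlock_time ($4) to file $1,
# then verify what is actually on disk. Returns 0 on success, 1 otherwise.
apply_lockout_policy() {
    f=$1
    for v in "$2" "$3" "$4"; do
        is_nonneg_int "$v" || { echo "invalid lockout value: '$v'" >&2; return 1; }
    done
    # Same backup convention as the procedure (timestamped copy next to the file).
    cp -p "$f" "$f.$(date +%F_%H%M%S).back" || return 1
    set_setting "$f" deny "$2"
    set_setting "$f" unlock_time "$3"
    set_setting "$f" root_unlock_time "$4"
    # Verify the result rather than trusting the sed exit status, which is 0
    # even when the pattern never matched.
    [ "$(get_setting "$f" deny)" = "$2" ] &&
    [ "$(get_setting "$f" unlock_time)" = "$3" ] &&
    [ "$(get_setting "$f" root_unlock_time)" = "$4" ]
}

# Demonstration on a throwaway copy of the constructed sample.
DEMO_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SYSTEM_AUTH" > "$DEMO_FILE"
if apply_lockout_policy "$DEMO_FILE" 5 900 300; then
    echo "policy applied: deny=$(get_setting "$DEMO_FILE" deny)" \
         "unlock_time=$(get_setting "$DEMO_FILE" unlock_time)" \
         "root_unlock_time=$(get_setting "$DEMO_FILE" root_unlock_time)"
else
    echo "policy NOT applied, inspect $DEMO_FILE" >&2
fi
rm -f "$DEMO_FILE" "$DEMO_FILE".*.back
```

To use it on an appliance, replace the demo section with a call such as apply_lockout_policy /etc/pam.d/system-auth 5 900 300 and check its exit status; the read-back at the end is what tells you the file really carries the policy you intended, which the bare sed commands do not.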
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $maxFailures = "5"
    $unlockInterval = "900"
    $rootUnlockInterval = "300"
- Perform the configuration by running the command in the PowerShell console.
    Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
- Repeat this procedure for each VI workload domain vCenter Server.