Configure the Local User Password Complexity
Policy for vCenter Server
Define the password format requirements for the local users of the vCenter Server
appliances in
VMware Cloud Foundation
, such as
the root
account.Setting | Default
Value | Description |
|---|---|---|
minlen | 6 | Minimum password length |
lcredit | -1 | Maximum number of lowercase characters
that will generate a credit |
ucredit | -1 | Maximum number of uppercase characters
that will generate a credit |
dcredit | -1 | Maximum number of digits that will
generate a credit |
ocredit | -1 | Maximum number of other characters that
will generate a credit |
difok | 4 | Minimum number of characters that must
be different from the old password |
remember | 5 | Maximum number of passwords the system
remembers |
UI Procedure
- Log in to the vCenter Server appliance for a workload domain using SSH asroot.
- Enable shell access.shell
- Back up the password requirements for the appliance by using the following command.cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
- Verify that all settings for configuring password requirements for vCenter Server local users are added in the/etc/pam.d/system-passwordfile.# Begin /etc/pam.d/system-password # use sha512 hash for encryption, use shadow, and try to use any previously # defined authentication token (chosen password) set by any prior module password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok password required pam_unix.so sha512 use_authtok shadow try_first_pass # End /etc/pam.d/system-password
- If some settings are missing in the/etc/pam.d/system-passwordfile, add them manually.
- After all required settings are added in the/etc/pam.d/system-passwordfile, set their values according to the requirements of your organization using the following commands.sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-passwords sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
- Repeat this procedure on the vCenter Server instances for the remaining workload domains.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "administrator@vsphere.local" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $minLength = "6" $minLowercase = "-1" $minUppercase = "-1" $minNumeric = "-1" $minSpecial = "-1" $minUnique = "4" $history = "5"
- Perform the configuration by running the command in the PowerShell console.Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history
- Repeat this procedure for all VI workload domains.