Configure the Local User Password Complexity Policy for SDDC Manager
Define the password format requirements for local users of the SDDC Manager appliance.
Setting | Default Value | Description |
|---|---|---|
minlen | 15 | Minimum password length |
lcredit | -1 | Maximum number of lowercase characters that will generate a credit |
ucredit | -1 | Maximum number of uppercase characters that will generate a credit |
dcredit | -1 | Maximum number of digits that will generate a credit |
ocredit | -1 | Maximum number of other characters that will generate a credit |
minclass | 4 | Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other) |
difok | 4 | Minimum number of characters that must be different from the old password |
retry | 3 | Maximum number of retries |
maxsequence | 0 | Maximum number of times a single character may be repeated |
remember | 5 | Maximum number of passwords the system remembers |
UI Procedure
- Log in to the SDDC Manager appliance using SSH asvcf.
- Change to therootuser.su -
- Back the password requirement using the following command.cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
- Verify that all settings for configuring password requirements for SDDC Manager users are added in the/etc/pam.d/system-passwordfile.# Begin /etc/pam.d/system-password password required pam_pwhistory.so remember=5 retry=5 enforce_for_root use_authtok password required pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=7 difok=4 minclass=4 maxsequence=0 enforce_for_root password required pam_unix.so sha512 shadow use_authtok # End /etc/pam.d/system-password
- If some settings are missing in the/etc/pam.d/system-passwordfile, add them manually.
- After all required settings are added in the/etc/pam.d/system-passwordfile, set their values according to the requirements of your organization using the following commands.sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "administrator@vsphere.local" $sddcManagerPass = "VMw@re1!" # Replace with the name of your management domain $sddcDomainName = "sfo-m01" $rootPass = "VMw@re1!" $minLength = "15" $minLowercase = "-1" $minUppercase = "-1" $minNumerical = "-1" $minSpecial = "-1" $minUnique = "4" $minClass = "4" $maxSequence = "0" $history = "5" $maxRetry = "3"
- Perform the configuration by running the command in the PowerShell console.Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry