
Chapter 14 Service Console Security

With this setting in effect, a user can never set a password that draws on only one character class. A password that uses two character classes must be at least 18 characters long, one that uses three classes at least 12 characters, and one that uses all four classes at least eight characters.

Attempts to create passphrases are ignored.

Configure a Password Reuse Rule

You can set the number of old passwords that are stored for each user.

Procedure

1 Log in to the service console and acquire root privileges.

2 Change to the directory /etc/pam.d/.

3 Use a text editor to open the system-auth-generic file.

4 Locate the line that starts with password sufficient /lib/security/$ISA/pam_unix.so.

5 Add the following parameter to the end of the line, where X is the number of old passwords to store for each user.

remember=X

Use a space between parameters.

6 Save your changes and close the file.

7 Change to the directory /etc/security/ and use the following command to make a zero (0) length file with opasswd as the filename.

touch opasswd

8 Enter the following commands:

chmod 0600 opasswd

chown root:root /etc/security/opasswd
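The procedure above is easy to get subtly wrong by hand (a duplicated remember= token, a history file left world-readable). The following is an added example, not VMware's code, that applies the same change to the file contents as text and then audits the opasswd file exactly as steps 7 and 8 create it. The sample PAM lines are constructed for the example (only the pam_unix.so line matters; the options shown on the other lines are placeholders), and the function names are this example's own.

```python
import os
import re
import stat

# Paths from the procedure above.
PAM_FILE = "/etc/pam.d/system-auth-generic"
OPASSWD = "/etc/security/opasswd"

# The line the procedure edits: "password sufficient /lib/security/$ISA/pam_unix.so ..."
PAM_UNIX_LINE = re.compile(r"^(password\s+sufficient\s+\S*pam_unix\.so)(.*)$")


def set_remember(pam_text, count):
    """Return pam_text with remember=<count> on the pam_unix.so password line.

    Idempotent: an existing remember=N token is replaced, not duplicated.
    Raises ValueError unless exactly one matching line is present, so a
    different PAM layout or a mistyped file is not silently left unchanged.
    """
    if count < 1:
        raise ValueError("remember= count must be at least 1")
    out, hits = [], 0
    for line in pam_text.splitlines():
        m = PAM_UNIX_LINE.match(line)
        if m:
            hits += 1
            params = [p for p in m.group(2).split() if not p.startswith("remember=")]
            params.append("remember=%d" % count)
            line = m.group(1) + " " + " ".join(params)  # parameters are space separated
        out.append(line)
    if hits != 1:
        raise ValueError("expected one 'password sufficient ... pam_unix.so' line, found %d" % hits)
    return "\n".join(out) + "\n"


def get_remember(pam_text):
    """Return the remember= value on the pam_unix.so password line, or None if unset."""
    for line in pam_text.splitlines():
        m = PAM_UNIX_LINE.match(line)
        if m:
            for p in m.group(2).split():
                if p.startswith("remember="):
                    return int(p.split("=", 1)[1])
    return None


def opasswd_problems(path=OPASSWD):
    """Verify the history file as steps 7 and 8 create it.

    Returns a list of findings; an empty list means the file exists, is a
    regular file, is mode 0600 and is owned by root:root.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return ["%s does not exist (create it with: touch %s)" % (path, path)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("%s mode is %04o, expected 0600" % (path, mode))
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("%s owned by uid %d gid %d, expected root:root" % (path, st.st_uid, st.st_gid))
    return problems


# Constructed stand-in for the password section of system-auth-generic.
# Only the pam_unix.so line matters; the other lines' options are omitted.
SAMPLE_PAM = """\
password    requisite     /lib/security/$ISA/pam_passwdqc.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
"""

if __name__ == "__main__":
    updated = set_remember(SAMPLE_PAM, 5)
    print(updated, end="")
    print("remember =", get_remember(updated))
    for finding in opasswd_problems():
        print("opasswd:", finding)
```

To use it on a live host, read PAM_FILE into a string, pass it through set_remember, write the result back as root, and run opasswd_problems() after the touch/chmod/chown steps; an empty list is the expected result.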

Using the pam_cracklib.so Authentication Plug-In

The default authentication plug-in for ESX is pam_passwdqc.so, which provides stringent password strength enforcement for most environments. If the plug-in is not appropriate for your environment, you can use the pam_cracklib.so plug-in instead.

The pam_cracklib.so plug-in checks all password change attempts to ensure that passwords meet the strength criteria.

- The new password must not be a palindrome, that is, a string that reads the same forwards and backwards, as in radar or civic.

- The new password must not be the reverse of the old password.

- The new password must not be a rotation. A rotation is a version of the old password in which one or more characters have been moved from one end of the string to the other.

- The new password must differ from the old password by more than a change of case.

- The new password must differ from the old password by more than a few characters.

- The new password must not have been used in the past. This criterion is applied only if you have configured a password reuse rule (the remember= parameter described earlier).

By default, ESX does not enforce any password reuse rules, so the pam_cracklib.so plug-in never rejects a password change attempt on these grounds. However, you can configure a reuse rule to ensure that your users do not alternate between a few passwords.

VMware, Inc.


ESX Configuration Guide

If you configure a reuse rule, old passwords are stored in a file that is consulted during each password change attempt. The reuse rule determines how many old passwords ESX retains. Once a user has gone through enough passwords to reach the value specified in the reuse rule, the oldest entry is dropped from the file each time a new one is added.

- The new password must be long enough and complex enough to meet the requirements of the plug-in. Configure these requirements by changing the pam_cracklib.so complexity parameters with the esxcfg-auth command, which lets you set the number of retries, the minimum password length, and a variety of character credits.

To set password complexity with the pam_cracklib.so plug-in, you can assign values to the credit parameters for each of the following character classes:

- lc_credit represents lowercase letters

- uc_credit represents uppercase letters

- d_credit represents numbers

- oc_credit represents special characters, such as underscore or dash

Credits add to a password's complexity score. A user's password must meet or exceed the minimum score, which you define using the minimum_length parameter.

NOTE The pam_cracklib.so plug-in does not accept passwords of fewer than six characters, regardless of credits used and regardless of the value that you assign to minimum_length. In other words, if minimum_length is 5, users must still enter no fewer than six characters.

To determine whether or not a password is acceptable, the pam_cracklib.so plug-in uses several rules to calculate the password score.

- Each character in the password, regardless of type, counts as one toward minimum_length.

- Nonzero values in the credit parameters affect password complexity differently depending on whether negative or positive values are used.

  - For positive values, add one credit for each character of that class, up to the maximum number of credits specified by the credit parameter.

  For example, if lc_credit is 1, add one credit for using a lowercase letter in the password. In this case, one is the maximum number of credits allowed for lowercase letters, regardless of how many are used.

  - For negative values, do not add credit for the character class, but require that the character class is used a minimum number of times. The minimum number is the absolute value of the credit parameter.

  For example, if uc_credit is -1, passwords must contain at least one uppercase character. In this case, no extra credit is given for using uppercase letters, regardless of how many are used.

- Character classes with a value of zero count toward the total length of the password, but do not receive extra credit, nor are they required. You can set all character classes to zero to enforce password length without considering complexity.

For example, with every credit parameter set to zero, the passwords xyzpqets and Xyzpq3#s would each have a password score of eight.
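Below is an added example, not the plug-in's source and not VMware's code, that re-implements the scoring rules just described together with the old-versus-new tests listed earlier in this section, so you can predict what a given combination of minimum_length and credit values will accept before you apply it with esxcfg-auth. The function names (score, similarity_problems, check_change) and the DIFF_CHARS threshold for "more than a few characters" are this example's own assumptions; the page does not state the plug-in's exact similarity threshold. The password-history test is left out because it depends on the reuse rule and the opasswd file rather than on these parameters.

```python
import string

HARD_MINIMUM = 6   # pam_cracklib rejects anything shorter, whatever minimum_length says
DIFF_CHARS = 5     # assumed threshold for "more than a few characters" (this example's own)

CLASSES = {
    "lc": lambda c: c in string.ascii_lowercase,
    "uc": lambda c: c in string.ascii_uppercase,
    "d": lambda c: c in string.digits,
    "oc": lambda c: not c.isalnum(),
}


def score(pw, lc_credit=0, uc_credit=0, d_credit=0, oc_credit=0):
    """Return (score, shortfalls) for pw under the credit rules.

    Every character counts one toward minimum_length. A positive credit adds
    one more per character of that class, capped at the credit value. A
    negative credit adds nothing but demands at least abs(credit) characters
    of the class; `shortfalls` lists (class, required) pairs that are not met.
    """
    credits = {"lc": lc_credit, "uc": uc_credit, "d": d_credit, "oc": oc_credit}
    total, shortfalls = len(pw), []
    for cls, is_member in CLASSES.items():
        n, credit = sum(1 for c in pw if is_member(c)), credits[cls]
        if credit > 0:
            total += min(n, credit)
        elif credit < 0 and n < -credit:
            shortfalls.append((cls, -credit))
    return total, shortfalls


def _edit_distance(a, b):
    """Levenshtein distance; used for the 'differs by more than a few characters' test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity_problems(old, new):
    """Names of the old-versus-new tests from the list above that `new` fails."""
    problems = []
    if len(new) > 1 and new == new[::-1]:
        problems.append("palindrome")
    if not old:
        return problems
    if new == old[::-1]:
        problems.append("reverse of old")
    if new != old and len(new) == len(old) and new in old + old:
        problems.append("rotation of old")  # old's characters moved from one end to the other
    if new != old and new.lower() == old.lower():
        problems.append("case change only")
    if _edit_distance(old, new) < DIFF_CHARS:
        problems.append("too similar to old")
    return problems


def check_change(old, new, minimum_length, lc_credit=0, uc_credit=0, d_credit=0, oc_credit=0):
    """Return (accepted, reasons) for a change from `old` to `new`."""
    reasons = []
    if len(new) < HARD_MINIMUM:
        reasons.append("shorter than the six-character floor")
    total, shortfalls = score(new, lc_credit, uc_credit, d_credit, oc_credit)
    if total < minimum_length:
        reasons.append("score %d is below minimum_length %d" % (total, minimum_length))
    for cls, required in shortfalls:
        reasons.append("needs at least %d %s character(s)" % (required, cls))
    reasons.extend(similarity_problems(old, new))
    return not reasons, reasons


if __name__ == "__main__":
    # The two passwords from the text score eight with every credit at zero...
    print(score("xyzpqets"), score("Xyzpq3#s"))
    # ...but only the second collects credit from all four classes once credits are positive.
    print(score("xyzpqets", 1, 1, 1, 1), score("Xyzpq3#s", 1, 1, 1, 1))
    # Constructed old/new pairs; all four classes required, minimum_length 8.
    for old, new in [("Summer2023!", "Summer2024!"), ("Tr0ub4dor&3", "correctHorseBattery9!")]:
        print(old, "->", new, check_change(old, new, 8, -1, -1, -1, -1))
```

Negative credits are the setting to reach for when you want a guaranteed character mix: with positive credits a long all-lowercase password can still clear minimum_length, whereas -1 in each class makes the mix mandatory without inflating the score.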

Switch to the pam_cracklib.so Plug-In

Compared to pam_passwdqc.so, the pam_cracklib.so plug-in provides fewer options to fine-tune password strength and does not perform password strength tests for all users. However, if the pam_cracklib.so plug-in better suits your environment, you can switch from the default pam_passwdqc.so plug-in to pam_cracklib.so.

NOTE The pam_cracklib.so plug-in used in Linux provides more parameters than those supported for ESX. You cannot specify these additional parameters in esxcfg-auth. For more information about this plug-in, see your Linux documentation.

