Password complexity and MOTD in ESX 3

Continuing the quest to install ESX 3.02, it came about that we need to enable some password security.  There are a couple of things to do here, the first being to run the command “esxcfg-auth”. This command will bring up the list of commands available, which include setting how long the password is valid, how often the password can be changed, and when the warning will appear that the password for a given account is going to expire.

The meat of the password security is setting up the password complexity rules.  I found that using --usepamqc=values worked well.  Here is the verbose language:

--usepamqc
Enables the use of the pam_passwdqc PAM module for password complexity
checking. It can be configured by passing a 6 value tuple as the value.
The tuple is formed from the following information:
- minimum length of a single character class password
- minimum length of a password that has characters from 2 character classes
- minimum number of words in a passphrase
- minimum length of a password that has characters from 3 character classes
- minimum length of a password that has characters from 4 character classes
This does not fully expose the abilities of this powerful PAM module. See
the pam_passwdqc man page for more information on how to use this PAM
module to enforce password rules on the user’s password.
If you pass a value of -1 for any of the six tuple values, that is
understood as disable this option. An example of a tuple is “8 -1 -1 -1 8 4”.

That worked well (with some different values, of course).  The last number, not described above, is the number of times a character can appear in the password.  In this case, that would mean any single character could appear four times.
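To see what a tuple like the one above accepts, here is an added example (not from the original post or from VMware) that models only the length-by-character-class slots. It assumes pam_passwdqc's documented class counting, where a leading capital and a trailing digit do not count, and assumes a password may also qualify under a rule for fewer classes; the passphrase slot and the last value are parsed but not modelled, and all function names are hypothetical.

```python
DISABLED = -1  # per the help text, -1 disables a slot


def parse_tuple(text):
    """Split a --usepamqc value such as "8 -1 -1 -1 8 4" into six slots."""
    values = [int(v) for v in text.split()]
    if len(values) != 6:
        raise ValueError("expected 6 values, got %d" % len(values))
    if any(v < DISABLED for v in values):
        raise ValueError("values must be -1 (disabled) or a length")
    # Slots 0, 1, 3, 4 are the minimum lengths for 1, 2, 3, 4 character
    # classes; slot 2 (passphrase) and slot 5 are kept but not modelled.
    return {1: values[0], 2: values[1], 3: values[3], 4: values[4],
            "passphrase": values[2], "last": values[5]}


def count_classes(password):
    """Count lower/upper/digit/other classes (ASCII input assumed).
    A leading upper-case letter and a trailing digit are not counted."""
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    others = len(password) - lowers - uppers - digits
    if password and password[0].isupper():
        uppers -= 1
    if password and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (lowers, uppers, digits, others) if n > 0)


def meets_length_rule(policy, password):
    """True if an enabled rule at or below the password's class count
    accepts its length (the fall-through is an assumption of this model)."""
    for classes in range(count_classes(password), 0, -1):
        minimum = policy[classes]
        if minimum != DISABLED and len(password) >= minimum:
            return True
    return False


# Constructed sample passwords, checked against the tuple quoted above.
if __name__ == "__main__":
    policy = parse_tuple("8 -1 -1 -1 8 4")
    for pw in ("abcdefgh", "Password1", "aB3$xyz"):
        print(pw, count_classes(pw), meets_length_rule(policy, pw))
```

In this model, “Password1” counts as a single-class password, so it passes only because the first slot allows eight-character single-class passwords; with that slot set to -1 it is rejected.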

To add a nifty warning message when a user logs on, simply create a file titled “motd” in /etc and add your message.  Easy!

–Nat
