Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

ESX 4.1 and ESXi 4.1 root passwords are authenticated up to only 8 characters (1024500)

Details

When you set a password in ESX/ESXi 4.1, the pam_passwdqc plug-in parameter max=nn sets the maximum length allowed for a password. The intended behavior is: 
  • For all max values except 8, proposed passwords that exceed the given max value length are not accepted.
  • For the special value max=8, proposed passwords longer than 8 characters are not rejected, but passwords are truncated to 8 characters. After the password has been accepted and changed, a password submitted for authentication will also be truncated to 8 characters.
By default, no max value is configured for ESX/ESXi 4.1. The default max value for the plug-in is 40. This should be the operational max value for password submission. When the default configuration is used, passwords should not be truncated, either when setting them or when they are authenticated.

In ESX/ESXi 4.1, after a password is accepted by the pam_passwdqc plug-in, ESX/ESXi behaves as if the max value is 8. When a new password is submitted, the default 40-character maximum is enforced. Thereafter, password authentication behaves as if the max value is 8, and only the first 8 characters of the password are necessary for authentication.

Solution

This issue is fixed with VMware ESX 4.1 Patch ESX410-201010414-SG for ESX systems and VMware ESXi 4.1 Patch ESXi410-201010401-SG for ESXi systems.
 
If you are not applying the patch to the ESX/ESXi systems, perform the following workaround steps to resolve the issue.

Note: The /etc/security/login.map file contains the authentication rules for ESX/ESXi to follow. Refer to this file to determine which file to edit in the workaround. For example, the file might contain the following rules:

vpxuser : system-auth-local
*       : system-auth

In this case, use system-auth-local to authenticate vpxuser. Use system-auth to authenticate all other users. If system-auth is not present on the system, the /etc/security/login.map file typically lists system-auth.
  • Workaround for ESX:

    Add md5 to the file /etc/pam.d/system-auth.
    1. Log in to the service console and acquire root privileges.
    2. Change to the directory /etc/pam.d/.
    3. Use a text editor to open the file system-auth.
    4. Add md5 to the following line, as shown:
      password sufficient /lib/security/ $ISA/pam_unix.so use_authtok nullok shadow md5

      Optionally, you can use this sed command to accomplish this:
      sed -e ' /password.*pam_unix.so/s /$/ md5/' -i /etc/pam.d/system-auth

    5. Reset the password. If you do not change the password, ESX continues to use the truncated password.
  • Workaround For ESXi:

    Add md5 to the file /etc/pam.d/system-auth.
    1. Access Tech Support Mode. For more information, see Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 ( 1017910).
    2. Change to the directory /etc/pam.d/.
    3. Use a text editor to open the file system-auth.
    4. Add md5 to the following line, as shown:

      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

    5. (Optional) If you want the change to persist when you restart ESXi, you must add the following line to the file /etc/rc.local:

      sed -e ' /password.*pam_unix.so.* md5/q' -e ' /password.*pam_unix.so/s/ $/ md5/' -i /etc/pam.d/system-auth

    6. Reset the password. If you do not change the password, ESXi continues to use the truncated password.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 21 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 21 Ratings
Actions
KB: