The default authentication plug-in for ESX is pam_passwdqc.so, which provides stringent password strength enforcement for most environments. If the plug-in is not appropriate for your environment, you can use the pam_cracklib.so plug-in instead.

The pam_cracklib.so plug-in checks all password change attempts to ensure that passwords meet the strength criteria.

The new password must not be a palindrome. A palindrome is a string that reads the same forwards and backwards, with the characters mirroring each other around the center, as in radar or civic.

The new password must not be the reverse of the old password.

The new password must not be a rotation. A rotation is a version of the old password in which one or more characters have been rotated to the front or back of the password string.

The new password must differ from the old password by more than a change of case.

The new password must differ from the old password by more than a few characters.

The new password must not have been used in the past. The pam_cracklib.so plug-in applies this criterion only if you have configured a password reuse rule.

By default, ESX does not enforce any password reuse rules, so the pam_cracklib.so plug-in never rejects a password change attempt on these grounds. However, you can configure a reuse rule to ensure that your users do not alternate between a few passwords.

If you configure a reuse rule, old passwords are stored in a file that the pam_cracklib.so plug-in references during each password change attempt. The reuse rules determine the number of old passwords that ESX retains. When a user creates enough passwords to reach the value specified in the reuse rule, old passwords are removed from the file in age order.

The new password must be long enough and complex enough to meet the requirements of the plug-in. Configure these requirements by changing the pam_cracklib.so complexity parameters with the esxcfg-auth command, which lets you set the number of retries, the minimum password length, and a variety of character credits.

To set password complexity with the pam_cracklib.so plug-in, you can assign values to the credit parameters for each of the following character classes:

lc_credit represents lowercase letters

uc_credit represents uppercase letters

d_credit represents numbers

oc_credit represents special characters, such as underscore or dash

Credits add to a password's complexity score. A user's password must meet or exceed the minimum score, which you define using the minimum_length parameter.

Note

The pam_cracklib.so plug-in does not accept passwords shorter than six characters, regardless of credits used and regardless of the value that you assign to minimum_length. In other words, if minimum_length is 5, users must still enter no fewer than six characters.

To determine whether or not a password is acceptable, the pam_cracklib.so plug-in uses several rules to calculate the password score.

Each character in the password, regardless of type, counts as one against minimum_length.

Nonzero values in the credit parameters affect password complexity differently depending on whether negative or positive values are used.

For positive values, add one credit for the character class, up to the maximum number of credits specified by the credit parameter.

For example, if lc_credit is 1, add one credit for using a lowercase letter in the password. In this case, one is the maximum number of credits allowed for lowercase letters, regardless of how many are used.

For negative values, do not add credit for the character class, but require that the character class be used a minimum number of times. The minimum number is the absolute value of the credit parameter.

For example, if uc_credit is -1, passwords must contain at least one uppercase character. In this case, no extra credit is given for using uppercase letters, regardless of how many are used.

Character classes with a value of zero count toward the total length of the password, but do not receive extra credit, nor are they required. You can set all character classes to zero to enforce password length without considering complexity.

For example, with all credit parameters set to zero, the passwords xyzpqets and Xyzpq3#s would each have a password score of eight, because only their length counts.
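The following Python model, added here and not part of the ESX documentation or of pam_cracklib.so itself, implements the scoring rules above together with the palindrome, reverse, rotation and case-only checks from the start of this section. The parameter names are the ones this page uses; the class names lc, uc, d and oc are assumed shorthands for the four credit parameters.

```python
# Added example (not ESX or pam_cracklib.so code): a model of the password
# rules described on this page, using the page's parameter names.
from dataclasses import dataclass

HARD_MINIMUM = 6  # the plug-in never accepts fewer than six characters

@dataclass
class CracklibPolicy:
    minimum_length: int
    lc_credit: int = 0   # >0: max credits for the class; <0: minimum required
    uc_credit: int = 0
    d_credit: int = 0
    oc_credit: int = 0

def count_classes(password):
    """Count lowercase, uppercase, digit and special (other) characters."""
    tests = {"lc": str.islower, "uc": str.isupper, "d": str.isdigit}
    counts = {"lc": 0, "uc": 0, "d": 0, "oc": 0}
    for ch in password:
        cls = next((c for c, test in tests.items() if test(ch)), "oc")
        counts[cls] += 1
    return counts

def score(password, policy):
    """Return (score, missing_classes). Every character counts one; positive
    credits add up to their cap; negative credits add nothing but are required."""
    counts = count_classes(password)
    total, missing = len(password), []
    for cls in ("lc", "uc", "d", "oc"):
        credit = getattr(policy, f"{cls}_credit")
        if credit > 0:
            total += min(counts[cls], credit)
        elif credit < 0 and counts[cls] < -credit:
            missing.append(cls)
    return total, missing

def history_ok(old, new):
    """Reject a palindrome, the reverse of the old password, a rotation of it,
    or a password that differs from the old one only by case."""
    if new == new[::-1] or new == old[::-1] or new.lower() == old.lower():
        return False
    if len(new) == len(old) and new in old + old:  # rotation of old
        return False
    return True

def is_acceptable(new, policy, old=""):
    """Apply the hard six-character floor, the history checks and the score."""
    if len(new) < HARD_MINIMUM:
        return False
    total, missing = score(new, policy)
    return history_ok(old, new) and not missing and total >= policy.minimum_length
```

With every credit set to zero, xyzpqets and Xyzpq3#s both score eight, as the page states; setting uc_credit to -1 rejects the first of them without changing either score.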