Compared to pam_passwdqc.so, the pam_cracklib.so plug-in provides fewer options to fine-tune password strength and does not perform password strength tests for all users. However, if the pam_cracklib.so plug-in better suits your environment, you can switch from the default pam_passwdqc.so plug-in to pam_cracklib.so.

Note

The pam_cracklib.so plug-in used in Linux provides more parameters than the parameters supported for ESX. You cannot specify these additional parameters in esxcfg-auth. For more information about this plug-in, see your Linux documentation.

1. Log in to the service console and acquire root privileges.

2. Run the following command.

esxcfg-auth --usecrack=retries minimum_length lc_credit uc_credit d_credit oc_credit

retries: number of retries users are allowed before they are locked out.

minimum_length: minimum password score, or effective length, after credits have been applied.

Note

The pam_cracklib.so plug-in does not accept passwords less than six characters, regardless of credits used and regardless of the value that you assign to minimum_length. In other words, if minimum_length is 5, users must still enter no fewer than six characters.

lc_credit: maximum number of credits allowed for lowercase letters.

uc_credit: maximum number of credits allowed for uppercase letters.

d_credit: maximum number of credits allowed for numbers.

oc_credit: maximum number of credits allowed for special characters, such as underscore or dash.

The password requirements for the plug-in are configured according to the parameters you entered.

esxcfg-auth --usecrack=3 9 1 -1 -1 1

Users are allowed three attempts to enter their password before they are locked out.

The password score must be nine.

Up to one credit is given for using lowercase letters.

At least one uppercase letter is required. No extra credit is given for this character type.

At least one number is required. No extra credit is given for this character type.

Up to one credit is given for using special characters.

Using these sample values, the password candidate xyzpqe# would fail:

(x + y + z + p + q + e + #) + (lc_credit + oc_credit) = 9

While the password score is nine, it does not contain the required uppercase letter and number.

The password candidate Xyzpq3# would be accepted:

(X + y + z + p + q + 3 + #) + (lc_credit + oc_credit) = 9

The password score for this example is also nine, but this password includes the required uppercase letter and number. The uppercase letter and number do not add extra credit.
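The scoring rule walked through above can be checked against candidate passwords before a policy is rolled out. The following Python sketch is an added example, not VMware or pam_cracklib.so code; the function names classify and evaluate are hypothetical, and it models only the length-plus-credits rule and the six-character floor described on this page, not the plug-in's dictionary or similarity checks.

```python
# Added illustration: models only the length-plus-credits rule described on this page.
# It does not reproduce pam_cracklib.so's dictionary or similarity checks.
import string

HARD_MINIMUM = 6  # per the note above: shorter passwords are always rejected

def classify(password):
    """Count ASCII characters in each of the four classes that earn credit."""
    counts = {"lc": 0, "uc": 0, "d": 0, "oc": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lc"] += 1
        elif ch in string.ascii_uppercase:
            counts["uc"] += 1
        elif ch in string.digits:
            counts["d"] += 1
        else:
            counts["oc"] += 1  # anything else is treated as a special character
    return counts

def evaluate(password, minimum_length, lc_credit, uc_credit, d_credit, oc_credit):
    """Return (score, accepted, reasons) for one candidate password."""
    credits = {"lc": lc_credit, "uc": uc_credit, "d": d_credit, "oc": oc_credit}
    counts = classify(password)
    score = len(password)
    reasons = []
    for cls, credit in credits.items():
        if credit > 0:
            # Positive value: up to `credit` bonus points for this class.
            score += min(counts[cls], credit)
        elif credit < 0 and counts[cls] < -credit:
            # Negative value: a required count, with no bonus points.
            reasons.append(f"needs at least {-credit} {cls} character(s)")
    if len(password) < HARD_MINIMUM:
        reasons.append(f"shorter than {HARD_MINIMUM} characters")
    if score < minimum_length:
        reasons.append(f"score {score} below {minimum_length}")
    return score, not reasons, reasons

if __name__ == "__main__":
    # Sample values from the page: --usecrack=3 9 1 -1 -1 1 (retries does not affect scoring).
    # "Ab1#x" is a constructed candidate that exercises the six-character floor.
    for candidate in ("xyzpqe#", "Xyzpq3#", "Ab1#x"):
        print(candidate, evaluate(candidate, 9, 1, -1, -1, 1))
```
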