Symptoms
- You are unable to set a password in ESX or ESXi 4.x or 5.x.
- You see these VMware vSphere Client errors:
- A general system error occurred: passwd: Authentication token manipulation error
- An internal error has occurred, and the wizard is unable to store the Administrator password securely. The customization cannot proceed. Please contact VMware technical support for more information.
- You see this console error:
Weak password: not enough different characters or classes for this length.
passwd: Authentication token manipulation error
Resolution
A valid password requires a mix of upper case letters, lower case letters, digits, and other characters. You can use a 7-character password with characters from at least three of these four classes, or a 6-character password containing characters from all four classes. An upper case letter at the beginning of the password and a digit at its end do not count towards the number of character classes used. It is recommended that the password does not contain the username.
A passphrase must contain at least 3 words, be 8 to 40 characters long, and contain enough different characters.
Notes:
- vCenter Server 4.0 can handle up to 26-character passwords.
- In ESXi 4.x and 5.x, the password cannot contain the words admin, root, or administrator in any form.
- The /etc/security/login.map file contains the authentication rules for ESX/ESXi. Refer to this file to determine which file to edit in the workaround.
  Example: The file might contain these rules:
    vpxuser : system-auth-local
    * : system-auth-generic
  In this case, system-auth-local is used to authenticate vpxuser, and system-auth-generic is used to authenticate all other users. If system-auth-generic is not present on the system, the /etc/security/login.map file typically lists system-auth.
Caution: Modifying password restrictions may reduce the security of your VMware environment.
ESX 4.0
VMware ESX 4.x uses the PAM module pam_passwdqc.so. For additional information about this module and its syntax, see the pam_passwdqc man page.
Note: The preceding link was correct as of January 31, 2012. If you find the link is broken, provide feedback and a VMware employee will update the link.
To disable the restriction:
- Modify the /etc/pam.d/system-auth-generic file. Run the command:
    vi /etc/pam.d/system-auth-generic
- Change the line:
    password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
  to:
    password required /lib/security/$ISA/pam_passwdqc.so min=0,0,0,0,0 similar=deny match=0
  or:
    password required pam_cracklib.so try_first_pass retry=3
- Save the changes and change the password.
ESXi 4.0 and ESXi/ESX 4.1
VMware ESXi/ESX 4.1 and ESXi 4.0 use the pam_passwdqc.so module to check password strength. By default, it uses these parameters:
    pam_passwdqc.so retry=3 min=8,8,8,7,6
To modify these settings on an ESX/ESXi 4.1.x host:
- Connect to the host using SSH. For ESXi hosts, you must enable Tech Support Mode. For more information on Tech Support Mode, see:
  - Tech Support Mode for Emergency Support (1003677)
  - Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910)
- Open the /etc/pam.d/system-auth file using a text editor. For example, to open the file using the vi editor, run this command:
    vi /etc/pam.d/system-auth
- Change this line:
    password requisite /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6
  Note: You are changing the min values to match the password policy you want to enforce. For additional information about this module and its syntax, see the pam_passwdqc man page.
- Save the changes and change the password.
- To make the change persist across a reboot of an ESXi host, set the sticky bit on the /etc/pam.d/system-auth file:
    chmod +t /etc/pam.d/system-auth
ESXi 5.0
To modify these settings on an ESXi 5.0 host:
- Enable technical support mode. For more information, see Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910).
- Modify the /etc/pam.d/passwd file:
    vi /etc/pam.d/passwd
- In the file, find this line:
    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
  Its general form is:
    password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
  Note: min=8,8,8,7,6 maps to min=N0,N1,N2,N3,N4 in the following step.
- Using these switches, make your required changes and save the file:
  retry=3: A user is allowed 3 attempts to enter a sufficient password.
  N0=12: Passwords containing characters from one character class must be at least twelve characters long. Example: chars1234567
  N1=10: Passwords containing characters from two character classes must be at least ten characters long. Example: CHars12345
  N2=8: Passphrases must contain words that are each at least eight characters long. Example: software
  N3=8: Passwords containing characters from three character classes must be at least eight characters long. Example: CHars12
  N4=7: Passwords containing characters from all four character classes must be at least seven characters long. Example: CHars1!
- Example:
    password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=12,10,8,8,7
Based on VMware KB 1012033
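As an added example (not part of the KB or of VMware's code), this Python checker applies the class-counting rule and the min=N0,N1,N2,N3,N4 length thresholds described above to candidate passwords, and flags a pam_passwdqc line whose minimums were lowered below the ESX/ESXi default and never restored. The function names are my own; passphrases (the N2 slot) are not modelled.

```python
import re

DEFAULT_MIN = (8, 8, 8, 7, 6)  # ESX/ESXi default from the KB: min=N0,N1,N2,N3,N4


def parse_min(pam_line):
    """Return the min=N0,N1,N2,N3,N4 tuple from a pam_passwdqc line, or None."""
    m = re.search(r"\bmin=(\S+)", pam_line)
    if not m:
        return None
    return tuple(None if v == "disabled" else int(v) for v in m.group(1).split(","))


def count_classes(pw):
    """Count character classes as the KB describes: a leading upper case
    letter and a trailing digit do not count towards the class total."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    classes = set()
    for ch in body:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


# Slot in the min tuple by class count: N0 = 1 class, N1 = 2, N3 = 3, N4 = 4.
_SLOT = {1: 0, 2: 1, 3: 3, 4: 4}


def check_password(pw, minimums=DEFAULT_MIN, max_len=40):
    """Return (ok, reason) for one password against a min tuple."""
    if len(pw) > max_len:
        return False, "longer than max=%d" % max_len
    n = count_classes(pw)
    if n == 0:
        return False, "no countable characters"
    need = minimums[_SLOT[n]]
    if need is None:
        return False, "%d-class passwords are disabled by policy" % n
    if len(pw) < need:
        return False, "%d classes: need %d chars, got %d" % (n, need, len(pw))
    return True, "ok"


def policy_weakened(pam_line, baseline=DEFAULT_MIN):
    """Audit check: True if any min value is below the baseline (e.g. the
    min=0,0,0,0,0 workaround left in place) or no usable tuple is present."""
    mins = parse_min(pam_line)
    if mins is None or len(mins) != 5:
        return True
    return any(m is not None and m < b for m, b in zip(mins, baseline))
```

Run policy_weakened over the pam_passwdqc line collected from each host's /etc/pam.d/passwd (or system-auth) to find hosts where the workaround was never reverted.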