Sometimes you have a long enough password, that matches with the confirmation, but pressing “Enter” to continue gives “Password does not have enough character types”:
From [WayBack] Disable ESXi Password Complexity – Perfect Cloud:
A part of my job as a VMware Certified Instructor is to update our lab systems whenever new vSphere versions come out. After upgrading from 5.5 to 6.0 I decided we should change passwords, h…
This is the workflow:
- Make a backup of
/etc/pam.d/passwd.
- Use
vi to edit /etc/pam.d/passwd, and:
- Put a
# in front of the lines starting with password requisite
- Remove the
use_authtok bit of the line starting with password sufficient
- Put a
# in front of the line starting with password required
- Quit
vi while saving (press Esc, then enter :wq on the prompt)
- Change the password to a less secure one
- Restore the original
/etc/pam.d/passwd.
Via: esxi 6 force short password – Google Search
Working around this on during ESXi installation fails
I tried this:
- Press Alt-F1 to go from the installation screen to the console screen
- Logon as root, with no password at all to get to the command-prompt:
- Perform the
/etc/pam.d/passwd editing steps above
- Press Alt-F2 to go back to the install screen
- Enter root password
The password requirements stayed.
(more screenshots at [WayBack] ESXi 6.7 installation Guide – Let We-i Go)
Related
- [WayBack] passwdqc – password/passphrase strength checking and policy enforcement toolset for your servers and software
- [WayBack] installing ESXi 6.7, stuck on root password with this message :password must be at least 7 characters long : vmware
The default required password complexity changed between 6.5 and 6.7.
In addition to needing to be at least seven characters, the password must include at least three of the four character classes:
-
Upper case – exception: the first character being upper case does not count towards the class requirement
-
Lower case
-
Numbers – exception: the last character being a number does not count towards the class requirement
-
Symbols
Also, no dictionary words (whether spelt forwards or backwards).
- [WayBack] ESXi Passwords and Account Lockout
For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.
- “Security.PasswordQualityControl” – Google Search
- [WayBack] ESXi 6.x Password Calculator for Security.PasswordQualityControl | Virtually Blogging
- [WayBack] Virtual Maestro: VMware ESXi 6.X password policy
- [WayBack] VMware ESXi6 Password Policy – ivobeerens.nl
- [WayBack] Virtual Maestro: VMware ESXi 6.X password policy
- [Archive.is] vSphere Documentation Center
Example: Editing /etc/pam.d/passwd
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
values
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=12,9,8,7,6
With this setting in effect, the password requirements are:
- retry=3: A user is allowed 3 attempts to enter a sufficient password.
- N0=12: Passwords containing characters from one character class must be at least 12 characters long.
- N1=9: Passwords containing characters from two character classes must be at least nine characters long.
- N2=8: Passphrases must contain words that are each at least eight characters long.
- N3=7: Passwords containing characters from three character classes must be at least seven characters long.
- N4=6: Passwords containing characters from all four character classes must be at least six characters long.
- [WayBack] VMware:ESXi Kennwortsicherheit heruntersetzen oder ändern – znilwiki
Passwortklassen sind schlicht
Grossbuchstaben
Kleinbuchstaben
Zahlen
Sonderzeichen
wobei das erste Zeichen nicht zählt. Also gilt
dumpfbacke : 1 Passwortklasse
Dumpfbacke : 1 Passwortklasse
DumpfBacke : 2 Passwortklassen
DumpfBacke1 : 3 Passwortklassen
DumpfBacke1% : 4 Passwortklassen
Indem man alle Werte auf 0 setzt, also
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=0,0,0,0,0
schaltet man alle Anforderungen aus.
Alternativ geht das auch mit
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 enforce=none
On my ESXI 6.5 system where the italic bit is removed, besides the two lines being commented out:
- original
/etc/pam.d/passwd:
#%PAM-1.0
# Change only through host advanced option "Security.PasswordQualityControl".
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so
- modified
/etc/pam.d/passwd:
#%PAM-1.0
# Change only through host advanced option "Security.PasswordQualityControl".
#password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
password sufficient /lib/security/$ISA/pam_unix.so nullok shadow sha512
#password required /lib/security/$ISA/pam_deny.so
On my ESXI 6.7 system (which adds the bold lines below):
- original
/etc/pam.d/passwd:
#%PAM-1.0
# Change only through host advanced option "Security.PasswordQualityControl".
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
# Change only through host advanced option "Security.PasswordHistory"
password requisite /lib/security/$ISA/pam_pwhistory.so use_authtok enforce_for_root retry=2 remember=0
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password required /lib/security/$ISA/pam_deny.so
- modified
/etc/pam.d/passwd:
#%PAM-1.0
# Change only through host advanced option "Security.PasswordQualityControl".
#password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,7,7
# Change only through host advanced option "Security.PasswordHistory"
#password requisite /lib/security/$ISA/pam_pwhistory.so use_authtok enforce_for_root retry=2 remember=0
password sufficient /lib/security/$ISA/pam_unix.so nullok shadow sha512
#password required /lib/security/$ISA/pam_deny.so
–jeroen
Like this:
Like Loading...
The Wiert Corner - irregular stream of stuff 