vSphere 6: ESXi Password Policy

With vSphere 6, VMware introduced ESXi Account Lockout / ESXi Password Policy.
Two new settings are now available under the ESXi Host Advanced System Settings page:

  • Security.AccountLockFailures
    • Maximum allowed failed login attempts before locking out a user’s account.

  •  Security.AccountUnlockTime
    • Duration in seconds to lock out a user’s account after exceeding the maximum allowed failed login attempts.

Note: Both settings only affect SSH and the vSphere Web Services but not DCUI or the console shell.

Additionally, it is now possible to adjust the password complexity rules via the GUI.
Previously, you had to manually edit /etc/pam.d/passwd

The setting to adjust the password complexity can also be found the ESXi Host Advanced System Settings page:

  • Security.PasswordQualityControl
    • Raw options for pam_passwdqc PAM module. This value is used as is in PAM’s configuration file.

vSphere 6

Leave a Reply

Your email address will not be published. Required fields are marked *