Configuring Password Complexity Policies in VMware Cloud Foundation

A password complexity policy defines the minimum requirements for the definition of an account’s password. The settings are different according to the account type and component of the VMware Cloud Foundation instance.


Management Component	Password Complexity Settings	Scope
ESXi	Minimum length Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Minimum unique passwords before reuse	Local user
vCenter Single Sign-On	Minimum length Maximum length Minimum alphabetic characters Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Maximum consecutive identical characters Minimum unique passwords before reuse	vCenter Single Sign-On domain
vCenter Server	Minimum length Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Minimum unique passwords before reuse	Local user
NSX Manager	Minimum length Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Minimum characters different from the old password	Local user
NSX Edge	Minimum length Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Minimum characters different from the old password	Local user
SDDC Manager	Minimum length Minimum lowercase characters Minimum uppercase characters Minimum numeric characters Minimum special characters Minimum characters different from the old password Minimum unique passwords before reuse	Local user

Prerequisites

See Password Policy Configuration Prerequisites.

Configure the Local User Password Complexity Policy for ESXi

Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation including required password length, character class requirements, or allowing passphrases.


Setting	Default Value
Security.PasswordHistory	0
Security.PasswordQualityControl	retry=3 min=disabled,disabled,disabled,7,7

For information about the format of the Security.PasswordQualityControl settings, see ESXi Passwords and Account Lockout in the vSphere Security documentation.

UI Procedure

Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.
Select the first ESXi host and click the Configure tab.
In the System section, click Advanced system settings.
On the Advanced system settings page, click Edit.
In the key filter text box, enter Security.PasswordHistory, configure the settings according to the requirements of your organization.
In the key filter text box, enter Security.PasswordQualityControl, enter values for the settings according to the requirements of your organization, and click OK.
Repeat this procedure on all remaining hosts in the cluster.
Repeat this procedure on all remaining clusters in the workload domain.
Repeat this procedure for all the other workload domains and their clusters.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$policy = "retry=3 min=disabled,disabled,disabled,7,7”
$history = "3"

Perform the configuration by running the command in the PowerShell console.

Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history

Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.
Repeat this procedure for all clusters in the remaining workload domains.

Configure the Password Complexity Policy for vCenter Single Sign-On

Define the password format requirements for the vCenter Single Sign-On built-in identity provider for VMware Cloud Foundation.

The password complexity policy applies only to user accounts in the vsphere.local domain of the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and [email protected].


Setting	Default Value
Restrict reuse	5
Maximum length	20
Minimum length	8
Special characters	1
Alphabetic characters	2
Uppercase characters	1
Lowercase characters	1
Numeric characters	1
Identical adjacent characters	1

UI Procedure

Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
From the vSphere Client Menu, select Administration.
In the Single Sign On section, click Configuration.
On the Configuration page, click the Local accounts tab.
In the Password policy section, click Edit.
Modify the settings according to the requirements of your organization and click Save.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "8"
$maxLength = "20"
$minAlphabetic = "2"
$minLowercase = "1"
$minUppercase = "1"
$minNumerical = "1"
$minSpecial = "1"
$maxIdenticalAdjacent = "1"
$history = "5"

Perform the configuration by running the command in the PowerShell console.

Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history

Configure the Local User Password Complexity Policy for vCenter Server

Define the password format requirements for the local users of the vCenter Server appliances in VMware Cloud Foundation, such as the root account.


Setting	Default Value	Description
minlen	6	Minimum password length
lcredit	-1	Maximum number of lowercase characters that will generate a credit
ucredit	-1	Maximum number of uppercase characters that will generate a credit
dcredit	-1	Maximum number of digits that will generate a credit
ocredit	-1	Maximum number of other characters that will generate a credit
difok	4	Minimum number of characters that must be different from the old password
remember	5	Maximum number of passwords the system remembers

UI Procedure

Log in to the vCenter Server appliance for a workload domain using SSH as root.
Enable shell access.
```
shell
```

Back up the password requirements for the appliance by using the following command.

cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back

Verify that all settings for configuring password requirements for vCenter Server local users are added in the /etc/pam.d/system-password file.

# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  requisite   pam_pwquality.so  dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
password  required    pam_pwhistory.so  remember=5 retry=3 enforce_for_root use_authtok
password  required    pam_unix.so       sha512 use_authtok shadow try_first_pass
# End /etc/pam.d/system-password

If some settings are missing in the /etc/pam.d/system-password file, add them manually.

After all required settings are added in the /etc/pam.d/system-password file, set their values according to the requirements of your organization using the following commands.

sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-passwords
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password

Repeat this procedure on the vCenter Server instances for the remaining workload domains.

PowerShell Procedure

Start Windows PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "6"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumeric = "-1"
$minSpecial = "-1"
$minUnique = "4"
$history = "5"

Perform the configuration by running the command in the PowerShell console.

Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history

Repeat this procedure for all VI workload domains.

Configure the Local User Password Complexity Policy for NSX Manager

Define the password format requirements for local users of the NSX Manager appliances in VMware Cloud Foundation.


Setting	Default Value	Description
minlen	12	Minimum password length Note: If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager.
lcredit	-1	Maximum number of lowercase characters that will generate a credit
ucredit	-1	Maximum number of uppercase characters that will generate a credit
dcredit	-1	Maximum number of digits that will generate a credit
ocredit	-1	Maximum number of other characters that will generate a credit
difok	0	Minimum number of characters that must be different from the old password
MAX_PASSWORD_LEN	128	Maximum Password Length
maxrepeat	0	Maximum number of consecutive characters allowed
maxsequence	0	Maximum number of times a single character may be repeated
remember	0	Maximum number of passwords the system remembers
hash_algorithm	sha512	Hash algorithm

UI Procedure

Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
Expand the VM folder containing the NSX Manager cluster for the management domain.
Select the first node of the NSX Manager cluster and click Launch web console.
Log in to the NSX Manager node as admin.
Start changing the password complexity policy by running the set password-complexity command.

In the prompt, set interactively the password complexity settings according to the requirements of your organization.

Minimum password length (leave empty to not change): <your_value>
Maximum password length (leave empty to not change): <your_value>
Lower characters (leave empty to not change): <your_value>
Upper characters (leave empty to not change): <your_value>
Numeric characters (leave empty to not change): <your_value>
Special characters (leave empty to not change): <your_value>
Minimum unique characters (leave empty to not change): <your_value>
Allowed similar consecutives (leave empty to not change): <your_value>
Allowed monotonic sequence (leave empty to not change): <your_value>
Hash algorithm (leave empty to not change): <your_value>
Password remembrance (leave empty to not change): <your_value>

Repeat this procedure on the remaining NSX Local Manager nodes for the management domain.
Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
Repeat this procedure on all NSX Global Manager nodes.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "12"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxLength = "128"
$maxRepeats = "0"
$maxSequence = "0"
$history = "0"
$hashAlgorithm = "sha512"

Perform the configuration by running the command in the PowerShell console.

Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxLength $maxLenth -maxRepeats $maxRepeats -maxSequence $maxSequence -history $history -hash_algorithm $hashAlgorithm

Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
Configure the password complexity policies on all NSX Global Manager clusters manually in the appliance console of each node.

Configure the Local User Password Complexity Policy for NSX Edge

Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.


Setting	Default Value	Description
minlen	15	Minimum password length Note: If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager.
lcredit	-1	Maximum number of lowercase characters that will generate a credit
ucredit	-1	Maximum number of uppercase characters that will generate a credit
dcredit	-1	Maximum number of digits that will generate a credit
ocredit	-1	Maximum number of other characters that will generate a credit
difok	0	Minimum number of characters that must be different from the old password
retry	3	Maximum number of retries

UI Procedure

If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
2. In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster for the workload domain.
3. Select the first node of the NSX Edge cluster and click Launch web console.
If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
Log in to the NSX Edge node as root.

Back up the password requirements for the appliance using the following command.

cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back

Verify that all settings for configuring password requirements for SDDC Manager users are added in the /etc/pam.d/common-password file.

#
# /etc/pam.d/common-password - password-related modules common to all services
#

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=12 difok=0 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password required pam_pwhistory.so use_authtok enforce_for_root remember=0
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

If some settings are missing in the /etc/pam.d/common-password file, add them manually.

Set these settings according to the requirements of your organization using the following commands.

sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password

Repeat this procedure on the remaining NSX Edge cluster nodes in the workload domain.
Repeat this procedure on all NSX Edge clusters in the remaining workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.

Start PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "15"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxRetry = "3"

Perform the configuration by running the command in the PowerShell console.

Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry

Repeat this procedure for all NSX Edge clusters in the remaining workload domains.

Configure the Local User Password Complexity Policy for SDDC Manager

Define the password format requirements for local users of the SDDC Manager appliance.


Setting	Default Value	Description
minlen	8	Minimum password length
lcredit	-1	Maximum number of lowercase characters that will generate a credit
ucredit	-1	Maximum number of uppercase characters that will generate a credit
dcredit	-1	Maximum number of digits that will generate a credit
ocredit	-1	Maximum number of other characters that will generate a credit
minclass	4	Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other)
difok	4	Minimum number of characters that must be different from the old password
retry	3	Maximum number of retries
maxsequence	0	Maximum number of times a single character may be repeated
remember	5	Maximum number of passwords the system remembers

UI Procedure

Log in to the SDDC Manager appliance using SSH as vcf.
Change to the root user.
```
su -
```

Back the password requirement using the following command.

cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back

Verify that all settings for configuring password requirements for SDDC Manager users are added in the /etc/pam.d/system-password file.

# Begin /etc/pam.d/system-password

password   required pam_pwhistory.so remember=5 retry=5 enforce_for_root use_authtok
password   required pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=7 difok=4 minclass=4 maxsequence=0 enforce_for_root
password   required pam_unix.so sha512 shadow use_authtok

# End /etc/pam.d/system-password

If some settings are missing in the /etc/pam.d/system-password file, add them manually.

After all required settings are added in the /etc/pam.d/system-password file, set their values according to the requirements of your organization using the following commands.

sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$rootPass = "VMw@re1!"
$minLength = "6"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "4"
$minClass = "4"
$maxSequence = "0"
$history = "5"
$maxRetry = "3"

Perform the configuration by running the command in the PowerShell console.

Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry