Password policies include password expiration policy, password complexity policy, and account lockout policy.

For the Site Protection and Disaster Recovery for VMware Cloud Foundation validated solution, you configure the password policies for the local users of the vSphere Replication and Site Recovery Manager appliances.
  • Password expiration policy defines the length of time a credential’s password is valid before the system forces a password change.
  • Password complexity policy defines the minimum requirements surrounding the definition of an account’s password.
  • Account lockout policy defines the behavior of the system when incorrect credentials are used for authenticating to the system.

Configure the Local User Password Expiration Policy for Site Protection and Disaster Recovery for VMware Cloud Foundation

For local users of the vSphere Replication and the Site Recovery Manager appliances, you configure the password expiration policy on a per-user basis.

Table 1. Default Password Expiration Policy for vSphere Replication and Site Recovery Manager

  Local User   Setting    Default   Description
  root         maxdays    99999     Maximum number of days between password change
               mindays    0         Minimum number of days between password change
               warndays   7         Number of days of warning before a password expires

Procedure

  1. Log in to the vSphere Replication appliance by using a Secure Shell (SSH) client at <vrms_fqdn>:22 as root.
  2. Change the value of the maximum number of days between password change by running the following command.
    chage --maxdays <your_value> root
  3. Change the value of the minimum number of days between password change by running the following command.
    chage --mindays <your_value> root
  4. Change the value of the number of days of warning before the password expires by running the following command.
    chage --warndays <your_value> root
  5. Verify the configuration of the desired values by running the following command.
    chage --list root
  6. Repeat the procedure for the admin user and the remaining vSphere Replication appliances.
  7. Repeat the procedure for the Site Recovery Manager appliance.
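The procedure above sets the three chage values one command at a time and leaves the reader to compare the output of chage --list by eye. The following POSIX shell script is an added example, not part of the VMware documentation: it applies the Table 1 settings to each local user with a single chage call and then verifies the result by parsing the chage --list rows, so a mismatch fails the run instead of going unnoticed. The policy values (90, 1, 7), the user list, and the function names chage_field, check_expiration and apply_expiration are assumptions made for the example; the chage --list sample used for checking is constructed.

```shell
#!/bin/sh
# Added example (not part of the VMware documentation): apply the per-user
# password expiration policy from Table 1 with chage and verify it by parsing
# the output of `chage --list`. Policy values and user list are assumptions.
POLICY_MAXDAYS=90
POLICY_MINDAYS=1
POLICY_WARNDAYS=7
POLICY_USERS="root admin"

# chage_field LABEL: print the value of the `chage --list` row (read on stdin)
# whose label starts with LABEL, with surrounding whitespace removed.
chage_field() {
    awk -F ':' -v label="$1" '
        index($0, label) == 1 {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }'
}

# check_expiration MAXDAYS MINDAYS WARNDAYS: read `chage --list` output on
# stdin and compare the three rows with the expected values. Returns 0 when
# all match; otherwise prints each mismatch on stderr and returns 1.
check_expiration() {
    out=$(cat)
    rc=0
    for pair in \
        "Maximum number of days between password change=$1" \
        "Minimum number of days between password change=$2" \
        "Number of days of warning before password expires=$3"
    do
        label=${pair%=*}
        want=${pair##*=}
        got=$(printf '%s\n' "$out" | chage_field "$label")
        if [ "$got" != "$want" ]; then
            echo "mismatch: $label: got '$got', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# apply_expiration USER: set the policy with one chage call, then fail
# unless `chage --list` reports exactly the values that were requested.
apply_expiration() {
    chage --maxdays "$POLICY_MAXDAYS" --mindays "$POLICY_MINDAYS" \
          --warndays "$POLICY_WARNDAYS" "$1" || return 1
    chage --list "$1" | check_expiration "$POLICY_MAXDAYS" "$POLICY_MINDAYS" "$POLICY_WARNDAYS"
}

# Usage on the appliance, as root:  sh expiration.sh apply
if [ "${1:-}" = "apply" ]; then
    for u in $POLICY_USERS; do
        apply_expiration "$u" || exit 1
    done
fi
```

Run it once per appliance; because the verification reads chage --list back, the same script can be run again later as a compliance check without changing anything when the values already match.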

Configure the Local User Password Complexity Policy for Site Protection and Disaster Recovery for VMware Cloud Foundation

The password complexity policy for local users of the vSphere Replication and the Site Recovery Manager appliances determines the password format requirements on the basis of an account-specific set of rules. The settings in Table 2 are present in the PAM configuration by default, while the credit settings in Table 3 must be added.

Table 2. Default Password Complexity Policy for vSphere Replication and Site Recovery Manager

  Setting       Default   Description
  minlen        8         Minimum password length (number of characters)
  minclass      4         Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on)
  difok         4         Minimum number of characters that must be different from the old password
  maxsequence   0         Maximum number of times a single character can be repeated
  retry         3         Maximum number of retries
  remember      5         Maximum number of passwords the system remembers

Table 3. Additional Password Complexity Policy Settings for vSphere Replication and Site Recovery Manager

  Setting   Sample Value   Description
  dcredit   -1             Maximum number of digits that generate a credit
  ucredit   -1             Maximum number of uppercase characters that generate a credit
  lcredit   -1             Maximum number of lowercase characters that generate a credit
  ocredit   -1             Maximum number of other characters that generate a credit

Procedure

  1. Log in to the vSphere Replication appliance by using a Secure Shell (SSH) client at <vrms_fqdn>:22 as root.
  2. Back up the /etc/pam.d/system-password file for the appliance.
    cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
  3. Configure the settings according to the requirements of your organization. The first six commands replace values that already exist on the pam_pwquality.so line. The last four append the credit options to that line; run each of them only once, because running it again adds a duplicate option to the line.
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/minclass=[-]?[0-9]+/minclass=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/maxsequence=[-]?[0-9]+/maxsequence=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
    sed -i -E '/pam_pwquality.so/ s/$/ lcredit=<your_value>/' /etc/pam.d/system-password
    sed -i -E '/pam_pwquality.so/ s/$/ ocredit=<your_value>/' /etc/pam.d/system-password
    sed -i -E '/pam_pwquality.so/ s/$/ dcredit=<your_value>/' /etc/pam.d/system-password
    sed -i -E '/pam_pwquality.so/ s/$/ ucredit=<your_value>/' /etc/pam.d/system-password
  4. Verify the values.
    cat /etc/pam.d/system-password
  5. Repeat the procedure for the remaining vSphere Replication appliances.
  6. Repeat the procedure for the Site Recovery Manager appliance.

Configure the Local User Account Lockout Policy for Site Protection and Disaster Recovery for VMware Cloud Foundation

To configure the account lockout policy for the local accounts for the vSphere Replication and the Site Recovery Manager appliances, decide on certain policy settings.

Table 4. Default Account Lockout Policy for vSphere Replication and Site Recovery Manager

  Setting            Default   Description
  deny               5         Maximum number of authentication failures before the account is locked
  unlock_time        1800      Amount of time in seconds that the account remains locked
  root_unlock_time   1800      Amount of time in seconds that the root account remains locked

Procedure

  1. Log in to the vSphere Replication appliance by using a Secure Shell (SSH) client at <vrms_fqdn>:22 as root.
  2. Back up the /etc/pam.d/system-auth file for the appliance by running the following command.
    cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-`date +%F_%H:%M:%S`.back
  3. Configure the maximum number of failed log-in attempts.
    sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
  4. Configure the unlock time for the root account.
    sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
  5. Configure the unlock time for all other local accounts. The pattern is anchored to the start of the option so that it does not also match inside root_unlock_time, which step 4 has already set.
    sed -i -E 's/(^|[[:space:]])unlock_time=[-]?[0-9]+/\1unlock_time=<your_value>/g' /etc/pam.d/system-auth
  6. Verify the values.
    cat /etc/pam.d/system-auth
  7. Repeat the procedure for the remaining vSphere Replication appliances.
  8. Repeat the procedure for the Site Recovery Manager appliance.
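Both the complexity procedure (Table 2 and Table 3) and the lockout procedure (Table 4) edit a PAM file with sed: existing values are substituted, new options are appended to the end of the module line, and a substring match such as unlock_time= would also hit root_unlock_time= unless it is anchored. The following POSIX shell script is an added example, not part of the VMware documentation, that serves both procedures with one helper: set_pam_option replaces an existing KEY=... token on the module line or appends KEY=VALUE when it is absent, so re-running it never duplicates an option, and because keys are matched as whole tokens, setting unlock_time leaves root_unlock_time alone. It assumes that pam_pwquality.so carries the complexity options (as on the page) and that the lockout options sit on a pam_faillock.so line in /etc/pam.d/system-auth; that module name, the function names, and the sample files used for checking are assumptions made for the example. apply_policies uses the page's default and sample values; your organization's values go there.

```shell
#!/bin/sh
# Added example (not part of the VMware documentation): idempotent editing of
# the PAM module lines that the complexity (Table 2/3) and lockout (Table 4)
# procedures change with sed. Assumptions: complexity options live on the
# pam_pwquality.so line (as on the page); lockout options live on a
# pam_faillock.so line (adjust MODULE_LOCKOUT if the appliance uses another module).
MODULE_PWQUALITY=pam_pwquality.so
MODULE_LOCKOUT=pam_faillock.so

# set_pam_option FILE MODULE KEY VALUE
# On every non-comment line of FILE that names MODULE, replace an existing
# KEY=... token or append KEY=VALUE when no such token exists. KEY is matched
# as a whole token, so "unlock_time" never matches "root_unlock_time". The
# file is rewritten through cat so its owner and mode are preserved.
set_pam_option() {
    file=$1 module=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v mod="$module" -v key="$key" -v val="$value" '
        index($0, mod) && $0 !~ /^[ \t]*#/ {
            found = 0
            for (i = 1; i <= NF; i++)
                if (index($i, key "=") == 1) { $i = key "=" val; found = 1 }
            if (!found) $0 = $0 " " key "=" val
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_pam_option FILE MODULE KEY: print the current value of KEY on the first
# non-comment MODULE line of FILE (prints nothing when the option is absent).
get_pam_option() {
    awk -v mod="$2" -v key="$3" '
        index($0, mod) && $0 !~ /^[ \t]*#/ {
            for (i = 1; i <= NF; i++)
                if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
        }' "$1"
}

# backup_pam_file FILE: timestamped copy, as in the documented procedures.
backup_pam_file() {
    cp -p "$1" "$1-$(date +%F_%H:%M:%S).back"
}

# apply_policies: Table 2/3 values on system-password, Table 4 values on
# system-auth, then print the resulting module lines for verification.
# Usage on the appliance, as root:  sh pam_policy.sh apply
apply_policies() {
    backup_pam_file /etc/pam.d/system-password || return 1
    for kv in minlen=8 minclass=4 difok=4 maxsequence=0 retry=3 remember=5 \
              dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1; do
        set_pam_option /etc/pam.d/system-password "$MODULE_PWQUALITY" "${kv%%=*}" "${kv#*=}" || return 1
    done
    backup_pam_file /etc/pam.d/system-auth || return 1
    for kv in deny=5 unlock_time=1800 root_unlock_time=1800; do
        set_pam_option /etc/pam.d/system-auth "$MODULE_LOCKOUT" "${kv%%=*}" "${kv#*=}" || return 1
    done
    grep -n "$MODULE_PWQUALITY" /etc/pam.d/system-password
    grep -n "$MODULE_LOCKOUT" /etc/pam.d/system-auth
}

if [ "${1:-}" = "apply" ]; then
    apply_policies || exit 1
fi
```

Because each option is either replaced or appended exactly once, the script can be run on every appliance and re-run after an upgrade without inspecting the file first; get_pam_option gives a scriptable replacement for reading the whole file with cat in the verification steps.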