Cannot change password on ESXi 6.7 after modifying “Security.PasswordQualityControl”

Tags: pam, vmware-esxi, vmware-vsphere

See edit below for a workaround and possible explanation

According to the VMware documentation (as well as the documentation for pam_passwdqc) I should be able edit the Security.PasswordQualityControl setting to allow different password complexity types. So for example, I would try to use the following string to allow a password with 1 chartype with minimum length of 20:

retry=3 min=20,16,disabled,16,16

The problem is that after I make this change, I can no longer change any password for any user. When attempting a password change, I always receive the following error:

Failed to set the password. It is possible that your password does not meet the complexity criteria set by the system.

Furthermore, in the log is the actual error:

Failed – A general system error occurred: passwd: Critical error – immediate abort

Note that this is NOT the standard password complexity warning. The usual warning is something like "Weak password: too short." I expected that I had a typo in my setting string, but after poring over the docs I am convinced that the parameters are correct.

The odd part is that I can modify the last 2 parameters (for 3 and 4 chartype passwords) to my heart's content without issue. For example min=disabled,disabled,disabled,4,4 is fine and would allow me to use 4 character passwords. But as soon as I attempt to modify the first 2 parameters, I get a critical error no matter whose password I try to change and no matter whether or not I meet the complexity requirements. It's as if changing those first 2 numbers breaks something.

Does anyone have any idea how I can change this setting without breaking PAM?

EDIT: I found a workaround for the moment but I believe that this behaviour is due to a bug in the pam_passwdqc module.

The man page mentions the following:

Each subsequent number is required to be no larger than the preceding one.

It seems like the module considers a value of "disabled" to be equal to 0, therefore causing the above check to fail in my case. Since the above line specifically says "numbers" and it seems logical to be able to disable passphrase use (the 3rd number) while enabling the rest, the behaviour described in the man page is inconsistent with the program's behaviour and I consider this to be a bug.

So in short, the following will work:

min=disabled,20,20,12,12

But the following will not:

min=30,20,disabled,12,12
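A small model of the rule quoted from the man page, added here as an illustration; it is not code from the question, the answer, or the passwdqc project. It lets an administrator test a candidate Security.PasswordQualityControl string offline before applying it, instead of discovering a broken PAM stack at the next password change. The assumptions are labelled in the code: the five min= slots are taken in the order the question uses them (1 class, 2 classes, passphrase, 3 classes, 4 classes), "disabled" is treated as sorting above any numeric length when the non-increasing rule is applied (that reading rejects both of the failing strings on this page and accepts the working one), and the character-class counting is a simplified version of what pam_passwdqc does.

```python
"""Offline check of pam_passwdqc-style 'min=' settings.

Added example, not passwdqc's own parser.  Assumptions:
  * slots: min=<1 class>,<2 classes>,<passphrase>,<3 classes>,<4 classes>
  * 'disabled' sorts above every numeric length for the ordering rule
  * class counting is simplified (no special-casing of leading capitals
    or trailing digits, which the real module applies)
"""
from typing import List, Union

MinVal = Union[int, float]
DISABLED: MinVal = float("inf")          # assumption: larger than any number
SLOT_FOR_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}  # slot 2 is the passphrase minimum


def parse_min(spec: str) -> List[MinVal]:
    """Parse 'min=a,b,c,d,e' and enforce the documented rule that each
    subsequent value is no larger than the preceding one.

    Raises ValueError with the reason, so a caller can vet a string
    before writing it into the advanced setting or /etc/pam.d/passwd.
    """
    if not spec.startswith("min="):
        raise ValueError("expected a 'min=' prefix")
    parts = spec[len("min="):].split(",")
    if len(parts) != 5:
        raise ValueError(f"min= needs exactly 5 values, got {len(parts)}")
    values: List[MinVal] = []
    for i, part in enumerate(parts):
        if part == "disabled":
            value: MinVal = DISABLED
        elif part.isdigit():
            value = int(part)
        else:
            raise ValueError(f"slot {i}: {part!r} is neither a number nor 'disabled'")
        if values and value > values[-1]:
            raise ValueError(
                f"slot {i} ({part}) is larger than slot {i - 1} ({parts[i - 1]}); "
                "each subsequent number must be no larger than the preceding one"
            )
        values.append(value)
    return values


def check_quality_control(setting: str) -> str:
    """Validate a whole 'retry=N min=...' string.

    Returns 'ok' or a 'rejected: ...' explanation.  Only the two options
    used on this page are modelled (assumption).
    """
    for token in setting.split():
        if token.startswith("min="):
            try:
                parse_min(token)
            except ValueError as exc:
                return f"rejected: {exc}"
        elif token.startswith("retry="):
            if not token[len("retry="):].isdigit():
                return f"rejected: bad retry value {token!r}"
        else:
            return f"rejected: unknown option {token!r}"
    return "ok"


def char_classes(password: str) -> int:
    """Count classes present: digits, lowercase, uppercase, other (simplified)."""
    return sum([
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(not c.isalnum() for c in password),
    ])


def required_length(password: str, mins: List[MinVal]) -> MinVal:
    """Minimum length that applies to this password under the parsed mins."""
    return mins[SLOT_FOR_CLASSES.get(char_classes(password), 0)]


def password_meets(password: str, mins: List[MinVal]) -> bool:
    """True if the password is long enough for its class count."""
    return len(password) >= required_length(password, mins)


if __name__ == "__main__":
    # Constructed candidates, including the strings from the question.
    for candidate in (
        "retry=3 min=20,16,disabled,16,16",
        "retry=3 min=disabled,20,20,12,12",
        "retry=3 min=30,20,disabled,12,12",
        "retry=3 min=disabled,disabled,disabled,4,4",
    ):
        print(f"{candidate:45} -> {check_quality_control(candidate)}")
    mins = parse_min("min=disabled,20,20,12,12")
    for pw in ("a" * 40, "Abcdef1!xyz", "Abcdef1!xyz2"):   # constructed samples
        print(f"{pw!r}: requires {required_length(pw, mins)}, ok={password_meets(pw, mins)}")
```

Run with any Python 3 interpreter; the script prints which of the candidate strings pass the ordering rule and what length each sample password would need. The value of testing this way is that a rejected min= string never reaches the live PAM stack, where the observed failure mode is that no account can change its password until the setting is reverted.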

Best Answer

This finding might be wrong.
I had similar issues and finally found out, my changes to /etc/pam.d/passwd have been wrong.

Correctly applied and working example for ESXi 6.x:

password   requisite    /lib/security/$ISA/pam_passwdqc.so retry=3 min=1,1,1,1,1
password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
password   required     /lib/security/$ISA/pam_deny.so