
VSICM55 - Slide 02-41 - Configuring ESXi: root Access



1. Room for improvement

It is possible to change the default password complexity requirements.

1. Info

By default, ESXi uses the pam_passwdqc.so plug-in to set the rules that users must observe when creating passwords and to check password strength.

The pam_passwdqc.so plug-in lets you determine the basic standards that all passwords must meet. By default, ESXi imposes no restrictions on the root password. However, when non-root users attempt to change their passwords, the passwords they choose must meet the basic standards that pam_passwdqc.so sets.

A valid password should contain a combination of as many character classes as possible. Character classes include lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.

Note: When the number of character classes is counted, the plug-in does not count uppercase letters used as the first character in the password and numbers used as the last character of a password.
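The class-counting rule above is easy to get wrong in the other direction: a password such as "Password1" looks like three classes but pam_passwdqc counts it as one. The following Python is an added example, not code from the course or from VMware. It parses the min= option of a pam_passwdqc line (the format used in /etc/pam.d/passwd on ESXi 5.x), counts character classes with the leading-uppercase and trailing-digit discount, and applies the policy to constructed sample passwords. The two PAM lines, the sample passwords and the policy values are assumptions for illustration; only the retry= and min= option names and the min= field order (one class, two classes, passphrase, three classes, four classes, with "disabled" meaning never accepted) are pam_passwdqc's own. It models the length and class rules only, not the dictionary, similarity or max= checks.

```python
import re

# Constructed sample lines for /etc/pam.d/passwd on an ESXi 5.x host. They are
# assumptions for this example (check the real line on your host); retry= and
# min= are genuine pam_passwdqc options.
DEFAULT_LINE = ("password   requisite    /lib/security/$ISA/pam_passwdqc.so "
                "retry=3 min=8,8,8,7,6")
HARDENED_LINE = ("password   requisite    /lib/security/$ISA/pam_passwdqc.so "
                 "retry=3 min=disabled,disabled,16,12,10")


def parse_min(pam_line):
    """Return the five min= values as a tuple, with None for 'disabled'.
    Order: N0 one class, N1 two classes, N2 passphrase, N3 three, N4 four.
    pam_passwdqc requires the values not to increase from left to right."""
    m = re.search(r"(?:^|\s)min=(\S+)", pam_line)
    if not m:
        raise ValueError("pam_passwdqc line has no min= option")
    fields = m.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    vals = tuple(None if f == "disabled" else int(f) for f in fields)
    prev = float("inf")
    for v in vals:
        cur = float("inf") if v is None else v
        if cur > prev:
            raise ValueError("min= values must not increase left to right")
        prev = cur
    return vals


def count_classes(password):
    """Count character classes the way pam_passwdqc does (ASCII only):
    digits, lowercase, uppercase, other. An uppercase first character and
    a digit last character are discounted, because users put them there
    out of habit and they add no real strength."""
    if not password:
        return 0
    digits = sum(c.isdigit() for c in password)
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    others = len(password) - digits - lowers - uppers
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def word_count(password):
    """Words are runs of letters; the passphrase rule (passphrase=3 by
    default) needs at least that many of them."""
    return len(re.findall(r"[A-Za-z]+", password))


def check(password, mins, passphrase_words=3):
    """Apply a min= policy to one password. Returns (accepted, reason).
    Simplified model of pam_passwdqc: length and class rules only, no
    dictionary, similarity or max= checks."""
    n0, n1, n2, n3, n4 = mins
    length = len(password)
    classes = count_classes(password)
    words = word_count(password)
    by_classes = {1: n0, 2: n1, 3: n3, 4: n4}
    # pam_passwdqc walks the class count downward, so a password passes if it
    # is long enough for its own class count or for any lower one.
    for c in range(classes, 0, -1):
        need = by_classes[c]
        if need is not None and length >= need:
            return True, "accepted: %d class(es), length %d >= %d" % (classes, length, need)
        # Passphrases are letters plus separators, i.e. two classes; the
        # passphrase rule (N2) is tried when the walk reaches that level.
        if c == 2 and n2 is not None and words >= passphrase_words and length >= n2:
            return True, "accepted as a %d-word passphrase" % words
    return False, "rejected: %d class(es), length %d" % (classes, length)


if __name__ == "__main__":
    # Constructed sample passwords; "Password1" looks like three classes but
    # counts as one once the leading capital and trailing digit are discounted.
    samples = ["Password1", "Summer2013", "xK3#zq", "h0st-Adm!n-k3y",
               "correct horse battery staple"]
    for label, line in (("default", DEFAULT_LINE), ("hardened", HARDENED_LINE)):
        mins = parse_min(line)
        print("policy %s min=%s" % (label, mins))
        for pw in samples:
            ok, why = check(pw, mins)
            print("  %-30s classes=%d %s" % (pw, count_classes(pw), why))
```

Under the assumed default line, "Password1" is accepted because a one-class password only needs eight characters; under the hardened line it is rejected outright, because one- and two-class passwords are disabled and "Password1" contains a single word, so it cannot qualify as a passphrase either. Note that the hardened line still leaves "correct horse battery staple" acceptable through N2.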

1. Source

Instructions on how to configure the minimum password complexity requirements for ESXi hosts can be found in VMware Knowledge Base article 1012033, available at http://kb.vmware.com/kb/1012033.



2. Room for improvement

Effects of enforcing lockdown mode, and of the DCUI Access privilege.

2.a. Info

In the "vSphere Security" guide - "Securing ESXi Hosts" chapter - "Lockdown Mode" paragraph you read:

When a host is in lockdown mode, you cannot run vSphere CLI commands from an administration server, from a script, or from vMA against the host. External software or management tools might not be able to retrieve or modify information from the ESXi host.

Note: Users can be assigned DCUI access privileges explicitly via the DCUI Access advanced configuration option. The option has DCUI.Access as the key, and a comma-separated list of ESXi users as the value. Users in the list can access the DCUI at any time, even if these users are not administrators (Admin role), and even when the host is in lockdown mode.

Note: If you enable or disable lockdown mode using the Direct Console User Interface (DCUI), permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Client connected to vCenter Server.

2.a. Source

vSphere 5.5 Documentation Center.


2.b. Info

In the "vSphere Security" guide - "Securing ESXi Hosts" chapter - "Assigning Permissions for ESXi" paragraph - "Specify Users with DCUI Access in Lockdown Mode" topic you read:

In versions of vSphere earlier than vSphere 5.1, the root user can log into the DCUI on a host that is in lockdown mode. In vSphere 5.1, you can specify which local ESXi users are allowed to log in to the DCUI when the host is in lockdown mode. These special users do not need to have full administrative privileges on the host. Specifying users other than the anonymous root user allows you to log which users have performed operations on the host while it is in lockdown mode.

Important: When you disable lockdown mode using the DCUI, all users with the DCUI Access privilege are granted the Administrator role on the host.

By default, the root user is specified. You can remove root from the list of DCUI access users, as long as you specified at least one other user.

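Taken together, the notes in 2.a and 2.b describe a privilege change that is easy to miss: disabling lockdown mode from the DCUI throws away the host's permission entries and turns every user named in DCUI.Access into an Administrator. The following Python is an added example, not code from the course or from VMware, and it does not talk to a host; it builds and validates a DCUI.Access value under the rule that root may be removed only if another user remains, and models the permission outcome of disabling lockdown mode via vCenter versus via the DCUI so that an operator can see in advance who would gain Administrator and who would lose access. The sample user names and roles are constructed; the role name "Admin" follows the guide's wording. Reading or writing DCUI.Access on a real host is done through the host's advanced settings and is outside this example.

```python
ADMIN_ROLE = "Admin"  # the guide refers to the Administrator (Admin) role


def parse_dcui_access(value):
    """Parse a DCUI.Access value: a comma-separated list of local ESXi user
    names. Whitespace is stripped, empty entries and duplicates are dropped,
    and the original order is kept."""
    users = []
    for item in value.split(","):
        name = item.strip()
        if name and name not in users:
            users.append(name)
    return users


def build_dcui_access(users):
    """Build a DCUI.Access value. Enforces the rule from the guide: root may
    be dropped from the list only if at least one other user remains, so an
    empty list is never produced."""
    users = parse_dcui_access(",".join(users))
    if not users:
        raise ValueError("DCUI.Access must name at least one user")
    return ",".join(users)


def permissions_after_disabling_lockdown(host_permissions, dcui_access, via):
    """Model the outcome the guide describes. host_permissions maps user ->
    role on the host before the change. Disabling lockdown mode through
    vCenter keeps those permissions; disabling it from the DCUI discards them
    and grants the Administrator role to every user in DCUI.Access."""
    if via == "vcenter":
        return dict(host_permissions)
    if via == "dcui":
        return {user: ADMIN_ROLE for user in parse_dcui_access(dcui_access)}
    raise ValueError("via must be 'vcenter' or 'dcui'")


def privilege_changes(before, after):
    """Return (gained_admin, lost_access): users who end up with Administrator
    without having had it, and users whose host permission disappears."""
    gained = sorted(u for u, r in after.items()
                    if r == ADMIN_ROLE and before.get(u) != ADMIN_ROLE)
    lost = sorted(u for u in before if u not in after)
    return gained, lost


if __name__ == "__main__":
    # Constructed sample state for one host (not taken from a real system).
    before = {"root": ADMIN_ROLE, "ops-monitor": "ReadOnly", "backup-svc": "VMBackup"}
    dcui_access = build_dcui_access(["root", "auditor"])
    for via in ("vcenter", "dcui"):
        after = permissions_after_disabling_lockdown(before, dcui_access, via)
        gained, lost = privilege_changes(before, after)
        print("disable via %-7s -> gained Admin: %s; lost access: %s" % (via, gained, lost))
```

With the sample state, disabling via vCenter changes nothing, while disabling via the DCUI leaves "auditor" as an Administrator and removes the read-only and backup accounts, which is exactly why the guide tells you to toggle lockdown mode from vCenter when host permissions must survive.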
2.b. Source

vSphere 5.5 Documentation Center.


Last modified on Thursday, 12 December 2013 20:05