ESX/ESXi 4.1 password flaw

All,

Thanks to JustinC71 for pointing this out in the forums.

VMware ESX and ESXi 4.1 contain a flaw in which only the first eight characters of the root password are processed.  As long as the first eight characters typed match the first eight characters of the password, the login will succeed.  Obviously, for organizations that use passwords longer than eight characters, this could be considered a significant security issue.  VMware has created Knowledge Base article 1024500 to address this issue and to provide mitigation instructions for both ESX and ESXi.

The Knowledge Base article indicates that the company intends to correct this flaw, at which point you should remove the temporary workarounds.

To make life a little easier for you, I’ve pasted VMware’s workaround instructions below.

For ESX:
Add md5 to the file /etc/pam.d/system-auth.

   1. Log in to the service console and acquire root privileges.
   2. Change to the directory /etc/pam.d/.
   3. Use a text editor to open the file system-auth.
   4. Add md5 to the following line, as shown:
      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

      Optionally, you can use the following sed command to accomplish this:
      sed -e '/password.*pam_unix.so/s/$/ md5/' -i /etc/pam.d/system-auth

   5. Reset the password. If you do not change the password, ESX continues to use the truncated password.

For ESXi:
Add md5 to the file /etc/pam.d/system-auth.

   1. Access Tech Support Mode. (See KB 1017910.)
   2. Change to the directory /etc/pam.d/.
   3. Use a text editor to open the file system-auth.
   4. Add md5 to the following line, as shown:
      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5
   5. (Optional) If you want the change to persist when you restart ESXi, you must add the following line to the file /etc/rc.local:
      sed -e '/password.*pam_unix.so.* md5/q' -e '/password.*pam_unix.so/s/$/ md5/' -i /etc/pam.d/system-auth
   6. Reset the password. If you do not change the password, ESXi continues to use the truncated password.
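
Both procedures end with a password reset, because an entry hashed before the change keeps the truncated behaviour. The following script is an added example, not part of VMware's instructions: it checks that the pam_unix.so password line carries md5 and lists accounts whose shadow entry has not been re-hashed. It assumes the pre-workaround entries are 13-character traditional crypt hashes; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): audit the md5 workaround.

# Succeeds only if every "password ... pam_unix.so" line lists the md5 option.
pam_has_md5() {
    awk '$1 == "password" && /pam_unix\.so/ {
             seen = 1; ok = 0
             for (i = 2; i <= NF; i++) if ($i == "md5") ok = 1
             if (!ok) bad = 1
         }
         END { exit ((seen && !bad) ? 0 : 1) }' "$1"
}

# Prints accounts whose shadow entry is still a 13-character traditional
# crypt hash (assumption), i.e. whose password was not reset after the change.
legacy_hash_users() {
    awk -F: '{ h = $2; sub(/^!+/, "", h)
               if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") print $1 }' "$1"
}

# Constructed sample files (assumed contents, not real hashes).
demo=$(mktemp -d)
cat > "$demo/pam.before" <<'EOF'
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow
EOF
cat > "$demo/pam.after" <<'EOF'
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5
EOF
cat > "$demo/shadow" <<'EOF'
root:aB3dEfGhIjKlM:14800:0:99999:7:::
vpxuser:$1$cnstrctd$0123456789abcdefghijkl:14800:0:99999:7:::
daemon:*:14800:0:99999:7:::
EOF

pam_has_md5 "$demo/pam.before" || echo "pam.before: md5 missing"
pam_has_md5 "$demo/pam.after"  && echo "pam.after: md5 present"
echo "still on truncating hashes: $(legacy_hash_users "$demo/shadow")"
```

On a host, call the two functions with /etc/pam.d/system-auth and /etc/shadow instead of the sample files; any account the second function prints still needs its password reset.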

—–

Follow me on Twitter: @otherscottlowe
