• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

virtuallyGhetto

  • About
  • Privacy
  • VMware Cloud
  • Home Lab
  • Nested Virtualization
  • Automation
    • VMware Kickstart
    • VMware API/SDK/CLI
    • VMware vMA/VIMA
    • VMware OVF / OVFTOOL
  • Apple Mac
  • VCSA
  • VSAN
You are here: Home / VCSA / Administrator password expiration in new VCSA 5.5

Administrator password expiration in new VCSA 5.5

09/05/2013 by William Lam 4 Comments

A new security enhancement that you should be aware of when deploying the new vCenter Server Appliance (VCSA) 5.5 is that there is now a password expiration that is enabled for the administrator account (root) after powering on the VCSA. By default, the password will expire 90 days after and if the password is not changed before the expiration, the account will be locked out of the VAMI interface and the SSH console. From a security point of view, this is a nice feature to have to ensure administrative passwords are automatically rotated, however this can also be an administrative challenge if you are not aware of this new change and you suddenly notice you can no longer login after 90 days.

You can find the password expiration settings under the Admin tab of the VAMI interface. You have the ability to enable or disable the feature as well as change the number of days the password is valid for. If you decide to change the default number of days, you will be required to enter an email address which will be used to email you 7 days prior to expiration which is the default.

In addition to using the VAMI interface to configure these settings, I was also interested to see if these settings can be automated through the command-line and with a bit of digging, these options can be completely controlled through the CLI!

We will be using the chage utility which manages user account expiry. To view the default settings for the root account or any other account, run the following command:

chage -l root

We can see from the screenshot above, the maximum days before expiration is 90 and the number of days to warn before expiration is 7 which matches the VAMI UI.

Lets say we want to change the maximum days before expiration to 120 and instead of warning 7 days before expiration, we want to change it to 12, you can do so by running the following command:

chage -M 120 -W 12 root

If you wish to completely disable account password expiry, you can do so by running the following command:

chage -M -1 -E -1 root

You can also configure the email address through the command-line which is used to warn X days before password expiry. To add or update the email address, you will need to create a file called /etc/vmware-vpx/root.email that contains the email address.

From an operational perspective, you will want to ensure you configure an SMTP server in your vCenter Server after deploying the VCSA and ensure you add an email address so you can be notified before the root account password expires. You should also configure the maximum number of days before the password expire and the number of days to warn to match your internal security policies.

In the event that you lock yourself out, how do you go about recovering from this since you will not be able to login to the VAMI interface nor the SSH console? I have purposely configured one of my VCSA to expire the password in 1 day, so stay tune for a future article on how to recover from this.

Here is How to recover VCSA 5.5 from an expired administrator account article.

More from my site

  • How to recover VCSA 5.5 from an expired administrator account?
  • New vCenter Server Simulator 2.0 enhancements in VCSA 5.5
  • Automating SSL Certificate Regeneration in VCSA 5.1 & 5.5 (vCenter Server Appliance)
  • Dude, Where’s My vCenter Server 5.1 Components Installed At?
  • Automating VCSA Network Configurations For Greenfield Deployments
Share this...
  • Twitter
  • Facebook
  • Linkedin
  • Reddit
  • Pinterest

Filed Under: VCSA, vSphere 5.5 Tagged With: chage, lockout, password, security, vami, vcenter, vcsa, vcva, vSphere 5.5

Reader Interactions

Comments

  1. Greg Smith says

    12/18/2013 at 2:35 am

    Great article. Thanks for the help!

    Reply
  2. Ravinder Kumar says

    01/19/2014 at 9:07 am

    You save my day, thanks for sharing this article.

    Reply
  3. Adam Lenke says

    06/17/2016 at 10:17 am

    We accidentally changed our root password and we had several services utilizing that password. How many passwords until you can reuse?

    Reply

Trackbacks

  1. VMware Link Collection | Life says:
    10/31/2014 at 4:15 am

    […] first! (Viktorious.nl) VMware vCenter Server 5.5: Installable vs Appliance (Virtual To The Core) Administrator password expiration in new VCSA 5.5 (Virtually Ghetto) vPostgres Database Backup in vCSA 5.5 (vNinja) What’s New in vCloud Suite 5.5: […]

    Reply

Thanks for the comment! Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Services Business Unit (CSBU) at VMware. He focuses on Automation, Integration and Operation for the VMware Cloud Software Defined Datacenters (SDDC)

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Sponsors

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy