Saturday, August 14, 2010

KB Article from VMware for Security Bug in ESX 4.1 and ESXi 4.1

ESX 4.1 and ESXi 4.1 root passwords are authenticated up to only 8 characters

Details

When you set a password in ESX/ESXi 4.1, the pam_passwdqc plug-in parameter max=nn sets the maximum length allowed for a password. The intended behavior is:  

  • For all max values except 8, proposed passwords that exceed the given max value length are not accepted.
  • For the special value max=8, proposed passwords longer than 8 characters are not rejected, but passwords are truncated to 8 characters. After the password has been accepted and changed, a password submitted for authentication will also be truncated to 8 characters.

By default, no max value is configured for ESX/ESXi 4.1. The default max value for the plug-in is 40. This should be the operational max value for password submission. When the default configuration is used, passwords should not be truncated, either when setting them or when they are authenticated.

In ESX/ESXi 4.1, after a password is accepted by the pam_passwdqc plug-in, ESX/ESXi behaves as if the max value is 8. When a new password is submitted, the default 40-character maximum is enforced. Thereafter, password authentication behaves as if the max value is 8, and only the first 8 characters of the password are necessary for authentication.

Solution

For ESX:

Add md5 to the file /etc/pam.d/system-auth.

1. Log in to the service console and acquire root privileges.
2. Change to the directory /etc/pam.d/.
3. Use a text editor to open the file system-auth.
4. Add md5 to the following line, as shown:

    password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

   Optionally, you can use the following sed command to accomplish this:

    sed -e '/password.*pam_unix.so/s/$/ md5/' -i /etc/pam.d/system-auth

5. Reset the password. If you do not change the password, ESX continues to use the truncated password.

For ESXi:

Add md5 to the file /etc/pam.d/system-auth.

1. Access Tech Support Mode. (See KB 1017910.)
2. Change to the directory /etc/pam.d/.
3. Use a text editor to open the file system-auth.
4. Add md5 to the following line, as shown:

    password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5

5. (Optional) If you want the change to persist when you restart ESXi, you must add the following line to the file /etc/rc.local:

    sed -e '/password.*pam_unix.so.* md5/q' -e '/password.*pam_unix.so/s/$/ md5/' -i /etc/pam.d/system-auth

6. Reset the password. If you do not change the password, ESXi continues to use the truncated password.

VMware expects to release a permanent solution to this issue sometime in the future. We recommend that you remove the workaround from ESXi systems when you install the permanent solution.
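
A check for the workaround state described above, as an added example that is not part of the KB article or VMware's own code: it verifies that the pam_unix.so password line carries md5 and that an account's stored hash was regenerated after the change. It assumes the 8-character behaviour corresponds to the traditional 13-character DES crypt hash format and that MD5 hashes start with $1$; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Succeeds if the pam_unix.so password line carries the md5 option.
pam_has_md5() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]]md5([[:space:]]|$)' "$1"
}

# Classify a shadow hash field by its format (assumption: DES = 13 chars, no $ prefix).
hash_scheme() {
    case "$1" in
        '$1$'*)       echo md5 ;;
        ''|'!'*|'*'*) echo locked-or-empty ;;
        '$'*)         echo other ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo other; fi ;;
    esac
}

# Usage: audit_account PAM_FILE SHADOW_FILE USER
audit_account() {
    hash=$(awk -F: -v u="$3" '$1 == u { print $2 }' "$2")
    scheme=$(hash_scheme "$hash")
    if ! pam_has_md5 "$1"; then
        echo "workaround-missing"       # md5 not on the pam_unix.so line
    elif [ "$scheme" = des ]; then
        echo "password-not-reset"       # old truncating hash still stored
    elif [ "$scheme" = md5 ]; then
        echo "ok"
    else
        echo "check-manually:$scheme"
    fi
}

# Constructed sample files (hash values are placeholders, not real hashes).
make_samples() {
    printf '%s\n' 'password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow' > "$1/pam_before"
    printf '%s\n' 'password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5' > "$1/pam_after"
    printf '%s\n' 'root:aaBBccDDeeFF1:14800:0:99999:7:::' > "$1/shadow_des"
    printf '%s\n' 'root:$1$saltsalt$0123456789abcdefghijkl:14800:0:99999:7:::' > "$1/shadow_md5"
}

d=$(mktemp -d) && make_samples "$d"
audit_account "$d/pam_before" "$d/shadow_des" root   # before the workaround
audit_account "$d/pam_after"  "$d/shadow_des" root   # md5 added, password not reset
audit_account "$d/pam_after"  "$d/shadow_md5" root   # md5 added and password reset
rm -rf "$d"
```

On a host, point it at copies of /etc/pam.d/system-auth and /etc/shadow; a result of password-not-reset corresponds to skipping the final "Reset the password" step.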