ESXI-65-000032 - The ESXi host must prohibit the reuse of passwords within five iterations.

Information

If a user, including root, were to use the same password continuously or were allowed to change it back shortly after being forced to change it to something else, a potential intruder would have the opportunity to keep guessing at that user's password until it was guessed correctly.

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/pam.d/passwd':

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
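The following POSIX shell check is an added example for verifying this setting; it is not part of the STIG or of the Tenable audit. It reads the pam_unix.so entry of the password stack, rejects commented-out lines, and passes only when a numeric remember= option of at least 5 is present. The sample PAM files it creates under a temporary directory are constructed for the demonstration and are not captured from an ESXi host; the function defaults to /etc/pam.d/passwd when given no path.

```shell
#!/bin/sh
# Added example (not from the STIG or Tenable): confirm that the pam_unix.so
# line in /etc/pam.d/passwd enforces remember=N with N >= 5.
# Usage: check_pam_remember [pam-file] [minimum]   (defaults: /etc/pam.d/passwd, 5)

check_pam_remember() {
    pam_file="${1:-/etc/pam.d/passwd}"
    min_remember="${2:-5}"
    [ -r "$pam_file" ] || { echo "FAIL: cannot read $pam_file" >&2; return 2; }

    # Only an active (uncommented) 'password' entry for pam_unix.so counts.
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so' "$pam_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no active pam_unix.so password line in $pam_file" >&2
        return 1
    fi

    # Pull the numeric value out of remember=N; empty if the option is absent.
    remember=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]remember=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$remember" ]; then
        echo "FAIL: remember= not set on: $line" >&2
        return 1
    fi
    if [ "$remember" -lt "$min_remember" ]; then
        echo "FAIL: remember=$remember is below $min_remember on: $line" >&2
        return 1
    fi
    echo "PASS: remember=$remember in $pam_file"
    return 0
}

# Constructed sample PAM files (not from a real host) used to exercise the check.
# $1 = output path, $2 = module options to place on the pam_unix.so line.
make_sample() {
    printf '%s\n' \
        "#%PAM-1.0" \
        "# password sufficient /lib/security/\$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5" \
        "password sufficient /lib/security/\$ISA/pam_unix.so $2" > "$1"
}

# Runs the check against a compliant, a weak, and a missing configuration.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/compliant" "use_authtok nullok shadow sha512 remember=5"
    make_sample "$tmp/weak"      "use_authtok nullok shadow sha512 remember=3"
    make_sample "$tmp/missing"   "use_authtok nullok shadow sha512"
    for f in compliant weak missing; do
        check_pam_remember "$tmp/$f" || true
    done
    rm -rf "$tmp"
}
```

The commented-out line in the sample exists to show that a remembered setting left behind as a comment does not satisfy the check; only the active entry is evaluated. Run `demo` to see one PASS and two FAIL results, or call `check_pam_remember` with no arguments on the host itself.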

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y23M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|II, CCI|CCI-000200, Rule-ID|SV-207633r378763_rule, STIG-ID|ESXI-65-000032, STIG-Legacy|SV-104097, STIG-Legacy|V-94011, Vuln-ID|V-207633

Plugin: Unix

Control ID: 635eaab79c717bcc5ee6509708de1b618c172347011a67bb7316d6d6f12529e9