vSphere ESXi 4.1 Password Policy Does Not Persist Across Reboot

Posted on July 27th, 2011 under Virtualization Security, VMware by Josh Perkins

Stumbled upon an issue with the latest release of vSphere ESXi 4.1 Update 1 (fully patched): after following VMware KB 1032666 to modify the ESXi default password hashing from MD5 to something stronger such as SHA-256 or SHA-512, the change does not persist across a reboot. Some federal government agencies cannot use MD5 for password hashing since it is considered cracked (see Wikipedia: MD5). Tried two different “approved” ways to edit the system-auth PAM file. One, use [#chmod 644 system-auth] to set permissions on the file so that it is user editable (or just use :wq! after editing). Two, use [#chmod +t system-auth] before editing. Unfortunately, after a reboot the system-auth file returns to its pre-edited version.

I opened an SR with VMware and they in turn opened a PR and shortly thereafter confirmed the issue is not by design and in fact is a bug. VMware estimates that this issue will be resolved in the Update 2 release of vSphere ESXi 4.1. Haven’t had a chance to see if the issue is present in vSphere ESXi 5.0.
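A check that can be run after each reboot to see whether the system-auth edit survived, as an added example that is not from the original post or from VMware. It assumes the hash option (`md5`, `sha256` or `sha512`) sits on a pam_unix `password` line; the function names, the file path passed in and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample PAM lines below are constructed, not copied from ESXi.

# Print the hash option on the pam_unix "password" line: md5, sha256 or sha512;
# "unset" if the line names none, "no-pam_unix" if no such line, "missing" if unreadable.
pam_hash_algo() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines do not count
        $1 == "password" && /pam_unix/ {
            seen = 1
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(md5|sha256|sha512)$/) algo = $i
        }
        END { print (algo != "" ? algo : (seen ? "unset" : "no-pam_unix")) }
    ' "$1"
}

# Classify a stored crypt(3) hash by its prefix. The PAM option only affects
# passwords set after the edit, so existing shadow entries may still be MD5.
crypt_algo() {
    case "$1" in
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        *)      echo other ;;
    esac
}

# check_policy FILE WANT: status 0 if FILE configures WANT, 1 if it has drifted.
check_policy() {
    have=$(pam_hash_algo "$1")
    if [ "$have" = "$2" ]; then
        echo "OK: $1 configures $have"
    else
        echo "DRIFT: $1 configures $have, expected $2"
        return 1
    fi
}

# Demo on constructed files: the edited file, then the file as it looks once reverted.
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'password required pam_unix.so use_authtok shadow sha512' > "$tmp/edited"
printf '%s\n' '#%PAM-1.0' 'password required pam_unix.so use_authtok shadow md5' > "$tmp/reverted"
check_policy "$tmp/edited" sha512 || true
check_policy "$tmp/reverted" sha512 || true
crypt_algo '$1$constructed$hash'
rm -rf "$tmp"
```

On a host, `check_policy` would be pointed at the real system-auth file and its non-zero status used to raise an alert when the file has reverted.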
