(How-To) Set NSX-T Local Account Password Expiry Policy
With the release of NSX-T 2.4.0 a new feature was introduced that improves the security of user accounts out of the box by:
1. Enforcing password complexity requirements
VMware password complexity requirements:
- At least 12 characters
- At least one lower-case letter
- At least one upper-case letter
- At least one digit
- At least one special character
- At least five different characters
- No dictionary words
- No palindromes
- Monotonic character sequences of more than four characters are not allowed
2. Setting a default password expiry of 90 days for all local accounts (i.e. root, admin and audit).
The feature is outlined in the NSX-T 2.4.0 Release Notes.
“Password Policy Enhancements: Enforces minimum password length of 12 characters for default passwords. Introduces ability to set password expiration times and generates alarms when password is about to expire. By default, passwords expire after 90 days.”
VMware NSX-T Data Center 2.4 Release Notes
Since a default password expiry of 90 days is now applied, this post covers how to view, edit and remove the password expiration settings. It is important to know how to modify this value to conform to your company’s password policies and avoid account lockout due to password expiration.
- Log in to the NSX-T manager CLI either via SSH or through the console with the ‘admin’ account.
To view the current password expiry for a given local account, run the following command.
get user admin password-expiration
Command Output:
nsxt-1> get user admin password-expiration
Password expires 90 days after last change
This can be run for all three of the local NSX manager user accounts: admin, audit and root.
To change the password expiration time for a local user account simply run the following command with the number of days appended to the end of the command. In this example we will be changing the password expiration for the admin account to 120 days.
set user admin password-expiration 120
To confirm the password expiration duration changed successfully, run the get user admin password-expiration command again.
If you want to remove the password expiration policy on any or all of the NSX manager local accounts, use the following command.
clear user admin password-expiration
To confirm the password expiration policy has been removed we can run the get user admin password-expiration command again. The output will look like this.
nsxt-1> get user admin password-expiration
Password expiration not configured for this user
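An added example, not part of the original post or of VMware's tooling: a small Python audit that parses saved output of the get user <name> password-expiration command, in the two output formats shown above, and flags local accounts whose expiry has been cleared, exceeds policy, or was never checked. The 90-day limit passed as max_days and the sample session are assumptions constructed for illustration.

```python
import re

# Output formats as shown on this page for `get user <name> password-expiration`.
PROMPT_RE = re.compile(r"^\S+>\s*get user (\S+) password-expiration$")
EXPIRES_RE = re.compile(r"^Password expires (\d+) days after last change$")
NOT_SET = "Password expiration not configured for this user"
LOCAL_ACCOUNTS = ("root", "admin", "audit")  # local accounts named on this page

def parse_transcript(text):
    """Map each queried account to its expiry in days (None = expiry cleared)."""
    results, current = {}, None
    for line in map(str.strip, text.splitlines()):
        prompt = PROMPT_RE.match(line)
        expires = EXPIRES_RE.match(line)
        if prompt:
            current = prompt.group(1)
        elif current and expires:
            results[current], current = int(expires.group(1)), None
        elif current and line == NOT_SET:
            results[current], current = None, None
    return results

def audit(results, max_days):
    """Return (account, finding) pairs for accounts that violate the policy."""
    findings = []
    for account in LOCAL_ACCOUNTS:
        if account not in results:
            findings.append((account, "not checked"))
        elif results[account] is None:
            findings.append((account, "expiration not configured"))
        elif results[account] > max_days:
            findings.append((account, f"{results[account]} days exceeds {max_days}"))
    return findings

# Constructed sample session (not captured from a real manager).
SAMPLE = """\
nsxt-1> get user admin password-expiration
Password expires 120 days after last change
nsxt-1> get user audit password-expiration
Password expiration not configured for this user
"""

if __name__ == "__main__":
    # max_days=90 is an assumed company policy value.
    for account, finding in audit(parse_transcript(SAMPLE), max_days=90):
        print(f"{account}: {finding}")
```

Because root is absent from the sample session, it is reported as "not checked" rather than silently passing.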