WilliamLam.com


How to check the number of days before ESXi password expires?

08.08.2023 by William Lam // 4 Comments

Local user accounts created in ESXi, including the root user, have a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the ESXi Advanced Setting called Security.PasswordMaxDays, which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organization's password management solution, which is responsible for keeping track of local passwords and notifying when they are about to expire. With that said, not everyone has a password management solution, so how do you quickly check how many days are left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage, but the version that ESXi ships is a stripped-down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant that the password expiry would need to be calculated manually and, luckily, this is not a new concept. The answer lies in the /etc/shadow file, which contains a number of fields that can be used to figure out the number of days left before an account expires or if it has already expired. I will not bore you with the details, but you can create the following shell script, which can run in the ESXi Shell, to provide you with the answer.

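#!/bin/ash
# Created from https://stackoverflow.com/a/14407682

set -euo pipefail

USERNAME="root"

# /etc/shadow field 5: maximum password age in days
MaxPasswordAge=$(grep "^${USERNAME}:" /etc/shadow | cut -d: -f5)

# Empty field (no maximum age set) or 0: report the password as non-expiring
if [ -z "${MaxPasswordAge}" ] || [ "${MaxPasswordAge}" -eq 0 ]; then
        echo -e "\nPassword for ${USERNAME} user does not expire\n"
        exit 0
fi

# /etc/shadow field 3: day of the last password change, in days since the epoch
PasswordLastChangeDate=$(grep "^${USERNAME}:" /etc/shadow | cut -d: -f3)
CurrentDay=$(date "+%s")

# Expiry day minus today, both expressed in days since the epoch
EVAL1=$((${MaxPasswordAge}+${PasswordLastChangeDate}))
EVAL2=$((${CurrentDay}/86400))
EVAL=$((${EVAL1}-${EVAL2}))

echo -e "\nDays left until ${USERNAME} user password expires: ${EVAL}\n"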

For testing purposes, I manually set the password expiry to 60 days using the chage utility, which is also used when configuring the ESXi Advanced Setting for password expiry. I then changed the root password and then two days later, I ran the shell script above and as expected, it states that I have 58 days before the root password expires.


To further operationalize this script, you could set up a cron job that runs on a weekly basis and, based on some % threshold, notifies you, for example by leveraging the ESXCLI syslog "mark" command to add a specific message which you can consume external to the ESXi host. Heck, you can even use netcat (nc) to do something interesting, but I will leave that as an exploration for the reader.
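The /etc/shadow calculation and the threshold idea above can be combined into one check that covers every account rather than a single hard-coded user. The following is an added example, not part of the original post: the function names, the 14-day warning window, the sample entries, and the handling of 99999 as "never" are assumptions of this sketch.

```shell
#!/bin/sh
# shadow(5) fields used: 1=user, 3=last change (days since epoch), 5=max age.
# expiry_status <shadow_line> <today_days> <warn_days>
# Prints "<user> <STATE> <days_left>"; STATE is NEVER, MUST_CHANGE,
# EXPIRED, WARN or OK.
expiry_status() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    last=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    # Empty field = no maximum age (shadow(5)); 0 mirrors the post's script;
    # treating the 99999 default as "never" is this example's assumption.
    if [ -z "$max" ] || [ -z "$last" ] || [ "$max" -eq 0 ] || [ "$max" -ge 99999 ]; then
        echo "$user NEVER -"; return 0
    fi
    # A last-change value of 0 forces a change at next login (shadow(5)).
    if [ "$last" -eq 0 ]; then echo "$user MUST_CHANGE 0"; return 0; fi
    left=$(( $last + $max - $2 ))
    if [ "$left" -lt 0 ]; then state=EXPIRED
    elif [ "$left" -le "$3" ]; then state=WARN
    else state=OK; fi
    echo "$user $state $left"
}

# expiry_alerts <today_days> <warn_days>   (shadow entries on stdin)
# Prints only the accounts that need attention.
expiry_alerts() {
    while IFS= read -r entry; do
        result=$(expiry_status "$entry" "$1" "$2")
        case $result in
            *" NEVER "*|*" OK "*) ;;
            *) echo "$result" ;;
        esac
    done
}

# Constructed sample entries (placeholder hashes); 19579 = 2023-08-10.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder:19577:0:60:7:::
dcui:*:13358:0:99999:7:::
svc_backup:$6$placeholder:19500:0:90:7:::
svc_old:$6$placeholder:19400:0:60:7:::
EOF
}

sample_shadow | expiry_alerts 19579 14
# On a host (assumed usage, e.g. from the weekly cron job suggested above):
#   expiry_alerts "$(( $(date +%s) / 86400 ))" 14 < /etc/shadow
# Each output line can be passed to: esxcli system syslog mark --message="..."
```

The root entry reproduces the test described above (60-day maximum, changed two days earlier), so it is classified OK with 58 days left and is not reported.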


Comments

  1. Claudio says

    08/08/2023 at 10:13 am

    Great script!
    But I'm scratching my head... does line 9 override line 8?

  2. William Lam says

    08/08/2023 at 3:53 pm

    Yes! Sorry, that was some testing I was doing but must have forgotten to remove during my copy/paste. It's updated now.

  3. Abbed Sedkaoui says

    08/09/2023 at 3:09 am

    For folks in a VCF environment, we can get a nice HTML report for expired password and much more using a PowerShell module called PowerValidatedSolutions by Gary Blake that I found in this blog article:

    https://blogs.vmware.com/cloud-foundation/2023/01/31/vmware-validated-solutions-jan-2023-update/

    The article references version 2.0.0, but I reported issues using it and 2.0.1 came to light; I was using VCF 4.5 at the time.

    https://github.com/vmware/power-validated-solutions-for-cloud-foundation/releases/tag/v2.0.1

    The command I was using from the help example:
    ```
    Invoke-PasswordPolicyManager -sddcManagerFqdn vcf-m01-sddcm01.my.fqdn -sddcManagerUser *protected email* -sddcManagerPass VMware1! -sddcRootPass VMw@re123!VMw@re123! -reportPath K:\Reporting -darkMode -allDomains
    ```

    It might be worth also trying the latest:

    https://www.powershellgallery.com/packages/PowerValidatedSolutions/2.5.0.1010

  4. Alex says

    03/06/2024 at 2:11 am

    Great script William, with Security.PasswordMaxDays, once enforced, will it actually expire the password for the DCUI account? I know it acts as an agent for the direct console and cannot be modified or used by interactive users.

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
