Local user accounts created in ESXi, including the root user, have a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the ESXi Advanced Setting Security.PasswordMaxDays, which is also referenced in the ESXi Security documentation along with other advanced configurations.
Password rotation or updates are typically managed by an organization's password management solution, which is responsible for keeping track of local passwords and notifying when they are about to expire. That said, not everyone has a password management solution, so how do you quickly check how many days are left before an account password expires on an ESXi host? I initially thought this would be pretty simple to figure out, especially with utilities like chage, but the version that ESXi ships is a stripped-down BusyBox build and it does not provide the expiry details that the typical chage does.
This meant that the password expiry would need to be calculated manually, and luckily this is not a new concept. The answer lies in the /etc/shadow file, which contains a number of fields that can be used to figure out the number of days left before an account's password expires, or whether it has already expired. I will not bore you with the details, but you can create the following shell script, which runs in the ESXi Shell and provides the answer.
```sh
#!/bin/ash
# Created from https://stackoverflow.com/a/14407682
set -euo pipefail

USERNAME="root"

# Field 5 of /etc/shadow: maximum password age in days (0 = no expiry)
MaxPasswordAge=$(grep "^${USERNAME}:" /etc/shadow | cut -d: -f5)

if [ "${MaxPasswordAge}" -eq 0 ]; then
    echo -e "\nPassword for ${USERNAME} user does not expire\n"
    exit 0
fi

# Field 3 of /etc/shadow: date of last password change, in days since 1970-01-01
PasswordLastChangeDate=$(grep "^${USERNAME}:" /etc/shadow | cut -d: -f3)
CurrentDay=$(date "+%s")

# Expiry day = last change + max age; today = epoch seconds / 86400
EVAL1=$((${MaxPasswordAge}+${PasswordLastChangeDate}))
EVAL2=$((${CurrentDay}/86400))
EVAL=$((${EVAL1}-${EVAL2}))

echo -e "\nDays left until ${USERNAME} user password expires: ${EVAL}\n"
```
For testing purposes, I manually set the password expiry to 60 days using the chage utility, which is also what is used when configuring the ESXi Advanced Setting for password expiry. I then changed the root password, and two days later I ran the shell script above; as expected, it reported 58 days before the root password expires.
To further operationalize this script, you could set up a cron job that runs weekly and, based on some percentage threshold, notifies you, for example by using the ESXCLI syslog "mark" command to add a specific message that you can consume externally to the ESXi host. Heck, you could even use netcat (nc) to do something interesting, but I will leave that as an exploration for the reader.
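The same /etc/shadow arithmetic, factored into functions so it can be checked against a constructed shadow file and a fixed "now", and extended to report accounts that have already expired. This is an added example, not the script from the post; the sample entries, placeholder hashes and the `days_left`/`report_user` names are constructed for illustration.

```sh
#!/bin/sh
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and max are counted in days since 1970-01-01.

# days_left SHADOW_LINE NOW_EPOCH_SECONDS
# Prints days remaining (negative once expired), or "never" when the max-age
# field is 0 or empty. Returns 1 if the numeric fields are malformed.
days_left() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    maxage=$(printf '%s\n' "$1" | cut -d: -f5)
    case "$maxage" in
        ''|0) echo never; return 0 ;;
        *[!0-9]*) return 1 ;;
    esac
    case "$lastchg" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $(( lastchg + maxage - $2 / 86400 ))
}

# report_user USERNAME SHADOW_FILE NOW_EPOCH_SECONDS
# Prints one status line; returns 1 if the user is missing or unparseable.
report_user() {
    entry=$(grep "^$1:" "$2") || { echo "$1: no shadow entry"; return 1; }
    left=$(days_left "$entry" "$3") || { echo "$1: unparseable entry"; return 1; }
    case "$left" in
        never) echo "$1: password does not expire" ;;
        -*)    echo "$1: password expired $(( 0 - left )) day(s) ago" ;;
        *)     echo "$1: $left day(s) until password expires" ;;
    esac
}

# Constructed sample shadow file (hashes are placeholders, not real).
# NOW is 2024-01-01 00:00:00 UTC = 1704067200 s = day 19723.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder:19665:0:60:7:::
ops:$6$placeholder:19600:0:99999:7:::
svc:$6$placeholder:19000:0:0:7:::
legacy:$6$placeholder:19500:0:90:7:::
EOF
NOW=1704067200
for u in root ops svc legacy; do
    report_user "$u" "$SAMPLE_SHADOW" "$NOW" || true
done
rm -f "$SAMPLE_SHADOW"
```

On a real host, point `report_user` at /etc/shadow and pass `$(date +%s)` as the third argument.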
Claudio says
Great script!
But I'm scratching my head... does line 9 override line 8?
William Lam says
Yes! Sorry, that was some testing I was doing but must have forgotten to remove during my copy/paste. It's updated now.
Abbed Sedkaoui says
For folks in a VCF environment, we can get a nice HTML report for expired passwords and much more using a PowerShell module called PowerValidatedSolutions by Gary Blake, which I found in this blog article:
https://blogs.vmware.com/cloud-foundation/2023/01/31/vmware-validated-solutions-jan-2023-update/
The article references version 2.0.0, but I reported issues using it and 2.0.1 came to light; I was using VCF 4.5 at the time.
https://github.com/vmware/power-validated-solutions-for-cloud-foundation/releases/tag/v2.0.1
The command I was using from the help example:
```powershell
Invoke-PasswordPolicyManager -sddcManagerFqdn vcf-m01-sddcm01.my.fqdn -sddcManagerUser *protected email* -sddcManagerPass VMware1! -sddcRootPass VMw@re123!VMw@re123! -reportPath K:\Reporting -darkMode -allDomains
```
It might be worth also trying the latest:
https://www.powershellgallery.com/packages/PowerValidatedSolutions/2.5.0.1010
Alex says
Great script William! With Security.PasswordMaxDays, once enforced, will it actually expire the password for the DCUI account? I know it acts as an agent for the direct console and cannot be modified or used by interactive users.