WilliamLam.com

How to check the number of days before ESXi password expires?

by // 4 Comments

Local user accounts created in ESXi including the root user has a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the following ESXi Advanced Setting called Security.PasswordMaxDays which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organizations password management solution which is responsible keeping track and notifying when local passwords are about to expire. With that said, not everyone has a password management solution and how do you quickly check how many days left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage but the version that ESXi ships is a stripped down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant, that the password expiry would need to be calculated manually and luckily, this is not a new concept. The answer lies in the /etc/shadow file which contains a number of fields that can then be used to figure out the number of days left before an account expires or if has already expired. I will not bore you with the details, but you can create the following shell script which can run in the ESXi Shell to provide you with the answer.

[Read more...]

Using PowerCLI to automate the retrieval of VCSA Password Policies

by // Leave a Comment

I hope that every vSphere administrator or operator by now is familiar with the extremely powerful vSphere Guest Operations API functionality (details here and here), which can easily be consumed using PowerCLI's Invoke-VMScript cmdlet. If not, highly recommend you check out the links referenced. I know the GuestOps API is certainly my top favorite with sending VM keystrokes capability a very close second!

Not only does the GuestOps API unlock functionality that simply may not be possible (e.g. there's no API or automation interface) but it also enables automation within a VM without requiring any type of remote management services enabled (e.g. SSH or WinRM) or even networking to the VM for that matter!

The reason I am bringing all this up is that although there is not an API for managing and retrieving vCenter Single Sign-On (SSO) configurations which includes password policies, there is a way in which customers can still automate and retrieve this and other information by leveraging the GuestOps API. In fact, back in 2015 I demonstrated on how you can retrieve VCSA SSO password policy and configurations and we can simply apply the GuestOps API to help us automate this task. In addition, most customers do not enable SSH by default and we can still apply the GuestOps API technique and perform automation tasks to VSCSA without requiring SSH as described in this blog post back in 2016.

[Read more...]

Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

by // 3 Comments

Customers have two primary methods of managing TLS certificates for their ESXi hosts, they can either use the built-in VMware Certificate Authority (VMCA) which is part of vCenter Server or Custom CA Certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question that I had received recently was whether you can determine the type of certificate an ESXi host was provisioned with and whether this could be programmatically retrieved using the vSphere API? The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields including status, issuer, expiry and subject details and by inspecting either the issuer or subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has VMCA-based certificate:


Here is a screenshot of the data using the vSphere MOB for an ESXi host that has custom CA certificate:


As you can see, for VMCA-based certificate the issuer's OU will have value of "VMware Engineering" and subject's emailAddress will have value of "*protected email*".

[Read more...]