WilliamLam.com

How to check the number of days before ESXi password expires?

by // 3 Comments

Local user accounts created in ESXi including the root user has a default password expiration of 99999 days before administrators need to change the password. Users can control the password expiry by modifying the following ESXi Advanced Setting called Security.PasswordMaxDays which is also referenced in the ESXi Security Documentation along with other advanced configurations.

Password rotation or updates are typically managed by an organizations password management solution which is responsible keeping track and notifying when local passwords are about to expire. With that said, not everyone has a password management solution and how do you quickly check how many days left before an account password expires on an ESXi host? I initially thought this should be pretty simple to figure out, especially with utilities like chage but the version that ESXi ships is a stripped down version via Busybox and it did not provide any expiry details like the typical chage version might.

This meant, that the password expiry would need to be calculated manually and luckily, this is not a new concept. The answer lies in the /etc/shadow file which contains a number of fields that can then be used to figure out the number of days left before an account expires or if has already expired. I will not bore you with the details, but you can create the following shell script which can run in the ESXi Shell to provide you with the answer.

[Read more...]

Monitoring vSphere account password & permission changes 

by // Leave a Comment

If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.

Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts including vSphere Single Sign-On (SSO) users. My response to each of these questions all point back to a leveraging specific vSphere Events and I thought I share some of use cases in which vSphere Events can help

  • When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
  • How much time left (expiry) before the vSphere SSO user password must be changed?
  • Audit of all password changes for an vSphere SSO user (e.g. *protected email*)?
  • Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
  • When was the last time a vSphere SSO user (e.g. *protected email*) password was reseted?
  • Who recently added new permission to a vSphere user?
  • Who recently removed a permission from a vSphere user?
  • Who recently updated vSphere Role with additional permissions?
  • Who recently updated vSphere Role and removed permissions?

[Read more...]

Quick Tip - Pre-filled credentials in the vSphere 6.0 Web Client

by // 17 Comments

This past weekend I was finishing up a couple of demo recordings for my VMworld sessions in case the live demos fail for whatever reason, which has happened to me in the past. A few of the demos involve the vSphere Web Client UI and I thought instead of wasting time and potentially fat fingering credentials up on stage, I would try to do everything I can to remove any potential hiccups. In vSphere 6.0, the vCenter Single Sign-On page is now completely in HTML and this not only means you can customize the UI as I have shown here but you can also do some other neat tricks with it.

I decided to update the HTML page to automatically pre-fill both the SSO username and password, so that when I need to login to the vSphere Web Client, I just have to hit the tab key and then click on the login button.

prefilled-credentials
Disclaimer: Outside of a home lab or demo purposes, there is really no good reason for this. I can already hear Mike Foley sighing right now 😉 This also means that anyone who knows the address of your vSphere Web Client can just login, so you may want to only pre-fill the username and still type out the password in case you are concerned with that.

To pre-fill the value for the SSO username and/or password, you will need to edit the following file:

  • Windows VC: C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\webapps\websso\WEB-INF\views\unpentry.jsp
  • VCSA: /usr/lib/vmware-sso/vmware-sts/webapps/websso/WEB-INF/views/unpentry.jsp

For pre-filling the username, you will need to add a "value" property along with its actual value in the following section:

<input id="username" class="margeTextInput" type="text" value="*protected email*"/>

For pre-filling the password, you will need to add a "value" property along with its actual value in the following section:

<input id="password" class="margeTextInput" type="password" value="VMware1!"/>

Once you have saved your changes, you can then reload the browser and you should see that the vSphere Web Client now has both the username and password automatically pre-filled when the webpage loads.