This is a quick blog post on how to bypass the "BAD PASSWORD: it is based on a dictionary word" error when changing the password of the vCenter VCSA root account. You will need SSH access for this.
New password:
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error
passwd: password unchanged
The bypass was actually easy. You just need to edit /etc/pam.d/system-password, so SSH to the VCSA as root and type vi /etc/pam.d/system-password
# Begin /etc/pam.d/system-password
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
password required pam_unix.so sha512 use_authtok shadow try_first_pass
# End /etc/pam.d/system-password
Remove enforce_for_root from the first line, the one with pam_cracklib.so (line 5). Save the file (there is no need to restart any services) and retry passwd. The dictionary warning is still printed, but the change now goes through:
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: password updated successfully
After that, re-add enforce_for_root on line 5 so the password quality checks are enforced for root again. Enjoy.
Hi VirtuallyThatGuy,
The above solution no longer seems to work with vCenter 8.x and higher. Do you know if there is another way to bypass the password policy?
This was annoying, but I think I figured it out. Posting it here to hopefully help someone else. It seems that in vCenter 8.x, Photon has moved from using pam_cracklib over to pam_pwquality. Luckily, pwquality has a configuration file you can customize to fit your needs under /etc/security/pwquality.conf. Change these parameters:
dictcheck = 0
enforcing = 0
Save and exit.
Now you can change your password to anything you like.
After you change the password, you should go back to the config file and change those back to their default values.
Anyways, hope that helps. This has wasted so much of my time that I can only hope it'll save someone else the trouble.
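
Added example, not part of the original post or its comments: a shell check that reports whether either relaxation described on this page is still in place, that is, a pam_cracklib.so line without enforce_for_root, or dictcheck/enforcing set to 0 in pwquality.conf. The function names and the constructed sample files are assumptions for illustration; on an appliance you would pass /etc/pam.d/system-password and /etc/security/pwquality.conf to the two check functions.

```shell
#!/bin/sh
# Added example (not from the post): detect the relaxed states described above.
# Paths are parameters so the checks also run on copies of the files.

# Exit 0: every active pam_cracklib.so line has enforce_for_root.
# Exit 1: at least one lacks it. Exit 2: no active pam_cracklib.so line.
check_pam_cracklib() {
    awk '
        /^[ \t]*#/ { next }
        {
            mod = 0; efr = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /pam_cracklib\.so$/) mod = 1
                if ($i == "enforce_for_root") efr = 1
            }
            if (mod) { seen = 1; if (!efr) bad = 1 }
        }
        END { if (!seen) exit 2; exit bad + 0 }
    ' "$1"
}

# Prints each active dictcheck/enforcing line set to 0; exit 1 if any found.
check_pwquality() {
    awk -F= '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if ((key == "dictcheck" || key == "enforcing") && val == "0") {
                print key " = " val; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the edited states from the post and the comment.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Begin /etc/pam.d/system-password' \
        'password requisite pam_cracklib.so dcredit=-1 minlen=6 difok=4' \
        'password required pam_unix.so sha512 use_authtok shadow' > "$d/pam"
    printf '%s\n' '# dictcheck = 1' 'dictcheck = 0' 'enforcing = 0' > "$d/pwq"
    st=0; check_pam_cracklib "$d/pam" || st=$?
    echo "pam_cracklib status: $st"
    check_pwquality "$d/pwq" || echo "pwquality relaxed"
    rm -rf "$d"
}
demo
```

A non-zero status from either function after a password change means the temporary edit was never reverted.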