Details
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user’s password until it was guessed correctly.
Solution
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in ‘/etc/pam.d/passwd’:
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.
References
- 800-53|IA-5(1)(e)
- CAT|II
- CCI|CCI-000200
- Rule-ID|SV-207633r378763_rule
- STIG-ID|ESXI-65-000032
- STIG-Legacy|SV-104097
- STIG-Legacy|V-94011
- Vuln-ID|V-207633