The Password Management feature in SDDC Manager lets you centrally manage the user passwords of the components in a VCF environment, for example updating (Update), rotating (Rotate) and remediating (Remediate) component passwords. You can also create password rotation schedules so that a password does not expire because it was forgotten or for some other reason, which would interrupt the component and in turn affect the business.
The SoS utility can check the status of component user passwords in the VCF environment, such as the date of the last change, the expiry date and the number of days remaining until expiry, as shown below.
vcf@vcf-mgmt01-sddc01 [ ~ ]$ sudo /opt/vmware/sddc-support/sos --password-health
[sudo] password for vcf
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for vcf-mgmt01 domain components
Health Check : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728
Health Check log : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728/sos.log
NOTE : The Health check operation was invoked without --skip-known-host-check, additional identity checks will be included for Connectivity Health, Password Health and Certificate Health Checks because of security reasons.
SDDC Manager : vcf-mgmt01-sddc01.mulab.local
+-------------------------+-----------+
| Stage | Status |
+-------------------------+-----------+
| Bringup | Completed |
| Management Domain State | Completed |
+-------------------------+-----------+
+--------------------+---------------+
| Component | Identity |
+--------------------+---------------+
| SDDC-Manager | 192.168.32.70 |
| Number of Servers | 4 |
+--------------------+---------------+
Password Expiry Status : GREEN
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| SL# | Component | User | Last Changed Date | Expiry Date | Expires in Days | State |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| 1 | ESXI : vcf-mgmt01-esxi01.mulab.local | svc-vcf-vcf-mgmt01-esxi01 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 2 | ESXI : vcf-mgmt01-esxi02.mulab.local | svc-vcf-vcf-mgmt01-esxi02 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 3 | ESXI : vcf-mgmt01-esxi03.mulab.local | svc-vcf-vcf-mgmt01-esxi03 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 4 | ESXI : vcf-mgmt01-esxi04.mulab.local | svc-vcf-vcf-mgmt01-esxi04 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 5 | NSX : vcf-mgmt01-nsx01.mulab.local | admin | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | root | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | audit | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| 6 | SDDC : vcf-mgmt01-sddc01.mulab.local | vcf | Dec 07, 2024 | Dec 07, 2025 | 365 days | GREEN |
| | | root | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | backup | Dec 07, 2024 | Dec 07, 2025 | 365 days | GREEN |
| 7 | vCenter : vcf-mgmt01-vcsa01.mulab.local | root | Dec 07, 2024 | Mar 07, 2025 | 89 days | GREEN |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
Legend:
GREEN - No attention required, health status is NORMAL
YELLOW - May require attention, health status is WARNING
RED - Requires immediate attention, health status is CRITICAL
Health Check completed successfully for : [VCF-SUMMARY, PASSWORD-CHECK]
vcf@vcf-mgmt01-sddc01 [ ~ ]$
From the output above, the password status of each component user is clear. You may, however, be wondering whether the default "password policy" of these components can be adjusted, for example password expiration, password complexity and account lockout. The answer is yes. First, let us refer to the product document "Information Security and Access of Identity and Access Management for VMware Cloud Foundation" to understand the default password policies of the components in a VCF environment.
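As an added example (not part of the original post and not VMware's SoS code), the following Python parses the password table printed by `sos --password-health` and lists the accounts whose passwords expire within a given number of days, which is the check you would run before an expiry can take a component down. The embedded sample rows are constructed in the format of the output above, and the function names are my own.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample rows in the format of the `sos --password-health`
# table above (values are illustrative, not captured from a live system).
SAMPLE = """\
| SL# | Component                               | User                      | Last Changed Date | Expiry Date  | Expires in Days | State |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| 1   | ESXI : vcf-mgmt01-esxi01.mulab.local    | svc-vcf-vcf-mgmt01-esxi01 | Dec 02, 2024      | Never        | Never           | GREEN |
|     |                                         | root                      | Dec 02, 2024      | Never        | Never           | GREEN |
| 5   | NSX : vcf-mgmt01-nsx01.mulab.local      | admin                     | Dec 07, 2024      | Mar 07, 2025 | 90 days         | GREEN |
| 7   | vCenter : vcf-mgmt01-vcsa01.mulab.local | root                      | Dec 07, 2024      | Mar 07, 2025 | 89 days         | GREEN |
"""

@dataclass
class PasswordRecord:
    component: str
    user: str
    last_changed: Optional[date]
    expiry: Optional[date]  # None when SoS reports "Never"

def _parse_date(cell: str) -> Optional[date]:
    return None if cell == "Never" else datetime.strptime(cell, "%b %d, %Y").date()

def parse_password_health(text: str) -> List[PasswordRecord]:
    """Parse the SoS password table; a blank Component cell belongs to the row above."""
    records, component = [], ""
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +----+ borders and any non-table lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "SL#":
            continue  # skip the header row and anything that is not a 7-column row
        if cells[1]:
            component = cells[1]
        records.append(PasswordRecord(component, cells[2],
                                      _parse_date(cells[3]), _parse_date(cells[4])))
    return records

def expiring_within(records: List[PasswordRecord], today: date, days: int) -> List[Tuple[str, str, int]]:
    """(component, user, days_left) for passwords expiring within `days`; negative = already expired."""
    hits = [(r.component, r.user, (r.expiry - today).days)
            for r in records if r.expiry is not None and (r.expiry - today).days <= days]
    return sorted(hits, key=lambda h: h[2])

def check(text: str, today_iso: str, days: int) -> List[Tuple[str, str, int]]:
    """Convenience wrapper: parse `text` and report passwords expiring within `days` of `today_iso`."""
    return expiring_within(parse_password_health(text), date.fromisoformat(today_iso), days)
```

Feed it the saved output of `sos --password-health` and a threshold that matches your rotation schedule; accounts reported as "Never" are skipped because SoS has no expiry date for them.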
1. Password Expiration Policy
| Component | Scope | Setting | Default | Description | Notes |
|---|---|---|---|---|---|
| ESXi host | Local users | Security.PasswordMaxDays | 99999 (never) | Number of days after which a password expires. | You can manage the password expiration policy per host through Advanced System Settings in the vSphere Client or the Host Client. You can modify this setting on each ESXi host to tune it and comply with your organization's policies and regulatory standards. |
| vCenter Server | Global | Maximum (days) | < |