By default, a 4.1 ESX server denies logins of standard users, while root access via ssh is enabled without problems. This has changed from 4.0 and has caused many headaches for those systems upgraded to 4.1.
Obviously, this is a security problem and something we do not want.
To protect your ESX server and restore standard user access, you have to replace the system-auth config file. In this event, an older 4.0 version of the file will do the job. Always remember to make a backup just in case something goes wrong (if it does and you don’t notice..you’re screwed, so pay attention)
#vi /etc/pam.d/system-auth
paste this content inside the file:
#%PAM-1.0
# Autogenerated by esxcfg-authaccount   required   /lib/security/$ISA/pam_unix.so
auth         required   /lib/security/$ISA/pam_env.so
auth         sufficient          /lib/security/$ISA/pam_unix.so       likeauth nullok
auth         required   /lib/security/$ISA/pam_deny.sopassword   requisite    pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=0 ocredit=-1 lcredit=-1 minlen=8
password          required   /lib/security/$ISA/pam_cracklib.so           retry=3
password          sufficient          /lib/security/$ISA/pam_unix.so       nullok use_authtok md5 shadow
password          required   /lib/security/$ISA/pam_deny.sosession     required   /lib/security/$ISA/pam_limits.so
session     required   /lib/security/$ISA/pam_unix.so
You can now login to your 4.1 ESX server using standard login. Now go and harden your server!