WilliamLam.com

Quick Tip - What hashing algorithm is supported for ESXi Kickstart password?

05.21.2018 by William Lam // 2 Comments

I was asked the other day whether the encrypted password that can be specified within an ESXi Kickstart file (denoted by the --isencrypted flag) can use a hashing algorithm other than MD5. The answer is absolutely yes. In fact, MD5 has NOT been the default hashing algorithm for a number of releases, probably dating back to classic ESX (you know, the version that had the Service Console).

For all recent releases of ESXi, including 5.5 to 6.7, the default hashing algorithm has been SHA512 for quite some time now. Below are two ways to check which default hashing algorithm is currently in use:

Option 1 - SSH to the ESXi host and take a look at /etc/pam.d/passwd


Option 2 - SSH to the ESXi host, open /etc/shadow and look at the field just before the salt.

As a reference:

  • $1$ - MD5
  • $5$ - SHA256
  • $6$ - SHA512
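
Option 2 can be scripted. The following is an added example, not code from the original post: it parses /etc/shadow-style lines, reads the identifier in front of the salt and reports every account whose hash is not SHA512. The function names, the `required` parameter and the sample lines are constructed for illustration, and the handling of an optional `rounds=N` field and of locked entries (`*`, `!`) follows the general crypt(3)/shadow format rather than anything shown on this page.

```python
# Added example: classify the password field of /etc/shadow-style lines.
# Sample lines are constructed; salts and digests are placeholders.

SCHEMES = {"1": "MD5", "5": "SHA256", "6": "SHA512"}  # prefixes from the list above

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$PLACEHOLDERDIGEST:17672:0:99999:7:::
dcui:*:13358:0:99999:7:::
legacy:$1$OLDSALT$PLACEHOLDERDIGEST:17000:0:99999:7:::
svc:$5$rounds=10000$SALT5$PLACEHOLDERDIGEST:17672:0:99999:7:::
"""


def parse_hash_field(field):
    """Split '$id$[rounds=N$]salt$digest' into scheme, rounds and salt."""
    result = {"scheme": None, "locked": field.startswith(("!", "*")),
              "rounds": None, "salt": None}
    body = field.lstrip("!")
    if body in ("", "*"):           # no password set, or account locked
        return result
    parts = body.split("$")         # ['', id, (rounds=N,) salt, digest]
    if parts[0] != "" or len(parts) < 4:
        result["scheme"] = "unrecognized"
        return result
    rest = parts[2:]
    if len(rest) >= 3 and rest[0].startswith("rounds="):
        value = rest[0][len("rounds="):]
        result["rounds"] = int(value) if value.isdigit() else None
        rest = rest[1:]
    result["scheme"] = SCHEMES.get(parts[1], "unrecognized")
    result["salt"] = rest[0]
    return result


def audit_shadow(text, required="SHA512"):
    """Return (user, scheme) for every stored hash that is not `required`."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = parse_hash_field(fields[1])["scheme"]
        if scheme not in (None, required):
            findings.append((fields[0], scheme))
    return findings


if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} hash, expected SHA512")
```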

Comments

  1. krishnaprasad says

    01/21/2019 at 4:31 am

    Hello, on a 6.7 U1 host, openssl shows the below error while trying to generate a crypted password. Any tips to overcome this?

    :~] openssl passwd -1
    Password:
    Verifying - Password:
    fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
    Aborted

  2. elnemesisdivina says

    02/18/2019 at 6:35 pm

    In the example you have the password hashed with SHA-512 but also salted; how do you handle creating the password the first time? I mean, do you use the same word to produce the same hash always, or what is the default word for salt password plus hash to generate the same result? In my mind it is more secure to generate salt plus hash, but at the end it will not be the same result, and consequently this will be stored and then when compared it will be wrong, correct?

    thxs
