
Quick Tip - Automating ESXi local user passwords using SHA512 encrypted hashes

01.17.2023 by William Lam

Those who automate their ESXi installations using Kickstart (aka ESXi scripted installation) should be quite familiar with the ability to configure the root password as part of the installation. As described in the official ESXi documentation, the --rootpw option can either contain a plain text password (not recommended) or, with the additional --iscrypted option, a SHA512 hash of the password, which is definitely recommended and more secure.

However, when managing additional local users via ESXCLI (esxcli system account), which I recently blogged about here, I noticed that you can only provide a plain text password, either on the command line (not recommended) or interactively, which prevents this process from being automated. As mentioned in that blog post, you could store the password and the commands in another script file, which at least keeps the password out of the ESXi Shell log file (/var/log/shell.log), but this is far from ideal.

While sharing this feedback with Engineering as part of a feature enhancement request, I came to learn about a nice little utility, available in both ESXi 7.x and 8.x, that can update a local user's password simply by providing the encrypted SHA512 hash.

The utility is called chpw. It takes the local ESXi user whose password you wish to update as its argument and reads the SHA512 hash from stdin, so a simple echo command suffices.

Here is an example. Assuming your SHA512 hash is stored in the $HASH variable and the local username is admin321, you can update the user's password hash by running the following command:

echo $HASH | /usr/lib/vmware/auth/bin/chpw admin321


As you can see, this can easily be integrated into your existing ESXi kickstart. Specifying the encrypted hash rather than a plaintext password is more secure and a pretty common method for adding additional local users.

Note: There are a number of different ways of generating the SHA512 encrypted hash (a quick search online will yield multiple options), but the easiest method is to manually configure a password for an account and then copy the hash out of the /etc/shadow file.
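The note above leaves hash generation to the reader. The following is an added example, not code from the post or from VMware: a pure-hashlib reimplementation of the sha512-crypt scheme (the "$6$" format that /etc/shadow and chpw consume), so the hash can be produced on a workstation without depending on the platform's crypt(3), plus a format check, a verifier, a helper that pulls the hash field out of /etc/shadow-style text, and a builder for the chpw line used earlier. The shadow content, the username admin321 and the default of 5000 rounds are constructed or assumed; the one fixed expected value is the published sha512-crypt test vector for "Hello world!" with salt "saltstring".

```python
"""SHA512-crypt ($6$) hashes for ESXi chpw: generate, validate, verify, extract.

Added example (not from the original post). Implements Drepper's sha512-crypt
algorithm with hashlib only; the test vector for "Hello world!"/"saltstring"
is the published one for this scheme.
"""
import hashlib
import hmac
import re
import secrets
import shlex

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which sha512-crypt encodes the final 64-byte digest.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]
# Shape of a well-formed $6$ hash: optional rounds, 1-16 char salt, 86 char digest.
HASH_RE = re.compile(r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

# Constructed /etc/shadow excerpt (root's entry is the published test vector).
SAMPLE_SHADOW = (
    "root:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19374:0:99999:7:::\n"
    "admin321:!:19374:0:99999:7:::\n"
)


def _b64_from_24bit(b2, b1, b0, n):
    """crypt-style base64: n characters of 6 bits each, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt=None, rounds=5000):
    """Return the $6$ hash of password; a random 16-char salt is used if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(_B64) for _ in range(16))
    salt = salt[:16]                      # the scheme ignores salt beyond 16 chars
    pw, sb = password.encode(), salt.encode()
    rounds = max(1000, min(rounds, 999_999_999))
    b = hashlib.sha512(pw + sb + pw).digest()          # digest B
    a = hashlib.sha512(pw + sb)                        # digest A
    n = len(pw)
    while n > 64:                                      # one byte of B per password byte
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n > 0:                                       # bits of len(pw) pick B or the password
        a.update(b if n & 1 else pw)
        n >>= 1
    da = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]           # P sequence
    ds = hashlib.sha512(sb * (16 + da[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[:len(sb)]           # S sequence
    c = da
    for i in range(rounds):                            # the stretching loop
        ctx = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return prefix + salt + "$" + enc


def verify(password, hashed):
    """Recompute with the stored salt/rounds and compare the digest in constant time."""
    m = re.match(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$", hashed)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else 5000
    computed = sha512_crypt(password, m.group(2), rounds)
    return hmac.compare_digest(computed.rsplit("$", 1)[1], hashed.rsplit("$", 1)[1])


def hash_from_shadow(shadow_text, user):
    """Return the password field for user from /etc/shadow-style text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def chpw_command(user, hashed):
    """Build the kickstart/shell line from the post; the hash is single-quoted so
    the shell never expands the '$6$' and '$salt$' parts."""
    if not HASH_RE.match(hashed):
        raise ValueError("not a well-formed SHA512-crypt hash")
    return f"echo '{hashed}' | /usr/lib/vmware/auth/bin/chpw {shlex.quote(user)}"


if __name__ == "__main__":
    h = sha512_crypt("Hello world!", "saltstring")
    print(h)
    print(chpw_command("admin321", sha512_crypt("constructed-example-password")))
```

The quoting in chpw_command is the practical caveat: a $6$ hash is full of dollar signs, so assign it with single quotes (HASH='$6$...') or read it from a file; a double-quoted assignment silently expands "$6" and "$salt" to empty strings and chpw stores a hash nobody can log in with. hash_from_shadow is the "copy it out of /etc/shadow" method from the note, applied to the second field of the matching line; whether chpw honours a non-default rounds= prefix is not stated on this page, so the default 5000 rounds is the safe choice for ESXi.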

Categories // Automation, ESXi
