SHA512

Quick Tip - Automating ESXi local user passwords using SHA512 encrypted hashes

01.17.2023 by William Lam // Leave a Comment

For those that automate their ESXi installations using Kickstart aka ESXi scripted installation should be quite familiar with the ability to configure the root password as part of the installation. As described in the official ESXi documentation, the --rootpw option can either contain a plain text password (not recommended) or with the use of the additional --iscrypted option, a SHA512 hash of the password can also be used, which is definitely recommended and more secure.

However, when managing additional local users via ESXCLI system account, which I recently blogged about here, I noticed that you can only provide a plain text password either on the command-line (not recommended) or interactively, which prevents this process from being automated. As mentioned in the blog post, you could store the password and the commands into another script file and this will at least hide the password from being stored in the ESXi Shell log file (/var/log/shell.log) but this is far from ideal.

While sharing this feedback with Engineering as part of a feature enhancement request, I came to learn about a nice little utility that can be used with both ESXi 7.x and 8.x that can update local user by simply providing the encrypted SHA512 hash.

[Read more...]

Quick Tip - What hashing algorithm is supported for ESXi Kickstart password?

05.21.2018 by William Lam // 2 Comments

I had a question the other day asking whether the encrypted password which can be specified within an ESXi Kickstart file (denoted by the --isencrypted flag) can use a different hashing algorithm other than MD5? The answer is absolutely yes. In fact, MD5 as a default hashing algorithm has NOT been used for a number of releases, probably dating back to classic ESX (you know, the version that had the Service Console).

For all recent releases of ESXi including 5.5 to 6.7, the default hashing algorithm has been SHA512 for quite some time now. Below are two ways in which you can check which default hashing algorithm is currently being used:

Option 1 - SSH to ESXi host and take a look at /etc/pam.d/passwd

Option 2 - SSH to ESXi host and take a look at /etc/shadow and look at the field prior to the salt.

As a reference:

$1$ - MD5
$5$ - SHA256
$6$ - SHA512

Quick Tip - Connect-OMServer throws The request was aborted: Could not create SSL/TLS secure channel.

02.23.2017 by William Lam // 3 Comments

While doing some work with PowerCLI and vRealize Operations Manager (vROps), I ran into the following error message when trying to connect to my vROps instance using PowerCLI:

Connect-OMServer : 2/17/2017 5:27:50 AM Connect-OMServer The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ Connect-OMServer -Server vrops.primp-industries.com -User admin -Password VMware ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (VMware.VimAutom...tionServiceImpl:OMConnectionServiceImpl) [Connect-OMServer], OMException
+ FullyQualifiedErrorId : OM_ConnectivityServiceImpl_ConnectOMServer_ByUserNameAndPassword_ConnectError,VMware.VimAutomation.vROps.Commands.Cmdlets.ConnectOMServer

Although there were some hits on Google, none of the suggestions has worked. I had also found that this issue was only happening in one of my lab environments which was running Windows 2008 R2, for my other system which had Windows 8.1, the issue was not observed.

I had reached out to the PowerCLI Engineering team and it looks like the issue is due to a change in the hashing algorithm (SHA512) that vROps uses for its SSL Certificates. When using TLS 1.2, SHA512 is not supported by default. The fix is to simply install the following patch here which will resolve the problem.