Dear All,
I am keen to know if it is possible to force the SHA1-2 scheme to store passwords in an ESXi host. I am aware that with current ESXi 4.1 there exists a workaround to enforce the MD5 scheme, but I could not find any details about using SHA1-2.
Please let me know if there exists any such method to enable the SHA scheme in ESXi 4.1.
Thanks in advance!
Regards,
Ata
On an ESX 4.1 host you can use the hash functions sha256 or sha512 instead of sha1. They are more modern versions of the SHA hash algorithm, with a hash length of 256 or 512 bits instead of the 160 bits of sha1.
Can you provide some details in terms of the settings to force using SHA 512 or SHA 256? As I said, I know the workaround for MD5; is it the same place, but with a change of the algorithm "string"?
Yes, the method is very similar:
1. Enable SSH access to the ESXi host.
2. Make a backup of /etc/shadow and /etc/pam.d/system-auth.
3. Make system-auth editable:
   cd /etc/pam.d
   chmod 644 system-auth
4. Edit /etc/pam.d/system-auth:
   vi system-auth
   Change the line
   password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow
   to
   password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512
5. Restore the rights:
   chmod 444 system-auth
6. Change the hash for root:
   passwd root
7. Check the hash algorithm:
   cat /etc/shadow
   You should see the hash beginning with $6$ (for example root:$6$zE....)
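Step 7 checks only root by eye. As an added example (not code from this thread), the script below audits a whole shadow-format file and reports every account whose hash is not in the expected scheme, using the standard crypt(3) prefixes: $1$ for MD5, $5$ for SHA-256, $6$ for SHA-512. The sample file is constructed for the demonstration; hash bodies are placeholders. To audit a host, copy its /etc/shadow off and pass that path instead of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: classify the hash scheme of each entry
# in a shadow-format file so the pam_unix change can be verified for every
# account, not only root.

# Print the hash scheme name for one shadow line (field 2 is the hash).
shadow_scheme() {
    line="$1"
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$1$'*) echo md5 ;;
        '!'*|'*'|'') echo locked ;;   # locked or passwordless account
        *) echo other ;;               # legacy DES or an unknown prefix
    esac
}

# Print the number of accounts in $1 whose scheme is not $2.
# Locked/empty entries are skipped; offenders are listed on stderr.
count_nonconforming() {
    file="$1"; want="$2"; n=0
    while IFS= read -r l; do
        s=$(shadow_scheme "$l")
        if [ "$s" != "$want" ] && [ "$s" != "locked" ]; then
            n=$((n + 1))
            printf 'not %s: %s (%s)\n' "$want" "${l%%:*}" "$s" >&2
        fi
    done < "$file"
    echo "$n"
}

# Constructed sample shadow file (placeholder hashes, not real ones).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$zEplaceholder$hashbodyplaceholder:15000:0:99999:7:::
vpxuser:$1$oldmd5pl$hashbodyplaceholder:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
svc:$5$sha256pl$hashbodyplaceholder:15000:0:99999:7:::
EOF

# Stand-alone run: expect sha512 everywhere, report how many accounts differ.
printf 'accounts not using sha512: %s\n' "$(count_nonconforming "$SAMPLE" sha512)"
```

In the sample, root conforms, daemon is locked and skipped, and vpxuser (md5) and svc (sha256) are reported, so the count is 2. After running passwd for each affected account the count should drop to 0.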
Thanks for such a good explanation.
It might be a little more to ask, but I am giving it a try.
Is there a way I can configure my ESXi to use either the SHA 512 or the MD5 hashing scheme at a time? As all methods require editing the file, one way would be to follow the sequence every time, but what I am trying to get is that I edit the file with both schemes and switch between them based on some configuration parameter.
Just to make it clear, I am trying to use the vSphere API to log in to ESXi servers and authenticate user credentials.
Thanks!
Ata
If I understand you correctly, you are trying to configure the ESXi authentication scheme so that it will be possible to switch hash algorithms by means of "some configuration parameter". It is impossible.
The ESXi authentication scheme is able to work with only one hash algorithm. After you have changed it, you have to renew the password hash for users (command passwd). So you can create a set of configuration files for both configurations and change the hash algorithm by copying the set of files to the host and setting the necessary rights.
As this operation can lead to unavailability of the host, I recommend you think over whether you really need this. It would be just enough if you change the algorithm once (md5 or sha512).