VMware Cloud Community
dude1382
Contributor

SHA password hash setting for ESXi host?

Dear All,

I am keen to know if it is possible to force the SHA1-2 scheme to store passwords in an ESXi host. I am aware that with the current ESXi 4.1 there exists a workaround to enforce the MD5 scheme, but I could not find any details about using SHA1-2.

http://deinoscloud.wordpress.com/2010/07/18/esxi-4-1-major-security-issue-the-sequel-and-the-workaro...

Please let me know if there exists any such method to enable the SHA scheme in ESXi 4.1.

Thanks in advance!

Regards,

Ata

5 Replies
VTsukanov
Virtuoso

On an ESX 4.1 host you can use the hash functions sha256 or sha512 instead of sha1. They are a more modern version of the SHA hash algorithm, with a hash length of 256 or 512 bits instead of 160 bits for sha1.

dude1382
Contributor

Can you provide some details in terms of the settings to force using SHA 512 or SHA 256? As said, I know the workaround for MD5; is it the same place but with a change of the algorithm "string"?

VTsukanov
Virtuoso

Yes, the method is very similar:

1. Enable SSH access to ESXi host

2. Make a backup of /etc/shadow and /etc/pam.d/system-auth

3. Make system-auth editable

cd /etc/pam.d
chmod 644 system-auth

4. Edit /etc/pam.d/system-auth

vi system-auth

change line

password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow

to

password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512

5. Restore rights

chmod 444 system-auth

6. Change hash for root

passwd root

7. Check hash algorithm

cat /etc/shadow

You should see the hash beginning with $6$ (for example root:$6$zE....)
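The check in step 7 above (and the later point in this thread that the host can only run one hash scheme at a time, so every account must be rehashed after a switch) can be scripted. The following is an added example and not code from the thread or from VMware: it maps the crypt(3) prefix of each shadow entry to a scheme name, reports accounts whose hash does not use the expected scheme, and checks whether a pam_unix.so "password" line names a given scheme. The shadow lines and hash values below are constructed samples, so the script runs offline without reading a real /etc/shadow; on a host you would feed it `cat /etc/shadow` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit which crypt(3) scheme the
# password hashes in a shadow file use, and verify the pam_unix.so line.

# Print the scheme name for one shadow(5) line, based on the hash prefix:
#   $1$ -> md5, $5$ -> sha256, $6$ -> sha512, empty/!/* -> locked
shadow_hash_scheme() {
    rest=${1#*:}          # drop the user name
    hash=${rest%%:*}      # second field is the hash
    case "$hash" in
        '$1$'*)        echo md5 ;;
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        ''|'!'*|'*'*)  echo locked ;;
        *)             echo unknown ;;
    esac
}

# Read shadow lines from stdin and print "user:scheme" for every account
# whose hash is neither locked nor using the expected scheme ($1).
# Exit status 0 when all accounts comply, 1 otherwise.
audit_shadow() {
    expected=$1
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        scheme=$(shadow_hash_scheme "$line")
        case "$scheme" in
            "$expected"|locked) ;;
            *) echo "$user:$scheme"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Return 0 if the pam_unix.so password line ($2) requests scheme $1
# (md5, sha256 or sha512) as a whole word after the module path.
pam_password_scheme_is() {
    case " $2 " in
        *"pam_unix.so"*" $1 "*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Constructed sample shadow file: root already rehashed with sha512,
# a leftover md5 account, a locked system account, and a sha256 account.
SAMPLE_SHADOW='root:$6$zEx4mpl3$CONSTRUCTEDSHA512HASHVALUE000000000000000000000000000000000000000000000000000000:15000:0:99999:7:::
vpxuser:$1$abcdefgh$CONSTRUCTEDMD5HASH0000:15000:0:99999:7:::
dcui:*:15000:0:99999:7:::
backup:$5$saltsalt$CONSTRUCTEDSHA256HASHVALUE00000000000000000:15000:0:99999:7:::'

# Constructed copy of the edited system-auth line from step 4 above.
SAMPLE_PAM_LINE='password   sufficient   /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512'

# Stand-alone run: list accounts still needing "passwd <user>" after the
# switch to sha512, and confirm the PAM line asks for sha512.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow sha512 \
    || echo "some accounts are not using sha512 yet"
pam_password_scheme_is sha512 "$SAMPLE_PAM_LINE" \
    && echo "system-auth requests sha512" \
    || echo "system-auth does not request sha512"
```

Accounts the audit lists are the ones whose hash was written under the old scheme; they keep authenticating only as long as pam_unix can still verify that format, and must be rehashed with passwd before the old configuration is removed.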

dude1382
Contributor

Thanks for such a good explanation.

It might be a little more to ask, but I am giving it a try.

Is there a way I can configure my ESXi to use either the SHA 512 or the MD5 hashing scheme at a time? As all methods require editing the file, one way would be to follow the sequence every time, but what I am trying to get is that I edit the file with both schemes and switch between them based on some configuration parameter.

Just to make it clear, I am trying to use the vSphere API to log in to ESXi servers and authenticate user credentials.

Thanks!

Ata

VTsukanov
Virtuoso

If I understand you correctly, you are trying to configure the ESXi authentication scheme so that it will be possible to switch hash algorithms by means of "some configuration parameter". It is impossible.

The ESXi authentication scheme is able to work with only one hash algorithm. After you have changed it, you have to renew the password hash for users (command passwd). So you can create a set of configuration files for both configurations and change the hash algorithm by copying the set of files to the host and setting the necessary rights.

As this operation can lead to unavailability of the host, I recommend you think over whether you really need this. It would be enough to change the algorithm once (md5 or sha512).