Hash root's Password in RHEL and CentOS Kickstart Profiles

Monday, February 3, 2014

root’s password can easily be set in RHEL and CentOS Kickstart Profiles with the following command:

rootpw "password here"

However, anyone using the Kickstart Profile will see the root password in plain text.

It is possible to hash root’s password in the Kickstart Profile with the following command:

rootpw --iscrypted password_hash

But how do you generate the password hash? Depending on your authconfig configuration, there are several different ways to do this.

md5

If your authconfig configuration is authconfig --enableshadow --enablemd5 you can use openssl passwd, grub-crypt, or python to hash your password.

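Using openssl passwd (the password is given as an argument here, so it ends up in your shell history and is visible in the process list while the command runs; leave it off and openssl passwd will prompt for it instead):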

openssl passwd -1 "password here"

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --md5

Using python, replace 8_CHARACTER_SALT_HERE with 8 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$1$8_CHARACTER_SALT_HERE"))' | python -

sha256

If your authconfig configuration is authconfig --enableshadow --passalgo=sha256 you can use grub-crypt or python to hash your password. You cannot use openssl passwd because it does not currently support sha256.

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-256

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$5$16_CHARACTER_SALT_HERE"))' | python -

sha512

If your authconfig configuration is authconfig --enableshadow --passalgo=sha512 you can use grub-crypt or python to hash your password. Once again, you cannot use openssl passwd because it does not currently support sha512.

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-512

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$6$16_CHARACTER_SALT_HERE"))' | python -
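
A check for the mistakes this procedure invites (a plain-text rootpw, a salt placeholder left unreplaced, a hash pasted without --iscrypted), added here as an example and not part of the original post. The function names and the sample profile are assumptions made for illustration.

```python
import re
import shlex

# crypt(3) formats used on this page: prefix -> (scheme, max salt length, digest length)
SCHEMES = {"1": ("md5", 8, 22), "5": ("sha256", 16, 43), "6": ("sha512", 16, 86)}
B64 = "[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and digests


def classify_hash(value):
    """Return the scheme name if value is a well-formed crypt(3) hash, else None."""
    m = re.fullmatch(r"\$(1|5|6)\$(rounds=\d+\$)?([^$]*)\$([^$]*)", value)
    if not m or (m.group(1) == "1" and m.group(2)):  # md5 has no rounds= field
        return None
    name, salt_max, digest_len = SCHEMES[m.group(1)]
    salt_ok = re.fullmatch(B64 + "{1,%d}" % salt_max, m.group(3))
    digest_ok = re.fullmatch(B64 + "{%d}" % digest_len, m.group(4))
    return name if salt_ok and digest_ok else None


def audit_rootpw(kickstart_text):
    """Return (line_number, verdict) for every rootpw directive in a profile."""
    findings = []
    for n, line in enumerate(kickstart_text.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes, e.g. inside a %post script
            continue
        if not tokens or tokens[0] != "rootpw":
            continue
        options = [t for t in tokens[1:] if t.startswith("--")]
        values = [t for t in tokens[1:] if not t.startswith("--")]
        scheme = classify_hash(values[0] if values else "")
        if "--iscrypted" in options:
            verdict = scheme or "malformed-hash"
        elif scheme:
            verdict = "hash-without-iscrypted"  # would be taken as a literal password
        else:
            verdict = "plaintext"
        findings.append((n, verdict))
    return findings


# Constructed sample profile; the digests are filler of the right length, not real hashes.
SAMPLE = "\n".join([
    'rootpw "password here"',
    "rootpw --iscrypted $6$Zk3h9sQw1LmN0pRt$" + "a" * 86,
    "rootpw --iscrypted $6$16_CHARACTER_SALT_HERE$" + "a" * 86,
    "rootpw $1$Ab3dEf9h$" + "b" * 22,
])

if __name__ == "__main__":
    for line_no, verdict in audit_rootpw(SAMPLE):
        print(line_no, verdict)
```

The unreplaced placeholder is caught because an underscore is not in the crypt(3) salt alphabet.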
