ThorneLabs

Hash root's Password in RHEL and CentOS Kickstart Profiles

• Updated September 5, 2020


The root user’s password can be set in RHEL and CentOS Kickstart Profiles with the following command:

rootpw "password here"

However, anyone using the Kickstart Profile will see the root password in plain text.

To prevent this, hash the root user’s password in the Kickstart Profile with the following command:

rootpw --iscrypted password_hash

But how do you generate the password hash? Depending on your authconfig configuration, there are several ways to do this.

md5

If your authconfig configuration is authconfig --enableshadow --enablemd5, you can use openssl passwd, grub-crypt, or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -1

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --md5

Using python, replace 8_CHARACTER_SALT_HERE with 8 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$1$8_CHARACTER_SALT_HERE"))' | python -   # crypt module was removed in Python 3.13

sha256

If your authconfig configuration is authconfig --enableshadow --passalgo=sha256, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -5

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-256

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$5$16_CHARACTER_SALT_HERE"))' | python -   # crypt module was removed in Python 3.13

sha512

If your authconfig configuration is authconfig --enableshadow --passalgo=sha512, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -6

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-512

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$6$16_CHARACTER_SALT_HERE"))' | python -   # crypt module was removed in Python 3.13
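
As an added example (not part of the original post), the following Python check scans a Kickstart Profile for rootpw lines that are still plain text, or whose --iscrypted value is not a well-formed $1$, $5$ or $6$ hash, for instance one truncated while pasting. The function names, verdict strings and sample profile are constructed for illustration; the salt and digest lengths are those of the standard crypt formats.

```python
import re
import shlex

# crypt(3) id -> (scheme, maximum salt length, encoded digest length)
SCHEMES = {"1": ("md5", 8, 22), "5": ("sha256", 16, 43), "6": ("sha512", 16, 86)}
HASH_RE = re.compile(r"^\$([156])\$(?:rounds=\d+\$)?([./0-9A-Za-z]*)\$([./0-9A-Za-z]+)$")


def classify_hash(value):
    """Name the scheme of a crypt-style hash, or report it as malformed."""
    match = HASH_RE.match(value)
    if match is None:
        return "malformed-hash"
    scheme, max_salt, digest_len = SCHEMES[match.group(1)]
    if len(match.group(2)) > max_salt or len(match.group(3)) != digest_len:
        return "malformed-hash"  # e.g. truncated while pasting into the profile
    return scheme


def audit_rootpw(profile_text):
    """Return (line_number, verdict) for every rootpw command in a profile."""
    findings = []
    for number, line in enumerate(profile_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; leave the line for manual review
        if not tokens or tokens[0] != "rootpw":
            continue
        # First argument that is not an option is the password or the hash.
        value = next((t for t in tokens[1:] if not t.startswith("--")), None)
        if "--iscrypted" in tokens:
            findings.append((number, classify_hash(value or "")))
        elif value is not None:
            findings.append((number, "plaintext"))
    return findings


# Constructed sample profile; salts and digests are filler, not real hashes.
SAMPLE = "\n".join([
    "# root password variants",
    'rootpw "password here"',
    "rootpw --iscrypted $1$abcdefgh$" + "x" * 22,
    "rootpw --iscrypted $6$abcdefghijklmnop$" + "x" * 86,
    "rootpw --iscrypted $6$abcdefghijklmnop$" + "x" * 40,
])

if __name__ == "__main__":
    for number, verdict in audit_rootpw(SAMPLE):
        print(f"line {number}: {verdict}")
```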
