Hash root's Password in RHEL and CentOS Kickstart Profiles

• Updated September 5, 2020


The root user’s password can be set in RHEL and CentOS Kickstart Profiles with the following command:

rootpw "password here"

However, anyone using the Kickstart Profile will see the root password in plain text.

To prevent this, hash the root user’s password in the Kickstart Profile with the following command:

rootpw --iscrypted password_hash

But, how do you generate the password hash? Depending on your authconfig configuration, there are several different ways to do this.

md5

If your authconfig configuration is authconfig --enableshadow --enablemd5, you can use openssl passwd, grub-crypt, or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -1

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --md5

Using python, replace 8_CHARACTER_SALT_HERE with 8 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print crypt.crypt(getpass.getpass(), "$1$8_CHARACTER_SALT_HERE")' | python -

sha256

If your authconfig configuration is authconfig --enableshadow --passalgo=sha256, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -5

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-256

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print crypt.crypt(getpass.getpass(), "$5$16_CHARACTER_SALT_HERE")' | python -

sha512

If your authconfig configuration is authconfig --enableshadow --passalgo=sha512, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -6

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-512

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print crypt.crypt(getpass.getpass(), "$6$16_CHARACTER_SALT_HERE")' | python -

References

If you found this post useful and would like to help support this site - and get something for yourself - sign up for any of the services listed below through the provided links.

The following links are part of affiliate programs, and I will receive a referral payment from any of the services you sign-up for.

  • Get Faster Shipping: About to order some stuff on Amazon but want to get more value out of the money you would normally pay for shipping? Sign-up for a free, 30-day trial of Amazon Prime to get free two-day shipping, access to thousands of movies and TV shows, and more.
  • Start Investing Now: Looking to start investing some of your saved income? Get started by opening an account with Webull, where upon sign-up and opening a brokerage account with an initial deposit of $100 or more you will receive free stock(s). The promotions are always changing, so be sure to click the link to see the latest.

Thanks for reading and take care.