ThorneLabs

Hash root's Password in RHEL and CentOS Kickstart Profiles

• Updated September 5, 2020


The root user’s password can be set in RHEL and CentOS Kickstart Profiles with the following command:

rootpw "password here"

However, anyone using the Kickstart Profile will see the root password in plain text.

To prevent this, hash the root user’s password in the Kickstart Profile with the following command:

rootpw --iscrypted password_hash

But how do you generate the password hash? Depending on your authconfig configuration, there are several ways to do this.

md5

If your authconfig configuration is authconfig --enableshadow --enablemd5, you can use openssl passwd, grub-crypt, or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -1

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --md5

Using python, replace 8_CHARACTER_SALT_HERE with 8 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$1$8_CHARACTER_SALT_HERE"))' | python -

sha256

If your authconfig configuration is authconfig --enableshadow --passalgo=sha256, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -5

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-256

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$5$16_CHARACTER_SALT_HERE"))' | python -

sha512

If your authconfig configuration is authconfig --enableshadow --passalgo=sha512, you can use openssl passwd, grub-crypt or python to hash your password.

Using openssl passwd (you will be prompted to enter a password after running the command):

openssl passwd -6

Using grub-crypt (you will be prompted to enter a password after running the command):

grub-crypt --sha-512

Using python, replace 16_CHARACTER_SALT_HERE with 16 characters of random data (you will be prompted to enter a password after running the command):

echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$6$16_CHARACTER_SALT_HERE"))' | python -
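To find existing Kickstart Profiles that still carry the plain text form of rootpw, or a value marked --iscrypted that is not actually a hash, the following is an added example and not part of the original post. The function names and the sample profile are hypothetical, and the hash strings in the sample are constructed placeholders, not real hashes.

```python
import shlex

# Scheme ids as they appear in the hash prefixes on this page: $1$, $5$, $6$.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}

def classify_rootpw(line):
    """Return None if the line is not a rootpw directive, else a verdict."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:  # unbalanced quote inside a plain text password
        tokens = stripped.split()
    if not tokens or tokens[0] != "rootpw":
        return None
    flags = [t for t in tokens[1:] if t.startswith("--")]
    values = [t for t in tokens[1:] if not t.startswith("--")]
    if not values:
        return "no-password"
    if "--iscrypted" not in flags:
        return "plaintext"
    # crypt format is $id$salt$hash (sha256/sha512 may add a rounds= field)
    parts = values[0].split("$")
    if len(parts) >= 4 and parts[0] == "" and parts[2] and parts[-1]:
        return SCHEMES.get(parts[1], "unknown-scheme")
    return "iscrypted-but-not-a-hash"

def audit_kickstart(text):
    """Return (line_number, verdict) for every rootpw directive in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        verdict = classify_rootpw(line)
        if verdict is not None:
            findings.append((number, verdict))
    return findings

# Constructed sample profile lines; hash values are placeholders.
SAMPLE = '''\
# constructed kickstart fragments
rootpw "password here"
rootpw --iscrypted $1$abcdefgh$constructedmd5placeholder
rootpw --iscrypted $6$0123456789abcdef$constructedsha512placeholder
rootpw --iscrypted password_hash
'''

if __name__ == "__main__":
    for number, verdict in audit_kickstart(SAMPLE):
        print(number, verdict)
```
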
