Preparing an encrypted root password hash for an ESXi install script

This weekend I have been messing about with automating the installation and configuration of ESXi for an upcoming project. I got stuck on a particular aspect of this so through it was worth posting about.

One of the commands available in the custom configuration file used for ESXi installation is to set the root password. There are two options available, leave the password in plain text or provide an encrypted hash. As the configuration file is an unencrypted plain text file likely to end up on a web server during the deployment phase I wanted to use the encrypted option by passing the –iscrypted parameter to the rootpw command and entering the hash.

After some quick googling I found a couple of web sites that provided a method for generating the required hash using openssl on a linux box .

openssl passwd -1

Unfortunately it didn’t seem to be working and I was unable to login to my ESXi server after the installation process had completed. After some more google-fu I discovered that since ESXi5.5, the password hashing algorithm has changed from MD5 to SHA-512. The instructions I had been following were to generate an MD5 hash. Well there’s your problem!

To generate the hash using the correct algorithm I needed to use the mkpasswd utility that is included in the whois package.

sudo apt install whois
mkpasswd --method=sha-512

I entered the hash into my configuration file, ran the install again and I was able to log in successfully!

2 Comments on "Preparing an encrypted root password hash for an ESXi install script"

  1. Question?:

    the password should be something like this:
    rootpw –iscrypted 9c544798bab29af2187c0f922674d201d51d42df32cd8a6887432557a1b7ecbeca6ccd268bab8c7a63ea923acb0b6975257a51a1645f594e75ff376de7ba762e

    or do we have to enter as :
    rootpw –iscrypted $6$9c544798bab29af2187c0f922674d201d51d42df32cd8a6887432557a1b7ecbeca6ccd268bab8c7a63ea923acb0b6975257a51a1645f594e75ff376de7ba762e


    1. Hey Raymundo

      The output from the mkpasswd command should resemble something like
      and should be entered exactly like that.
      The value between the first two $ denotes the encryption type (e.g. $1$ for md5, $5$ for sha256, $6$ for sha512), the value between the second and third $ is the salt value used in the hashing algorithm and the remainder is the actual password hash.




Leave a Reply

Your email address will not be published. Required fields are marked *