This weekend I have been messing about with automating the installation and configuration of ESXi for an upcoming project. I got stuck on a particular aspect of this, so I thought it was worth posting about.
One of the commands available in the custom configuration file used for ESXi installation sets the root password. There are two options available: leave the password in plain text or provide an encrypted hash. As the configuration file is an unencrypted plain-text file likely to end up on a web server during the deployment phase, I wanted to use the encrypted option by passing the --iscrypted parameter to the rootpw command and entering the hash.
After some quick googling I found a couple of websites that provided a method for generating the required hash using openssl on a Linux box.
openssl passwd -1
Unfortunately it didn’t seem to be working and I was unable to log in to my ESXi server after the installation process had completed. After some more google-fu I discovered that since ESXi 5.5, the password hashing algorithm has changed from MD5 to SHA-512. The instructions I had been following were to generate an MD5 hash. Well, there’s your problem!
To generate the hash using the correct algorithm I needed to use the mkpasswd utility that is included in the whois package.
sudo apt install whois
I entered the hash into my configuration file, ran the install again and I was able to log in successfully!
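A pre-flight check for the mismatch described above, as an added example that is not part of the original post: it reads a kickstart file and reports whether the rootpw line carries --iscrypted with a SHA-512 hash, which catches an MD5 hash from openssl passwd -1 before the install runs. The function names and the script name are hypothetical, and mkpasswd -m sha-512 is the method option of the whois package's mkpasswd.

```shell
#!/bin/sh
# Added example: pre-flight check for the rootpw line of an ESXi kickstart file.
# Function names are hypothetical; they are not part of ESXi or mkpasswd.

# Prompt for a password and print a SHA-512 crypt hash (mkpasswd from whois).
gen_sha512_hash() {
    mkpasswd -m sha-512
}

# Map a crypt-style hash to its scheme using the $id$ prefix.
crypt_scheme() {
    case "$1" in
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        *)      echo unknown ;;
    esac
}

# Read kickstart text on stdin and print a verdict for its last rootpw line.
# Returns 0 only for "--iscrypted" followed by a SHA-512 ($6$) hash.
check_rootpw() {
    line=$(grep -E '^[[:space:]]*rootpw[[:space:]]' | tail -n 1)
    if [ -z "$line" ]; then
        echo "missing"; return 1
    fi
    case "$line" in
        *--iscrypted*) ;;
        *) echo "plaintext"; return 1 ;;
    esac
    # The hash is the last whitespace-separated field on the line.
    hash=$(printf '%s\n' "$line" | awk '{print $NF}')
    scheme=$(crypt_scheme "$hash")
    if [ "$scheme" = sha512 ]; then
        echo "ok sha512"; return 0
    fi
    # The MD5 output of "openssl passwd -1" ends up here.
    echo "mismatch $scheme"; return 1
}

# Usage: sh check_rootpw.sh ks.cfg
if [ "$#" -gt 0 ]; then
    check_rootpw < "$1"
fi
```
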