Anaconda Kickstart – Using Rootpw Option in RHEL6 and Scientific Linux

anacondakickstartrhel6scientific-linux

I've tried a few different methods of generating an encrypted password on SL 6.5, but nothing seems to work for me. I'm not finding any errors anywhere in the various /var/log/anaconda* files, but I can't log in so it's obviously not working.

The original auto-created file at /root/anaconda-ks.cfg I used as a template looked like this:

rootpw  --iscrypted $6$...(about 100 characters)
authconfig --enableshadow --passalgo=sha512

Next I tried openssl passwd -1 which gave me:

rootpw  --iscrypted $1$...(about 30 characters)
authconfig --enableshadow --passalgo=sha512

I realized that wasn't SHA-512 so I tried a Python one-liner I found repeated in a few places:

rootpw  --iscrypted $6...(about 10 characters)
authconfig --enableshadow --passalgo=sha512

Nothing works; I can't log in and I end up having to reset the root password in single-user mode.

Best Answer

Make sure you have shadow and passalgo=sha512 on a machine, set the root pass to whatever password you want on that machine and take it from /etc/shadow and put it in the kickstart. This is not advisable for production use.

To do it programmatic, use the crypt library of your chosen language that generates the kickstart file:

RUBY:

'password'.crypt('$6$' + (Base64.encode64(6.times.map{ Random.rand(256).chr }.join)).strip)

PHP:

crypt ('password', '$6$' . base64_encode (openssl_random_pseudo_bytes(6)));

Perl:

crypt ('password', '$6$' . encode_base64 (join '' => map chr (rand (256)), 0..5))

Python:

crypt.crypt('password', '$6$' + base64.b64encode(os.urandom(6)))

It is highly advisable that you use a random salt each time, like I did here, specially if you use the same password on all servers.

EDIT: Python 3:

crypt.crypt("password", crypt.mksalt())

Replaces the call to os.random with the crypt specific mksalt.

See Python Standard Library: crypt: crypt.mksalt() : "Return a randomly generated salt of the specified method. If no method is given, the strongest method available as returned by methods() is used"

EDIT:

1) '$6$' is for SHA512. You would need to replace it with the encryption type of your choice.

2) You can transform any of these into one liners too in order to do it from bash.

EDIT (to have a complete answer, thanks to miken32 and dawud):

3) BSD crypt is a different implementation comparing to the GNU one so they are not compatible. If you want to use this on BSD systems (like OSX), you can use the PHP (with PHP version > 5.3.0) version as it implements its own crypt() function.

Another alternative on the mac is to use passlib:

python -c 'import getpass; import passlib.hash; h=passlib.hash.sha512_crypt.hash(getpass.getpass()); print(h if (passlib.hash.sha512_crypt.verify(getpass.getpass("Confirm:"), h)) else "")'

or, with glibc's default no. of rounds (5000):

python -c 'import getpass; import passlib.hash; h=passlib.hash.sha512_crypt.using(rounds=5000).hash(getpass.getpass()); print(h if (passlib.hash.sha512_crypt.verify(getpass.getpass("Confirm:"), h)) else "")'
Related Topic