
The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID: V-239288
Version: ESXI-67-000033
Rule ID: SV-239288r674793_rule
IA Controls: (none listed)
Severity: Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG: VMware vSphere 6.7 ESXi Security Technical Implementation Guide
Date: 2022-01-05

Details

Check Text ( C-42521r674791_chk )
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command:

# grep -i "^password" /etc/pam.d/passwd | grep sufficient

If sha512 is not listed, this is a finding.
Fix Text (F-42480r674792_fix)
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/pam.d/passwd":

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
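The check and fix above can be scripted so the same test runs on every host. The script below is an added example written for this page; it is not part of the STIG text and not a VMware tool. It reproduces the Check Text grep as a function and adds a second check the STIG does not spell out: the PAM line only governs hashes written after the change, so accounts whose password was set under the old line keep their old hash until it is reset. The assumption behind that second check is that SHA-512 crypt hashes in the shadow file carry the "$6$" prefix; the PAM and shadow files it reads are constructed samples with placeholder hash strings, not real ESXi files.

```shell
#!/bin/sh
# Added example, not part of the STIG text: reproduce the Check Text as a
# function, then look at the hashes already stored, since changing the PAM
# line only affects passwords set after the change.
# Assumed: sha512 appears as a whitespace-separated option on the
# "password sufficient ... pam_unix.so" line, and SHA-512 crypt hashes in the
# shadow file start with "$6$" (the prefix crypt(3) uses for that scheme).

# Return 0 when the sufficient pam_unix password line lists sha512, 1 otherwise
# (1 means the STIG check is a finding).
check_pam_sha512() {
    grep -i '^password' "$1" | grep sufficient | grep 'pam_unix\.so' |
        grep -qE '(^|[[:space:]])sha512([[:space:]]|$)'
}

# Print how many accounts in a shadow-format file carry a hash that is not
# SHA-512 crypt. Locked or empty fields (*, !, !!, empty) are not hashes.
count_non_sha512_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ && $2 !~ /^\$6\$/ { n++ } END { print n+0 }' "$1"
}

# Constructed sample inputs (not real files; hash strings are placeholders).
PAM_OK=$(mktemp); PAM_BAD=$(mktemp); SHADOW_SAMPLE=$(mktemp)

cat >"$PAM_OK" <<'EOF'
#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
password required /lib/security/$ISA/pam_deny.so
EOF

cat >"$PAM_BAD" <<'EOF'
#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5 remember=5
password required /lib/security/$ISA/pam_deny.so
EOF

cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$c0nstructed$notarealhashnotarealhashnotarealhash:19000:0:99999:7:::
svc:$1$c0nstructed$notarealhash:19000:0:99999:7:::
vpxuser:$5$c0nstructed$notarealhashnotarealhash:19000:0:99999:7:::
dcui:*:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::
EOF

# Run both checks against a PAM file and a shadow file; return 1 on a finding.
audit_host() {
    if check_pam_sha512 "$1"; then
        echo "pam_unix password line: sha512 present"
    else
        echo "pam_unix password line: sha512 missing (finding)"
        return 1
    fi
    n=$(count_non_sha512_hashes "$2")
    if [ "$n" -gt 0 ]; then
        echo "$n stored hash(es) not SHA-512; reset those passwords so new hashes are generated"
        return 1
    fi
    echo "all stored hashes are SHA-512 crypt"
}

audit_host "$PAM_OK" "$SHADOW_SAMPLE" || echo "audit result: findings present"
audit_host "$PAM_BAD" "$SHADOW_SAMPLE" || echo "audit result: findings present"
```

On a real host the two arguments would be /etc/pam.d/passwd and /etc/shadow, run from the ESXi shell (its grep and awk are BusyBox builds, which accept everything used here). The second check matters after applying the Fix Text: a compliant PAM line with legacy hashes still in /etc/shadow passes the STIG grep but leaves the old hashes in place until each affected password is changed.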