
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID: V-63235
Version: ESXI-06-000033
Rule ID: SV-77725r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG: VMware vSphere ESXi 6.0 Security Technical Implementation Guide
Date: 2019-01-04

Details

Check Text (C-63969r1_chk)
To verify the password hash setting, run the following command:

# grep -i "^password" /etc/pam.d/passwd | grep sufficient

If sha512 is not listed, this is a finding.
Fix Text (F-69153r1_fix)
To set the remember option, add or correct the following line in "/etc/pam.d/passwd":

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5