ESXI-67-000033 - The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.


From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/pam.d/passwd':

password sufficient /lib/security/$ISA/ use_authtok nullok shadow sha512 remember=5

See Also

Item Details


References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239288r674793_rule, STIG-ID|ESXI-67-000033, Vuln-ID|V-239288

Plugin: Unix

Control ID: 6c312fb84799a6169b3d7aab7a91454e4954fac31c4097113c193499ef8edaff