ESXI-65-000033 - The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Information

Systems must hash passwords with an algorithm from the SHA-2 family or a FIPS 140-2 approved successor. Hashes produced with unapproved algorithms are weaker and easier to crack should the hash store be exposed.

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/pam.d/passwd' so that pam_unix.so hashes passwords with sha512:

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5

This setting only governs hashes generated from now on. A password that was set while a weaker algorithm was configured keeps its old hash until it is changed again, so after correcting the line, reset any account whose stored hash still lacks the SHA-512 ($6$) prefix.
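The check a practitioner would pair with this fix, as an added shell example that is not part of the STIG or of ESXi: it confirms that the pam_unix.so password line carries the sha512 option, then lists every active account in the shadow file whose hash does not start with $6$, the prefix crypt uses for SHA-512 and therefore what the sha512 option produces. The pam.d and shadow contents below are constructed samples (the hash strings are placeholders, not real hashes); on a host, point the functions at the real /etc/pam.d/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not ESXi or DISA tooling): offline checker for ESXI-65-000033.
# Inspects a pam.d/passwd for the sha512 option on the pam_unix.so password line and
# lists shadow accounts whose stored hash does not carry the $6$ (SHA-512 crypt) prefix.
# Sample files below are constructed for the demo.

# Return 0 when a non-comment "password ... pam_unix.so" line contains the sha512 option.
pam_passwd_uses_sha512() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*password[[:space:]]' \
        | grep 'pam_unix\.so' \
        | grep -qw 'sha512'
}

# Print one account per line for every entry whose hash field is a real hash
# (not empty, not locked with '!' or '*') and does not begin with "$6$".
weak_hash_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && substr($2, 1, 3) != "$6$" { print $1 }' "$1"
}

# Combine both checks: returns 0 only if the PAM option is set and no weak hash remains.
check_host() {
    pam_file=$1
    shadow_file=$2
    rc=0
    if pam_passwd_uses_sha512 "$pam_file"; then
        echo "PASS: $pam_file hashes new passwords with sha512"
    else
        echo "FAIL: $pam_file does not set sha512 on the pam_unix.so password line"
        rc=1
    fi
    weak=$(weak_hash_accounts "$shadow_file")
    if [ -n "$weak" ]; then
        echo "FAIL: accounts still holding non-SHA-512 hashes (reset their passwords):"
        echo "$weak" | sed 's/^/  /'
        rc=1
    else
        echo "PASS: every active hash in $shadow_file uses the \$6\$ prefix"
    fi
    return $rc
}

# --- constructed sample data; hash strings are placeholders, not real password hashes ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd.md5" <<'EOF'
# non-compliant: pam_unix.so left at md5
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5 remember=5
EOF

cat > "$SAMPLE_DIR/passwd.sha512" <<'EOF'
# compliant: the line the STIG asks for
password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
EOF

# One account ("legacy") still carries an MD5-style $1$ hash from before the fix.
cat > "$SAMPLE_DIR/shadow.sample" <<'EOF'
root:$6$saltsalt$placeholderSHA512hash:18000:0:99999:7:::
legacy:$1$saltsalt$placeholderMD5hash:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
daemon:!!:18000:0:99999:7:::
nobody::18000:0:99999:7:::
EOF

# Same host after the legacy password was reset under the sha512 setting.
cat > "$SAMPLE_DIR/shadow.clean" <<'EOF'
root:$6$saltsalt$placeholderSHA512hash:18000:0:99999:7:::
legacy:$6$newsalt0$placeholderSHA512hash:18100:0:99999:7:::
svc:*:18000:0:99999:7:::
EOF

check_host "$SAMPLE_DIR/passwd.md5" "$SAMPLE_DIR/shadow.sample" || echo "(non-compliant)"
echo
check_host "$SAMPLE_DIR/passwd.sha512" "$SAMPLE_DIR/shadow.sample" || echo "(hashes still pending reset)"
echo
check_host "$SAMPLE_DIR/passwd.sha512" "$SAMPLE_DIR/shadow.clean" || echo "(non-compliant)"
```

The script uses only POSIX sh, grep, awk and sed, which the BusyBox shell on ESXi is expected to provide, so it can be run directly from an SSH session on the host. The second run shows the situation the Solution's caveat warns about: the PAM line is correct, yet an account hashed before the change still fails until its password is reset.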

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y20M04_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CAT|II, CCI|CCI-000366, Rule-ID|SV-104099r1_rule, STIG-ID|ESXI-65-000033, Vuln-ID|V-94013

Plugin: Unix

Control ID: 7ea452aeb8f487e9baa31f1aa24b77ad9bbbc50aa759a5e2d93f0ea6e42d94ca