Bug #23621

fips mode breaks ESXi deployment

Added by Jeff Sparrow 4 months ago. Updated 2 months ago.

Status: Closed
Priority: High
Assignee:
Category: Security
Target version:
Difficulty: easy
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

It would seem that due to http://projects.theforeman.org/issues/21875 - the md5 option for password hashing is no longer available. This ends up breaking ESXi provisioning (at least until I can find a workaround).
The kickstart installer for ESX does not seem to understand anything but md5. Yes, there is probably some way to get it to understand SHA256/512, but there is no documentation for this, and even the folks over in IRC #vmware don't know how to do it. After 3-4 days of attempts I have given up.

It would also appear that there is no way to disable password hashing for an OS in Foreman. So as it is now, it would appear there is no longer a way to provision ESX.

I've marked this as urgent as there is no current workaround and this completely renders the ability to provision ESX useless in Foreman, which has worked for the last 5 years. :(


Related issues

Related to Foreman - Feature #21875: Add support for sha512 grub passwords to provisioning templates (Closed, 2017-12-05)

Associated revisions

Revision aa797c6b (diff)
Added by Timo Goebel 4 months ago

fixes #23621 - passwords can be md5 hashed

History

#1 Updated by Timo Goebel 4 months ago

  • Related to Feature #21875: Add support for sha512 grub passwords to provisioning templates added

#2 Updated by Timo Goebel 4 months ago

  • Legacy Backlogs Release (now unused) set to 360

I think we should re-add this in 1.17.2.

#3 Updated by Jeff Sparrow 4 months ago

  • Legacy Backlogs Release (now unused) deleted (360)
  • Priority changed from Urgent to High

Haven't had enough coffee. There is a workaround - I can remove the <root_password> call in the provision script, and then manually enter in a non-hashed password. This removes the ability to allow users to set their own passwords, but at least allows us to keep provisioning ESX with Foreman.

#4 Updated by Jeff Sparrow 4 months ago

  • Legacy Backlogs Release (now unused) set to 360

#5 Updated by The Foreman Bot 4 months ago

  • Assignee set to Timo Goebel
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5578 added

#6 Updated by Ivan Necas 4 months ago

  • Status changed from Ready For Testing to Closed
