Skip to main content

Using hashed passwords for authentication

Use the information in this topic to understand how to use hashed passwords for authentication.

Aside from the use of passwords and LDAP/AD user accounts, the XClarity Controller also supports third-party hashed passwords for authentication. The special password uses a one-way hash (SHA256) format and is supported by the XClarity Controller web, OneCLI, and CLI interfaces. However, please note that authentication of XCC SNMP, IPMI and CIM interfaces do not support third-party hashed passwords. Only the OneCLI tool and XCC CLI interface can create a new account with a hashed password or perform a hashed password update. The XClarity Controller also allows the OneCLI tool and XClarity Controller CLI interface to retrieve the hashed password if the capability of reading hashed password is enabled.

Setting hashed password via XClarity Controller web

Click Security under BMC Configuration, and scroll to the Security Password Manager section to enable or disable the Third-party Password function. If enabled, a third-party hashed password is employed for log-in authentication. Retrieval of the third-party hashed password from the XClarity Controller can also be enabled of disabled.
Note
By default, the Third-party Password and Allow Third-party Password Retrieval functions are disabled.
To check if the user password is Native or a Third-party Password, click User/LDAP under BMC Configuration for details. The information will be under the Advanced Attribute column.
Note

  • Users will not be able to change a password if it is a third-party password, and the Password and Confirm password fields have been greyed out.

  • If the third-party password has expired, a warning message will be shown during the user login process.

Setting hashed password via OneCLI function

  • Enabling feature

    $ sudo OneCli config set IMM.ThirdPartyPassword Enabled

  • Creating hashed password ( No Salt ). The following shows an example logging to the XClarity Controller using the password123 password.

    $ pwhash = `echo -n password123 | openssl dgst -sha256 | awk '{print $NF}'`

    $ echo $pwhash 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

    $ sudo OneCli config set IMM.Loginid.2 admin

    $ sudo OneCli config set IMM.SHA256Password.2 $pwhash

    $ sudo OneCli config set IMM.SHA256PasswordSalt.2 ""

  • Creating user with hashed password ( With Salt ). The following shows an example logging to the XClarity Controller using the password123 password. Salt=abc.

    $ pwhash = `echo -n password123abc | openssl dgst -sha256 | awk '{print $NF}'`

    $ echo $pwhash 292bcbc41bb078cf5bd258db60b63a4b337c8c954409442cfad7148bc6428fee

    $ sudo OneCli config set IMM.Loginid.3 Admin

    $ sudo OneCli config set IMM.SHA256Password.3 $pwhash

    $ sudo OneCli config set IMM.SHA256PasswordSalt.3 'abc'

  • Retrieving the hashed password and salt.

    $ sudo OneCli config set IMM.ThirdPartyPasswordReadable Enabled

    $ sudo OneCli config show IMM.SHA256Password.3

    $ sudo OneCli config show IMM.SHA256PasswordSalt.3

  • Deleting the hashed password and salt.

    $ sudo OneCli config set IMM.SHA256Password.3 ""

    $ sudo OneCli config set IMM.SHA256PasswordSalt.3 ""

  • Setting the hashed password to an existing account.

    $ sudo OneCli config set IMM.Loginid.2 admin

    $ sudo OneCli config set IMM.Password.2 Passw0rd123abc

    $ sudo OneCli config set IMM.SHA256Password.2 $pwhash

    $ sudo OneCli config set IMM.SHA256PasswordSalt.2 ""

    Note
    While the hashed password is being set, this password will immediately take effect. The original standard password will no longer be effective. In this example, the original standard password Passw0rd123abc cannot be used anymore until the hashed password is deleted.

Setting hashed password via CLI function

  • Enabling feature

    > hashpw -sw enabled

  • Creating hashed password ( No Salt ). The following shows an example logging to the XClarity Controller using the password123 password.

    $ pwhash = `echo -n password123 | openssl dgst -sha256 | awk '{print $NF}'`

    5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

    > users -2 -n admin -shp 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -a super

  • Creating user with hashed password ( With Salt ). The following shows an example logging to the XClarity Controller using the password123 password. Salt=abc.

    $ pwhash = `echo -n password123abc | openssl dgst -sha256 | awk '{print $NF}'`

    $ echo $pwhash 292bcbc41bb078cf5bd258db60b63a4b337c8c954409442cfad7148bc6428fee

    > users -3 -n Admin -shp 292bcbc41bb078cf5bd258db60b63a4b337c8c954409442cfad7148bc6428fee -ssalt 'abc' -a super

  • Retrieving the hashed password and salt.

    > hashpw -re enabled

    > users -3 -ghp -gsalt

  • Deleting the hashed password and salt.

    > users -3 -shp "" -ssalt ""

  • Setting the hashed password to an existing account.

    > users -2 -n admin -p Passw0rd123abc -shp 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -a super

    Note
    While the hashed password is being set, this password will immediately take effect. The original standard password will no longer be effective. In this example, the original standard password Passw0rd123abc cannot be used anymore until the hashed password is deleted.

After the hashed password has been set up, remember you do not used this to login to the XClarity Controller. When logging in, you will need to use the plaintext password. In the example shown below, the plaintext password is “password123”.

$ pwhash = ‘echo —n password123 | openssl dgst —sha256 | awk '{print $NF}'’

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

> users -2 -n admin -shp 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -a super