It can only work for the root passwd. You can take the value in /etc/shadow and copy it in verbatim instead of the plain value. Root password can be non-recoverably encrypted (you only need to tell the nodes how to prove someone knows a password, not actually know the password itself). For things like IPMI, the password must be known by xCAT, and for such passwords there's no encryption available.
For IPMI, if wanting to have an encrypted storage of the password, you can skip xCAT configuration and use confluent, which does have support for recoverable encryption, though the default behavior has the decryption key in the clear, and if the user wants to protect the decryption key, the functionality exists but is not documented (it requires the user either type a password or chain it to a key of their choosing). There have been plans to be able to bind copies of the crypto keys to system TPMs, but so far no one has actually asked for that.

From: Christian Caruthers <ccaruth...@lenovo.com>
Sent: Wednesday, November 28, 2018 8:50 AM
To: xCAT Users Mailing list (xcat-user@lists.sourceforge.net) <xcat-user@lists.sourceforge.net>
Subject: [External] [xcat-user] Encrypted passwords in passwd table

Looking to set up encrypted passwords, and the only documentation I see is on the old SF site: https://sourceforge.net/p/xcat/wiki/Encrypted_root_password_in_passwd.tab/

Is there any newer documentation? I didn't see it on the readthedocs site.

Also, does this only work for the root password, or can it also be used for IPMI?

Regards,
Christian Caruthers
Lenovo Professional Services
Mobile: 757-289-9872
_______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
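Added example, not part of the original thread and not xCAT's own code: a shell sketch of the "copy the /etc/shadow value verbatim" step from the reply, which pulls root's hash field, refuses locked or empty entries, and prints a single-quoted `chtab` command so the shell does not expand the `$` characters in the hash. The sample shadow text and its hash are constructed placeholders, the function names are hypothetical, and the `key=system` root entry is assumed to be the one being set; the command is only printed, never run.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format; the hashes are placeholders, not real ones.
SAMPLE_SHADOW='root:$6$ExampleSalt$ConstructedHashValueNotReal:17863:0:99999:7:::
daemon:*:17863:0:99999:7:::
svc:!$6$ExampleSalt$LockedAccountHash:17863:0:99999:7:::'

# shadow_hash USER: read shadow-format text on stdin and print USER's hash field.
# Returns non-zero if the user is missing or the field is empty, locked
# ("!" or "*" prefix) or otherwise not in $id$... crypt format.
shadow_hash() {
  awk -F: -v u="$1" '
    $1 == u {
      if ($2 ~ /^\$[0-9a-z]+\$/) { print $2; ok = 1 }
      exit
    }
    END { exit !ok }'
}

# crypt_scheme HASH: name the scheme from the $id$ prefix, to spot weak MD5 hashes.
crypt_scheme() {
  case "$1" in
    '$1$'*) echo md5 ;;
    '$5$'*) echo sha256 ;;
    '$6$'*) echo sha512 ;;
    *)      echo other ;;
  esac
}

# chtab_command HASH: print (do not run) the command that stores the hash.
# Single quotes keep the shell from treating $6, $ExampleSalt, ... as variables;
# a hash containing a single quote is rejected because it would break the quoting.
chtab_command() {
  case "$1" in *"'"*) return 1 ;; esac
  printf "chtab key=system passwd.username=root passwd.password='%s'\n" "$1"
}

# Stand-alone run against the constructed sample.
hash=$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_hash root) &&
  echo "scheme: $(crypt_scheme "$hash")" &&
  chtab_command "$hash"
```

On a real management node the input would be `/etc/shadow` read as root instead of the embedded sample.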