Description
According to the documentation, one can store an encrypted password in the passwd table. The provided example (using openssl passwd -1) generates password hashes using md5.
Now, with #2168, the default crypt method for passwords in the passwd table seems to be sha256, which is a first problem. The documentation should probably be updated to mention that, and give an example to generate a sha256 encrypted password hash.
Now, looking at #2168 in more detail, especially https://github.com/xcat2/xcat-core/pull/2168/files?diff=unified#diff-97ef2682510dad0de95d0570c8f81106, and unless I missed something, I think there's been a major regression in functionality.
Before, the value stored in the passwd table was checked to see if it started with $1$, $5$ or $6$ (the identifiers for md5, sha256 and sha512 respectively). If it started with one of those, it was recognized as being already hashed, and was returned as-is by the crydb() function. If it did not, it was then hashed with the crypt() function.
Now, it looks to me that the value from the passwd table is crypted no matter what, even if it already is. So as a result, if I store a hashed value in passwd, it gets hashed again, and the resulting hash in /etc/passwd doesn't correspond to anything anymore, meaning that I can't use the password I chose to authenticate as root.
I believe this is also the case for the stateless and statelite cases (xCAT-server/lib/xcat/plugins/packimage.pm and xCAT-server/lib/xcat/plugins/statelite.pm).
Could you please restore the previous behavior? We need to be able to store encrypted root passwords in the passwd table.
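The prefix check the report describes, as an added shell example that is not xCAT's own code: it mirrors the old pass-through of values already in crypt(3) format, hashes anything else with openssl passwd -6 (the sha512 counterpart of the -1 md5 form in the docs), and shows why hashing an already-hashed value breaks authentication. The function names are assumptions; the sample password is constructed.

```shell
#!/bin/sh
# Added example, not xCAT code. Reproduces the pre-#2168 handling of the
# passwd table value and contrasts it with an unconditional re-hash.

# Succeeds when $1 carries one of the crypt(3) prefixes xCAT recognised
# ($1$ md5, $5$ sha256, $6$ sha512); anything else is treated as plaintext.
is_crypt_hash() {
    case "$1" in
        '$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Old behaviour (hypothetical name): pass an existing hash through untouched,
# hash plaintext with sha512-crypt and a random salt.
to_shadow_hash() {
    if is_crypt_hash "$1"; then
        printf '%s\n' "$1"
    else
        openssl passwd -6 "$1"
    fi
}

# Behaviour the report describes after #2168: hash whatever is stored,
# even if it is already a hash.
rehash_always() {
    openssl passwd -6 "$1"
}

# Check a plaintext against a stored hash the way login does: re-run the same
# algorithm with the salt taken from the stored value ($id$salt$hash) and
# compare. Returns 0 on match.
verify_password() {
    stored=$1
    plain=$2
    id=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    case "$id" in
        1) flag=-1 ;;
        5) flag=-5 ;;
        6) flag=-6 ;;
        *) return 1 ;;
    esac
    [ "$(openssl passwd "$flag" -salt "$salt" "$plain")" = "$stored" ]
}
```

Running to_shadow_hash on its own output is idempotent, whereas rehash_always on a stored hash yields a value that no longer verifies against the original password.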