AFF, NVMe, EF-Series, and SolidFire Discussions

HCI account password policy

chinchillaking

Hi All,

 

Due to security, may we know below account password policy? Refer root account, could change?

 

console root account

cluster admin account

IPMI ADMIN account

 

BTW, could change policy, e.g. complexity, length, history and lockout ..............?

 

 

Best regards,

 

Chung

3 REPLIES 3

Re: HCI account password policy

elementx

console root account - I don't know if it's available to anyone in field. SSH service on storage cluster (reverse SSH tunnel to NetApp) can be enabled for NetApp Support, but generally SSH isn't available for remote access anyway.

 

cluster admin account - there's no lockout, but you can make the password very complex (e.g. 20 characters), and also you can eliminate the use of local cluster admin:

a) create a AD group, connect cluster to AD, add an admin group account as cluster admin, and then set vCenter plugin and other accounts to use that AD account.

b) block network access to cluster Management IP and VIP (normally it's blocked by default if you keep cluster management network on separate VLAN where only mNode and vCenter have access to, but if the case you have not implemented networking that way, then you could limit access to the IPs mNode, vCenter and perhaps 1-2 other hosts

 

IPMI ADMIN account - you can check in the IPMI UI (create a test account and try?), I don't remember this detail now (and there may be slight differences between different hardware models, e.g. H600 vs. H300 vs. H410, and IPMI f/w versions). As far as I know (I may be wrong), the only time IPMI admin account is used is when mNode/HCC upgrades BIOS and firmware, so if you don't have it on a secure network, you could probably enable this on demand (for f/w upgrades with HCC) and keep it disabled at other times.

Re: HCI account password policy

chinchillaking

Hi Elementx,

 

The root account, it was "Textual User Interface (TUI)", could it change with complexity?

 

 

Best regards,

 

Chung

Re: HCI account password policy

elementx

Hi

 

- In mNode TUI, you can set "admin" account for mNode. Of course, later you can login to shell and as sudoer change the root password for mNode. You can disable SSH service on this node using standard Linux commands.

 

- But in storage node you can only set local cluster admin account. Bootstrap OS (before SolidFire cluster is formed, also used to update firmware) boots from the first disk (Disk 0) and has its own root password (I don't know what it is), but once cluster is configured, you boot nodes to Disk 1 where SolidFire (Element OS) is installed and like with Bootstrap OS we don't have root access (or any shell access) to that OS. You can get to TUI (not a shell) with cluster admin password, but that's all. If/when remote support is required, you can enable Reverse SSH (whereby Cluster Manager or individual storage Node connects to NetApp Support who can perform reverse access and log with SSH). If you don't ever want to enable reverse SSH that's fine as well, then you'd use desktop screen sharing app and let NetApp support use your SSH client to login to nodes for troubleshooting.

In field we don't have root passwords for storage OS and there's no remote access to it, unless you enable it (reverse SSH tunnel only).

View solution in original post

Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Public