ONTAP Discussions

Disabling All Password Policies Temporarily

TMADOCTHOMAS
2,654 Views

Is there a way in cdot to disable all password policies temporarily? I know there was a way in 7-mode because I did it a few times, but can't find the equivalent in cdot. Use case is simple: I have a local account set up on all of our clusters that already has a secure password. On ONE of those clusters I need to 'change' the password to upgrade from MD5 to SHA512, but I don't want to actually change it. Problem is the "disallowed-reuse" setting under security login role config modify has a MINIMUM of 6, so the only way around it is to disable all policies, make the change, then re-enable.

1 ACCEPTED SOLUTION

Mjizzini
2,537 Views

I don't think that we can disable the password policies. Maybe deleting it then recreating it again.

Enforcing SHA-2 on administrator account passwords


3 REPLIES 3

TMADOCTHOMAS
2,527 Views

Okay thanks @Mjizzini !

dirvine
876 Views

You can change the policy temporarily - set the password back to original and then change it back:

sec login role config modify -vserver <vserver> -role admin -disallowed-reuse 1
sec login password -vserver <vserver> -username <username>
sec login role config modify -vserver <vserver> -role admin -disallowed-reuse 6

As long as the password you first use is different to what it is now, this will work.
