Field CTO, Hybrid Data Center
In the ever-evolving landscape of IT security, managing passwords across various platforms can be a daunting task. However, Nutanix has released a Centralized Local Password Management feature designed to centralize password management, ensuring a more secure and standardized approach for organizations. We’ll dive into how this feature can simplify your password management strategy and bolster your security posture.
Before we explore the solution, it’s essential to understand the problem. Managing local account passwords across multiple systems and platforms can be chaotic. Without a centralized management system, organizations often face:
Let’s explore some of the minimum requirements and current limitations of this feature, so we have a good baseline to start.
Before you can use this feature, you will need to make sure that you are on a supported software version for both AOS (Prism Element, PE) and Prism Central (PC).
For AOS, the required minimum version is AOS 6.7.1 or above, and the PC version is pc.2023.4 or above. Note that if you meet the minimum PC version but NOT the AOS version, this won’t work—and vice versa.
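To make that two-sided gate explicit, here is a small added check (my own example, not Nutanix code) that parses the AOS and PC version strings and reports which of the two minimums is missing. The "pc." prefix handling and the padding of short versions are assumptions about the version string format, not something the post documents.

```python
import re
from typing import Tuple

# Minimum versions named in the post: AOS 6.7.1 and pc.2023.4.
MIN_AOS = "6.7.1"
MIN_PC = "pc.2023.4"


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '6.8.0.5' or 'pc.2024.1.0.1' into a comparable tuple of ints.
    Non-numeric prefixes such as 'pc.' are dropped (assumption about the
    format); a missing trailing component is treated as zero by the caller."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(parts)


def meets_minimum(version: str, minimum: str) -> bool:
    """Pad the shorter tuple with zeros so '6.7.1' compares equal to '6.7.1.0'."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def feature_supported(aos_version: str, pc_version: str) -> Tuple[bool, str]:
    """Both gates must pass. The reason string names every failing side,
    because meeting only one of the two minimums is not enough."""
    aos_ok = meets_minimum(aos_version, MIN_AOS)
    pc_ok = meets_minimum(pc_version, MIN_PC)
    if aos_ok and pc_ok:
        return True, "supported"
    missing = []
    if not aos_ok:
        missing.append(f"AOS {aos_version} < {MIN_AOS}")
    if not pc_ok:
        missing.append(f"PC {pc_version} < {MIN_PC}")
    return False, "; ".join(missing)


if __name__ == "__main__":
    # First pair is the lab in the post; the other two are constructed
    # failing cases (old AOS, then old PC).
    for aos, pc in [("6.8.0.5", "pc.2024.1.0.1"),
                    ("6.5.4", "pc.2024.1.0.1"),
                    ("6.7.1", "pc.2023.3")]:
        print(aos, pc, feature_supported(aos, pc))
```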
The current limitations probably won’t be a huge impact to most folks, but because there are limitations, let’s still call them out.
Nutanix has introduced a feature that allows organizations to manage local account passwords centrally across Prism Element and Prism Central. Here’s how this powerful capability can transform your password management:
To leverage Centralized Management of Prism Element and Prism Central local passwords, other than ensuring you’re currently on the minimum versions, there’s nothing else to enable. Per Nutanix, “The centralized management of passwords ensures enhanced account security by providing a direct view of the status of passwords (default or secure) and the ability to change the passwords of both individual accounts and the accounts that are grouped based on the cluster, controller VM, or Prism Central scope.” This is a great feature to see if accounts are using the defaults, but also when they were last changed.
So let’s take a look at this feature live. In my lab, I’ve got a 4-node Nutanix cluster running AOS 6.8.0.5 and PC 2024.1.0.1, the latest release available for each. This is a newly deployed cluster and a standalone PC instance, with no configs other than changing the default admin password for each and onboarding the cluster to PC.
Note: this feature does NOT handle changing the default passwords for the AHV and ESXi local accounts, specifically the root, admin, and nutanix users on AHV, and the root user on ESXi.
Managing the local account passwords is done through Prism Central only, so any cluster you want to manage must be onboarded to PC. This feature also does not require any specific licensing. To manage the password for one or multiple local accounts, navigate within PC to Network & Security > Local Account Passwords. Make sure you're under the Infrastructure application in the Application Switcher.
The Local Account Passwords screen makes it incredibly easy to change passwords. Yes, you can still use the ncli command on a CVM or PCVM, ncli user reset-password user-name='admin' password='<PASSWD>', to change the admin password, and the passwd command on the CVM or PCVM to change the nutanix user's password, but now you get a single view across all of these users, along with the last time each password was changed.
As we can see in my example, having just deployed a new cluster and PC instance, I had to change the admin user’s password upon initial login. However, the Nutanix user is still the default.
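That single view (default vs. secure status plus last-changed time, across every onboarded cluster) is exactly what you want to audit on a schedule. The following is an added example of my own, not a Nutanix tool: it runs over a constructed list of account records shaped like the screen's columns and flags defaults and stale passwords per scope. The 90-day rotation limit and the record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed rotation policy for this example; pick what your standard requires.
MAX_AGE = timedelta(days=90)


@dataclass
class LocalAccount:
    scope: str                        # cluster name or "PC" (constructed field)
    user: str                         # "admin" or "nutanix"
    status: str                       # "default" or "secure", as the PC view labels them
    last_changed: Optional[datetime]  # None when no change has been recorded


def audit(accounts: List[LocalAccount], now: datetime) -> Dict[str, List[str]]:
    """Return findings grouped by scope. A default password is reported
    outright; a secure one is reported only if it is missing a timestamp
    or is older than MAX_AGE."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        problems = []
        if acct.status == "default":
            problems.append(f"{acct.user}: still using the default password")
        elif acct.last_changed is None:
            problems.append(f"{acct.user}: no last-changed timestamp recorded")
        elif now - acct.last_changed > MAX_AGE:
            age = (now - acct.last_changed).days
            problems.append(f"{acct.user}: password is {age} days old (limit {MAX_AGE.days})")
        if problems:
            findings.setdefault(acct.scope, []).extend(problems)
    return findings


# Constructed sample mirroring the lab above (admin changed at first login,
# nutanix still default on both the cluster and PC) plus a second, older
# cluster whose admin password has not been rotated since January.
UTC = timezone.utc
SAMPLE = [
    LocalAccount("lab-cluster", "admin", "secure", datetime(2024, 6, 28, tzinfo=UTC)),
    LocalAccount("lab-cluster", "nutanix", "default", None),
    LocalAccount("PC", "admin", "secure", datetime(2024, 6, 28, tzinfo=UTC)),
    LocalAccount("PC", "nutanix", "default", None),
    LocalAccount("cluster-02", "admin", "secure", datetime(2024, 1, 15, tzinfo=UTC)),
    LocalAccount("cluster-02", "nutanix", "secure", datetime(2024, 6, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for scope, items in audit(SAMPLE, datetime(2024, 7, 1, tzinfo=UTC)).items():
        print(scope, items)
```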
So, rather than ssh’ing to the CVM and PCVM to issue the passwd commands to change the password, we’ll do this via the Local Account Password Manager. Remember—as mentioned in the limitations, you can’t select BOTH of the AOS and PC options at the same time. In this example, we’ll select the Nutanix user for the cluster, and update that password. We’ll enter the current password, and then the new password for this user.
Now, where doesn't this tool help? Well, if you forget the current password for a local user, you can't bypass this. If you've lost the admin user's current password, you can use the CVM or PCVM to run the ncli command to reset it. If you've lost the nutanix user's password, then adding a public SSH key and logging in via SSH will save your bacon, and it's not a bad way to add some security to the environment as well!
A great result of this feature is the ability to mass change the admin or Nutanix accounts in bulk across multiple clusters as well.
Here are some additional items to consider to secure your Nutanix clusters (and other environments):
Nutanix’s centralized password management is more than just a convenience; it’s a strategic advantage. By leveraging this feature, organizations can enhance their security posture, streamline administrative processes, and ensure compliance with regulatory standards.
In a world where security threats are constantly evolving, adopting a centralized approach to password management is a proactive step towards safeguarding your organization’s critical assets. With Nutanix, you not only simplify your operations, but also fortify your defenses against the ever-present threat of cyberattacks.
By integrating this powerful feature into your IT strategy, you can transform how your organization handles passwords, leading to a more secure and efficient environment.
Thanks for reading, and stay tuned for more updates and tips on leveraging Nutanix to its fullest potential!
If you have any questions or you’re looking for assistance with Nutanix, please reach out to info@eGroup-us.com or complete the form below.