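How to make Edge Node and NSX Manager passwords never expire
1. Introduction
The admin/root passwords of the Edge Nodes in IBM Cloud VCS (VMware vCenter Server) and the root password of NSX Manager expire after 90 days by default, and the console starts showing warnings as the deadline approaches, so let's set these passwords to never expire.
2. Making the Edge Node admin/root passwords never expire
Following the article "NSX-T Local Accounts and Password Expiration", I set the passwords of the Edge Nodes (cust-edge01, cust-edge02, service-edge01, service-edge02) to never expire. The following is the result of running the commands from a VSI on IBM Cloud.
First, the SSH service is not running by default.
SSH not available
$ nmap -Pn 10.192.64.2 -p 22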
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-20 17:27 JST
Nmap scan report for 10.192.64.2
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
Therefore, go to System -> Nodes -> Edge Transport Nodes, select the Edge in question, and choose Change Node Settings from the Actions button.
Allow SSH Settings is set to No, so change it to Yes.
SSH access is now possible, so log in and set the passwords to never expire.
$ nmap -Pn 10.192.64.2 -p 22
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-20 17:44 JST
Nmap scan report for 10.192.64.2
Host is up (0.0016s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Log in over SSH and set the admin and root passwords to never expire.
$ ssh [email protected]
The authenticity of host '10.192.64.2 (10.192.64.2)' can't be established.
ECDSA key fingerprint is SHA256:Ec8dQ/yfld9aAuNzbLL35lhSn8BBtbCRR+9OwunvjyA.
ECDSA key fingerprint is MD5:10:cd:31:17:7e:95:39:db:b4:be:7a:17:04:95:ce:4f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.192.64.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
* TIPS: To reconfig management interface, please refer to these CLIs
1) stop service dataplane
2) set interface interface-name vlan vlan-id plane mgmt (for creating vlan sub-interface)
3) set interface interface-name ip x.x.x.x/24 gateway x.x.x.x plane mgmt (for static ip)
set interface interface-name dhcp plane mgmt (for dhcp)
4) start service dataplane
To config in-band management interface, please refer to these CLIs
1) set interface mac mac-addr vlan vlan-id in-band plane mgmt
2) set interface eth0.vlan ip x.x.x.x/24 gateway x.x.x.x plane mgmt (for static ip)
set interface eth0.vlan dhcp plane mgmt (for dhcp)
NSX CLI (Edge 3.1.0.0.0.17107177). Press ? for command list or enter: help
cust-edge01> get user admin password-expiration
Tue Apr 20 2021 UTC 11:31:11.308
Password expires 90 days after last change. Current password will expire in 11 days.
cust-edge01> get user root password-expiration
Tue Apr 20 2021 UTC 11:31:32.412
Password expires 90 days after last change. Current password will expire in 11 days.
cust-edge01> clear user admin password-expiration
cust-edge01> clear user root password-expiration
cust-edge01> get user admin password-expiration
Tue Apr 20 2021 UTC 11:31:50.233
Password expiration not configured for this user
cust-edge01> get user root password-expiration
Tue Apr 20 2021 UTC 11:31:56.231
Password expiration not configured for this user
Set the admin/root passwords of the other Edge Nodes to never expire in the same way.
3. Making the NSX Manager root password never expire
$ NSXTCREDENTIAL='admin:<パスワード>'
$ NSXTTARGET=10.192.120.198
$ curl -ks -u $NSXTCREDENTIAL -X GET https://$NSXTTARGET/api/v1/node/users
{
"_schema": "NodeUserPropertiesListResult",
"_self": {
"href": "/node/users",
"rel": "self"
},
"result_count": 3,
"results": [
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 90,
"status": "ACTIVE",
"userid": 0,
"username": "root"
},
{
"full_name": "",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 10000,
"username": "admin"
},
{
"full_name": "",
"last_password_change": 173,
"password_change_frequency": 90,
"status": "NOT_ACTIVATED",
"userid": 10002,
"username": "audit"
}
]
}
The root user's userid is 0, so specify https://$NSXTTARGET/api/v1/node/users/0.
$ curl -ks -u $NSXTCREDENTIAL -X PUT https://$NSXTTARGET/api/v1/node/users/0 -H "Content-type: application/json" -d '{"password_change_frequency": 0}'
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 0,
"username": "root"
}
$ curl -ks -u $NSXTCREDENTIAL -X GET https://$NSXTTARGET/api/v1/node/users/0
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 0,
"username": "root"
}
To be sure, accessing the other NSX Managers directly shows that the root password's validity period is likewise unlimited there.
$ NSXTTARGET=10.192.120.195
$ curl -ks -u $NSXTCREDENTIAL -X GET https://$NSXTTARGET/api/v1/node/users/0
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 0,
"username": "root"
}
$ NSXTTARGET=10.192.120.196
$ curl -ks -u $NSXTCREDENTIAL -X GET https://$NSXTTARGET/api/v1/node/users/0
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 0,
"username": "root"
}
$ NSXTTARGET=10.192.120.197
$ curl -ks -u $NSXTCREDENTIAL -X GET https://$NSXTTARGET/api/v1/node/users/0
{
"full_name": "root",
"last_password_change": 79,
"password_change_frequency": 0,
"status": "ACTIVE",
"userid": 0,
"username": "root"
}
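An added example, not part of the original article: once expiry is turned off nothing forces rotation any more, so this sketch classifies the accounts in a /api/v1/node/users response by expiry state. The sample is constructed from the response shown above; audit_node_users, the state names and the thresholds are hypothetical, and it assumes last_password_change counts days since the last change.

```python
import json

# Constructed sample: the /api/v1/node/users response shown above, before the PUT.
SAMPLE_RESPONSE = json.loads("""
{
  "result_count": 3,
  "results": [
    {"full_name": "root", "last_password_change": 79, "password_change_frequency": 90,
     "status": "ACTIVE", "userid": 0, "username": "root"},
    {"full_name": "", "last_password_change": 79, "password_change_frequency": 0,
     "status": "ACTIVE", "userid": 10000, "username": "admin"},
    {"full_name": "", "last_password_change": 173, "password_change_frequency": 90,
     "status": "NOT_ACTIVATED", "userid": 10002, "username": "audit"}
  ]
}
""")


def audit_node_users(response, warn_days=14, max_age_days=90):
    """Classify each local account by password expiry state.

    Assumption: last_password_change is days since the last change and
    password_change_frequency is the validity period in days (0 = never expires).
    """
    findings = []
    for user in response.get("results", []):
        age = user["last_password_change"]
        freq = user["password_change_frequency"]
        if freq == 0:
            # Expiry disabled: rotation is now a manual duty, so flag old passwords.
            state = "NO_EXPIRY_STALE" if age >= max_age_days else "NO_EXPIRY"
            remaining = None
        else:
            remaining = freq - age
            if remaining < 0:
                state = "EXPIRED"
            elif remaining <= warn_days:
                state = "EXPIRING_SOON"
            else:
                state = "OK"
        findings.append({"username": user["username"], "userid": user["userid"],
                         "status": user["status"], "state": state,
                         "days_remaining": remaining})
    return findings


if __name__ == "__main__":
    for f in audit_node_users(SAMPLE_RESPONSE):
        print(f"{f['username']:<6} {f['status']:<14} {f['state']:<16} {f['days_remaining']}")
```

To run it against a live manager, pass in the parsed JSON body of the GET request shown earlier instead of the constructed sample.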
Reference
More material on this topic (How to make Edge Node and NSX Manager passwords never expire) is available at the following link:
https://qiita.com/testnin2/items/f4c31cfd60aeb995a87c