VMware NSX alarm for root/admin/audit password expired or expiring

Article ID: 338942


Products

VMware NSX

Issue/Introduction

  • You will see an alarm for an expired root/admin/audit password on the following components:

    • NSX-T Manager 

    • NSX-T Edge Node VMs

  • You can run the following command on the NSX appliance (manager/edge), as the admin user, to see the number of days until password expiration:

nsx-manager/edge> get user <root/admin/audit> password-expiration

Password expires 90 days after last change

User will receive warning messages 7 days before password expires.

    • Or, if the password has already expired, a message similar to the following is displayed:

Current password expired ## day ago.

  • In the NSX appliance Manager/Edge node log /var/log/auth.log, the following entries indicate which account(s) and when they will expire:

<87>1 20##-##-##T05:##:##.495576+00:00 nsxmgrT-A2 sshd 7437 - -  pam_unix(sshd:account): password for user admin will expire in 1 days
<87>1 20##-##-##T05:##:##.614870+00:00 nsxmgrT-A2 CRON 7771 - -  pam_unix(cron:account): password for user root will expire in 1 days

  • You will see the following messages when you SSH into the NSX appliance, when the password for that account has expired:

You are required to change your password immediately (password aged)
Changing password for root.
(current) UNIX password: 
New password: 
Retype new password: 
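
The auth.log entries above can be watched centrally so that an expiring account is caught even when nobody logs in to see the SSH warning. The following is an added example, not part of the original article or VMware tooling: it parses lines in the layout shown above and reports the newest status per host and account. The sample lines, host names and function name are constructed, the "expired password for user" line is assumed from the upstream Linux-PAM pam_unix message rather than taken from this article, and input is assumed to be in chronological order.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the layout the article shows for /var/log/auth.log.
SAMPLE_LOG = """\
<87>1 2024-03-01T05:10:11.495576+00:00 nsxmgr-01 sshd 7437 - -  pam_unix(sshd:account): password for user admin will expire in 6 days
<87>1 2024-03-04T05:10:12.614870+00:00 nsxmgr-01 CRON 7771 - -  pam_unix(cron:account): password for user root will expire in 1 days
<87>1 2024-03-04T05:12:40.101010+00:00 nsxmgr-01 sshd 7440 - -  pam_unix(sshd:account): password for user admin will expire in 3 days
<86>1 2024-03-04T05:13:02.000001+00:00 nsxmgr-01 sshd 7502 - -  pam_unix(sshd:session): session opened for user admin by (uid=0)
<87>1 2024-03-04T06:00:00.222222+00:00 nsxedge-01 sshd 911 - -  pam_unix(sshd:account): expired password for user audit (password aged)
"""

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD, then the pam_unix account message.
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+\s+"
                    r"(?P<msg>pam_unix\(\S+:account\): .*)$")
EXPIRING = re.compile(r"password for user (?P<user>\S+) will expire in (?P<days>\d+) days?")
# Assumption: upstream pam_unix wording for an already expired password.
EXPIRED = re.compile(r"expired password for user (?P<user>\S+) \(password aged\)")

@dataclass
class Finding:
    host: str
    user: str
    days_left: int  # 0 means pam_unix reported the password as already expired
    last_seen: str

def password_expiry_findings(log_text, warn_days=7):
    """Return accounts at or below warn_days, most urgent first."""
    latest = {}
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue  # not a pam_unix account-phase message
        expiring = EXPIRING.search(head["msg"])
        expired = EXPIRED.search(head["msg"])
        if expiring:
            user, days = expiring["user"], int(expiring["days"])
        elif expired:
            user, days = expired["user"], 0
        else:
            continue
        # Later lines overwrite earlier ones, so the newest report per account wins.
        latest[(head["host"], user)] = Finding(head["host"], user, days, head["ts"])
    due = [f for f in latest.values() if f.days_left <= warn_days]
    return sorted(due, key=lambda f: (f.days_left, f.host, f.user))

if __name__ == "__main__":
    for f in password_expiry_findings(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.days_left} day(s) left (last seen {f.last_seen})")
```
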

Environment

VMware NSX
VMware PKS

Cause

Password expiration was introduced in VMware NSX-T 2.4.0.

By default, password expiration is configured for 90 days.

VMware NSX-T 2.4.0 introduced the ability to set password expiration times and to generate an alarm when a password is about to expire or has expired.

Resolution

If the password for admin/audit on the NSX appliance is already expired, you can reset the password by running the following command from nsxcli:

  • Log in as root and switch to the admin user using 'su admin'.

nsxtmgr> set user <admin/audit> password
Current password:
New password:
Confirm new password:

As the admin user, you can run the command below to change the password expiration duration (maximum of 9999 days).

  • For example, the command below changes the admin password expiration to 9999 days on the NSX manager:

nsxtmgr> set user admin password-expiration 9999

Password expiration can also be disabled per user. For example, the command below disables password expiration for the audit user on the NSX manager:

nsxtmgr> clear user audit password-expiration

Please refer to Resetting User Passwords and the NSX CLI Guide for more details.

Alternatively, you can use the API to configure the expiration time or disable it under NodeUserProperties ("set to 0 to disable password expiration").

Please refer to the NSX-T Data Center REST API for more details.

Additional Information

See Authentication Policy Settings for details on password complexity requirements.

Impact/Risks:

  • Once the password expires, you will be unable to log in and manage NSX-T components.
  • Additionally, any task or API call that requires the NSX-T Admin password to be executed will fail.
  • You might not see any warning in the UI that your password is going to expire or has already expired.