Best Practices for CLI Passwords
This topic provides information about CLI passwords and best practices.
Note: The information applies to QBSP version 2.2.1 or later.
- Key password-related security features:
  - You cannot change the password from the web UI after the initial forced password change.
  - You can change the admin and root user passwords separately using the -u argument with the password CLI command.
  - The default invocation of the password CLI command changes BOTH the admin and root passwords to the new value you provide.
- BMC/IPMI passwords:
  - These are set to unique values at the factory, and the pre-set values are usually displayed on "dog ears" (pull-out tabs) or a sticker on the chassis/controllers. In dual-controller products, each controller has its own unique password (the two controllers do not contain the same value).
  - The QBSP operating system admin user can change the passwords using the CLI (SSH) or the web UI with no additional password authentication; the old BMC/IPMI password is not required to set a new password value.
- QBSP operating system admin user password:
  - When QBSP-based products are shipped from the factory OR after a factory reset, the administrator password is set to admin.
  - At the initial login with the admin user account, through either the web UI or the CLI (SSH), you are forced to change the password. The admin and root passwords are then set to the same value; the passwords are changed on ALL controllers in dual-head controller products, regardless of which controller the change was made from.
  - After the initial login, you can change the admin user account password only from the CLI (SSH), using the password CLI command. With the default invocation of the password command, the admin and root passwords are both changed to the new value you provide. You can use the -u argument to change the admin and root user passwords to different values, if desired. When you change the root password, you are first prompted for the current root password.
  - The admin user can log in to the CLI (SSH) or to the web UI.
- QBSP operating system root user password:
  - When QBSP-based products are shipped from the factory OR after a factory reset, the root password is scrambled by default; a random value is generated during the manufacturing process and no record is maintained of the pre-configured password.
  - At the initial login with the admin user account, through either the web UI or the CLI (SSH), you are forced to change the password. The admin and root passwords are then set to the same value; the passwords are changed on ALL controllers in dual-head controller products, regardless of which controller the change was made from.
  - You can change the root user password with the CLI (SSH) command password -u root, entering the current root password when prompted for password verification; this can only be done from the CLI.
  - You cannot log in as the root user using SSH directly; you can use the physical console and the BMC KVM console instead.
  - You cannot log in as the root user using the web UI directly; you can use the admin user to log in to the web UI.
  - When you use the rootsh CLI command to obtain a root shell, enter the root user password. There is no separate support password; privilege escalation always uses the root user account password.