Securing your Nutanix environment is critical to safeguarding your infrastructure against unauthorized access. A key aspect of maintaining security is ensuring that all default passwords are updated across all components. This guide provides step-by-step instructions for identifying systems with default credentials, running health checks, and updating passwords for various Nutanix components, including Hypervisors, Controller VMs, Prism Central, IPMI, and Files Server VMs (FSVMs).
By following these guidelines, you can enhance the overall security posture of your Nutanix environment and prevent potential vulnerabilities.
Key Areas Where Passwords Must Be Updated: To ensure comprehensive security, you should update passwords in the following components of your Nutanix environment:
- Installed Hypervisor (AHV, ESXi, or Hyper-V)
- Nutanix Controller VM (CVM) on Prism Element/Central
- Out-of-Band Management (IPMI)
- Nutanix Files Server VMs (FSVMs)
How to Check If Password Updates Are Needed: There are three primary ways to identify systems with default credentials in your Nutanix environment:
- Alerts in Prism Element or Prism Central: Monitor your environment for password-related alerts displayed in the management interface. Log into Prism Element or Prism Central and go to Alerts.
- Run NCC Health Checks on a CVM: Use the NCC to perform health checks directly on a Controller VM. These checks will flag any default passwords that need to be updated.
  - From Prism Element:
    - SSH into any CVM and run:
      ncc health_checks run_all
    - Or run only the default password check:
      ncc health_checks system_checks default_password_check
  - For Prism Central (PCVM):
    - SSH into a PCVM and run:
      ncc health_checks system_checks pc_default_password_check
  - For Files:
    - You can't run NCC on an FSVM, so run this FSVM-specific check from any CVM:
      ncc health_checks fileserver_checks fileserver_cvm_checks file_server_default_password_check
- Run NCC Health Checks from Prism Element: You can also run the checks from the Prism Element web console.
  - On the Health page, select Actions and click Run NCC Checks.
  - Select All Checks and click Run.
  - If you have SMTP set up, check your email for the NCC email, or go to Tasks and download the output by clicking Succeeded, then Download Output.
  - If the check fails, you will see something similar to the following
How to change default passwords
Changing passwords is pretty straightforward. Each Nutanix component has at least one or two passwords to change, except for AHV, which has three.
Let’s start with Installed Hypervisor (AHV, ESXi, or Hyper-V):
- AHV: there are three local passwords to change: root, admin, and nutanix. To make life easy, here are three commands that change each password on every AHV host from any CVM. Just SSH into any CVM and run the commands below:
  - For root:
    echo -e "CHANGING ALL AHV HOST ROOT PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; printf '%s\n' "$password1" | ssh root@"$host" "passwd --stdin root"; done; else echo "The passwords do not match"; fi
  - For admin:
    echo -e "CHANGING ALL AHV HOST ADMIN PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; printf '%s\n' "$password1" | ssh root@"$host" "passwd --stdin admin"; done; else echo "The passwords do not match"; fi
  - For nutanix:
    echo -e "CHANGING ALL AHV HOST NUTANIX PASSWORDS.\nPlease input new password: "; read -rs password1; echo "Confirm new password: "; read -rs password2; if [ "$password1" == "$password2" ]; then for host in $(hostips); do echo "Host $host"; printf '%s\n' "$password1" | ssh root@"$host" "passwd --stdin nutanix"; done; else echo "The passwords do not match"; fi
- ESXi: there is one local password to change, root. Like AHV, there is a command to change it from any CVM:
  - For root:
    echo -e "CHANGING ALL ESXi HOST PASSWORDS. Note - This script cannot be used for passwords that contain special characters ( $ \ { } ^ &)\nPlease input new password: "; read -s password1; echo "Confirm new password: "; read -s password2; if [ "$password1" == "$password2" ] && [[ ! "$password1" =~ [\{\$\^}\&] ]]; then hostssh "echo -e \"${password1}\" | passwd root --stdin"; else echo "The passwords do not match or contain invalid characters (\ $ { } ^ &)"; fi
- Hyper-V: there is one local password to change, Administrator. There is a command to change it from any CVM:
echo -e "CHANGING ALL HYPER-V HOST PASSWORDS. Note - This script cannot be used for passwords that contain special characters ( $ \ { } ^)\nPlease input new password: "; read -s password1; echo "Confirm new password: "; read -s password2; if [ "$password1" == "$password2" ] && [[ ! "$password1" =~ [\ \"\'\{\$\^}] ]]; then allssh winsh "net user administrator $password1"; echo "Updating Host and ManagementServer Entries…"; ncli host ls | grep -i id | grep -Eo "::[0-9]*" | cut -c 3- | while read hID; do ncli host edit id=$hID hypervisor-password=$password1;done > /dev/null; ncli host ls | grep "Hypervisor Address" | awk '{print $4}' | while read hIP; do ncli managementserver edit name=$hIP password=$password1;done > /dev/null; else echo "The passwords do not match or contain invalid characters (\ $ { } ^)"; fi
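The ESXi and Hyper-V one-liners above reject certain characters, but they read the password with `read -s` (no `-r`), so bash removes backslashes from the input before the check runs. The following is an added example, not part of the original guide or Nutanix tooling, that validates a password pair against the character limits the guide states for each hypervisor; the labels `ahv`, `esxi` and `hyperv`, the function names, the `HOST_PASSWORD` variable and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide or from Nutanix.
# Hypervisor labels (ahv, esxi, hyperv) and return codes are assumptions.

# check_host_password TYPE PW1 PW2
# 0 = usable, 1 = entries differ, 2 = empty,
# 3 = contains a character the one-liner for TYPE cannot pass through,
# 4 = unknown TYPE
check_host_password() {
    [ "$2" = "$3" ] || return 1
    [ -n "$2" ] || return 2
    case $1 in
        ahv)
            # The AHV one-liners feed the password to passwd on stdin;
            # the guide lists no forbidden characters for them.
            return 0 ;;
        esxi)
            # Guide: ( $ \ { } ^ & ) are not supported.
            case $2 in
                *'$'*|*'\'*|*'{'*|*'}'*|*'^'*|*'&'*) return 3 ;;
            esac ;;
        hyperv)
            # Guide: ( $ \ { } ^ ), plus the space and quotes in its regex.
            case $2 in
                *'$'*|*'\'*|*'{'*|*'}'*|*'^'*|*' '*|*'"'*|*"'"*) return 3 ;;
            esac ;;
        *)
            return 4 ;;
    esac
    return 0
}

# prompt_host_password TYPE: read the password twice without echo, validate
# it, and leave it in HOST_PASSWORD. IFS= and -r keep leading spaces and
# backslashes exactly as typed, so the check sees the string that will be
# sent to the hosts.
prompt_host_password() {
    stty -echo
    printf 'New password: ' >&2;     IFS= read -r pw1; echo >&2
    printf 'Confirm password: ' >&2; IFS= read -r pw2; echo >&2
    stty echo
    check_host_password "$1" "$pw1" "$pw2" || return
    HOST_PASSWORD=$pw1
}
```
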
For the Nutanix Controller VM (CVM) on Prism Element/Central local nutanix user account:
- SSH into any CVM or Prism Central VM
- Log in as user nutanix (with the default credentials).
- Enter the below command:
sudo passwd nutanix
- Follow the prompts to enter a new password for the local nutanix user.
Note: Changing the nutanix password on any CVM will automatically change the password on all CVMs.
Out-of-Band Management (IPMI):
To change this password, log into any CVM and run the following, replacing <current_password> and <new_password> with your own values:
for i in $(ipmiips); do echo "$i"; ipmitool -I lanplus -H "$i" -U ADMIN -P <current_password> user set password 2 <new_password>; done
Note: This alert works for NX (Supermicro) hardware. If you have Dell, HP, Cisco, or Lenovo hardware, you might not get this error.
Nutanix Files Server VMs (FSVMs) Account: If you are running Files, then you will need to change the nutanix local user password. Like the CVMs, this password is shared and only needs to be changed on one CVM.
- SSH to any CVM
- On the CVM, list File Server details by running
ncli fs ls
- SSH to the File Server virtual IP address listed in the output above.
- You need to do this from the CVM to avoid firewall restrictions that are on the FSVMs.
- Change the File Server VM password by using the below command
sudo passwd nutanix
Password management is a fundamental part of maintaining a secure and resilient environment. Regularly updating default passwords across all components helps prevent unauthorized access and ensures compliance with security best practices. Use the commands and instructions in this guide to proactively secure your systems.