
Nutanix is phasing out direct SSH access to the bash shell across AOS, AHV, Prism Central, and Files. The transition is rolling out across multiple releases through the end of 2026 and into 2027. If your team relies on bash for automation, scripting, or day-to-day administration, here’s what you need to know.
Why is bash shell access going away?
Direct bash access gives unrestricted access to the underlying OS. That flexibility is also its biggest liability — it increases the attack surface, complicates long-term supportability, and makes consistent, auditable operations harder to enforce.
Removing bash access also enables Nutanix to shift its DISA STIG compliance posture from the RHEL-based STIG to the Network Appliance STIG, which is a better fit for how Nutanix products are engineered to function as appliances.
Transition Milestones

Phased rollout by release
- AOS 7.5 (Current State) – Bash shell access remains enabled by default. Customers can manually enable or disable it via KB-19114.
- Next NCI (Feature Release) – Bash disabled by default, with an option to re-enable. A new SSH Service Menu is introduced for common service and troubleshooting tasks.
- End of 2026 (Targeted) – Bash access fully disabled. Emergency access available only through Nutanix Support via a controlled, time-limited code-exchange mechanism.
- Q1 2027 (Targeted) – Prism Central adopts Bash disablement and achieves full Network Appliance STIG compliance.
What replaces bash shell access?
- SSH Service Menu – Replaces day-to-day bash tasks. Provides acli/ncli access, self-service KB scripts, log viewing, network/IPMI config, and a Support-Only Mode toggle.
- v4 APIs – The primary replacement for custom automation. Covers most acli and ncli capabilities. Full reference at nutanix.dev/api-reference.
- PowerShell cmdlets – Nutanix is building PowerShell support that maps directly to v4 API operations, covering legacy acli and ncli workflows.
- Support tunnel – The existing Remote Tunnel workflow continues to function, allowing Nutanix Support to access the bash shell when needed.
IPMI console access remains open by default after this transition. Nutanix recommends using network-based controls to protect IPMI rather than relying on the default.
Who is impacted?
This change affects customers who use the Bash shell directly on the Controller VM (CVM), whether for custom scripts, automation pipelines, or manual command-line operations. Workflows such as Prism Central connectivity, PE/PC operations, and Remote Cluster Collection (RCC) are unaffected.
Nutanix Community Edition is also not impacted — bash shell access will remain enabled by default since CE deployments do not include Nutanix Support.
How to prepare?
Start by auditing any scripts or automation that make direct SSH or bash calls to CVMs. Map those workflows to the v4 API equivalents and validate in a non-production environment before future releases ship. The Nutanix API reference, SDK docs, and a v4 migration guide are all available at nutanix.dev.
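One way to start the audit described above is to scan the automation repository for lines that log in to a CVM over SSH or call acli/ncli. This Python sketch is an added example, not Nutanix tooling; the `nutanix` login name, the file-extension list, the rule names and the sample script are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic rules. The "nutanix" account name and the extension list are
# assumptions for this sketch; adjust both to your environment.
RULES = [
    ("ssh-cli", re.compile(r"\b(?:ssh|scp|sshpass|plink)\b[^#\n]*\bnutanix@"),
     "direct shell login to a CVM: needs a v4 API equivalent"),
    ("ssh-lib", re.compile(r"\b(?:paramiko|netmiko|pexpect)\b"),
     "SSH library in use: check whether the target is a CVM"),
    ("cvm-cli", re.compile(r"\b(?:acli|ncli)\b"),
     "acli/ncli call: map to the matching v4 API operation"),
]
SCRIPT_EXTS = {".sh", ".py", ".ps1", ".yml", ".yaml", ".pl"}

def scan_text(name, text):
    """Return (file, line_no, rule, hint, line) for each suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and full-line comments
        for rule, pattern, hint in RULES:
            if pattern.search(stripped):
                findings.append((name, no, rule, hint, stripped))
                break  # one finding per line is enough for triage
    return findings

def scan_tree(root):
    """Walk a directory of automation and scan every script-like file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCRIPT_EXTS:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample input (not taken from any real environment).
SAMPLE = """#!/bin/bash
# nightly VM inventory
ssh nutanix@10.0.0.10 'acli vm.list' > /tmp/vms.txt
curl -sk https://pc.example.internal:9440/ -o /dev/null
ncli cluster info
"""

if __name__ == "__main__":
    for f in scan_text("nightly.sh", SAMPLE):
        print("{}:{} [{}] {}\n    {}".format(*f))
```

Run `scan_tree()` against the directory that holds your automation; each finding carries the file, line number and a migration hint to work through before bash is disabled by default.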
Common questions
- Will log access still be available? Yes. The new SSH Service Menu includes the ability to view and search system logs directly, without needing bash.
- What if I need bash for a critical issue after it’s disabled? Contact Nutanix Support. A controlled, time-limited code-exchange mechanism will grant temporary access for critical situations that require Support involvement.
- Does this affect DISA STIG compliance? AOS 7.3 is the last release planned for RHEL-based STIG compliance. The Summer 2026 release targets full Network Appliance STIG compliance for AOS and AHV. Prism Central follows in Q1 2027.
- Does the Remote Tunnel still work? Yes, the Remote Tunnel workflow is unaffected and continues to allow Nutanix Support access when needed.