ONTAP 9 Manuals ( CA08871-402 )

Enforce SHA-2 on administrator account passwords

About this task

The password hash functionality enables you to do the following:

  • Display user accounts that match the specified hash function.

  • Expire accounts that use a specified hash function (for example, MD5), forcing the users to change their passwords in their next login.

  • Lock accounts whose passwords use the specified hash function.

ONTAP accepts pre-hashed SHA-2 passwords only through the Manageability SDK (the security-login-create and security-login-modify-password APIs); the CLI always hashes a plaintext password itself.

Steps
  1. Migrate the MD5 administrator accounts to the SHA-512 password hash function:

    1. Expire all MD5 administrator accounts: security login expire-password -vserver * -username * -hash-function md5

      Doing so forces MD5 account users to change their passwords upon next login.

    2. Ask users of MD5 accounts to log in through a console or SSH session.

      The system detects that the accounts are expired and prompts users to change their passwords. SHA-512 is used by default for the changed passwords.

  2. For MD5 accounts whose users do not log in to change their passwords within a period of time, force the account migration:

    1. Lock accounts that still use the MD5 hash function (advanced privilege level): security login expire-password -vserver * -username * -hash-function md5 -lock-after integer

      After the number of days specified by -lock-after, users cannot access their MD5 accounts.

    2. Unlock the accounts when the users are ready to change their passwords: security login unlock -vserver svm_name -username user_name

    3. Have users log in to their accounts through a console or SSH session and change their passwords when the system prompts them to do so.
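The two-phase procedure above (expire, then lock after a grace period, then unlock per user) is easier to track when the list of affected accounts and the exact commands are generated from an inventory rather than typed by hand. The following Python script is an added example, not ONTAP code or part of this manual. Its inventory format is constructed for the example (a plain three-column table of vserver, username and hash function); it is not the real output of an ONTAP command, so adapt parse_inventory() to whatever export you use. The command strings it emits are the ones from the steps above, plus set -privilege advanced for the lock step, which the page notes requires advanced privilege.

```python
"""Plan and verify the MD5 -> SHA-512 administrator password-hash migration.

Added example; not ONTAP code. The inventory format is CONSTRUCTED for this
example and is not the real output of `security login show`.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory (not real ONTAP output): one account per line.
SAMPLE_INVENTORY = """\
vserver   username  hash_function
cluster1  admin     sha512
cluster1  backup    md5
svm_fin   auditor   md5
svm_fin   ops       sha256
"""

SHA2_FUNCTIONS = ("sha256", "sha512")


@dataclass(frozen=True)
class Account:
    vserver: str
    username: str
    hash_function: str


def parse_inventory(text: str) -> list[Account]:
    """Parse the constructed table; the first line is a header, blank lines are skipped."""
    accounts = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        vserver, username, hash_function = line.split()
        accounts.append(Account(vserver, username, hash_function.lower()))
    return accounts


def accounts_using(accounts: list[Account], hash_function: str) -> list[Account]:
    """Accounts whose stored password hash uses the given function (e.g. md5)."""
    return [a for a in accounts if a.hash_function == hash_function.lower()]


def weak_hash_accounts(accounts: list[Account]) -> list[Account]:
    """Anything not already on a SHA-2 function still needs migrating."""
    return [a for a in accounts if a.hash_function not in SHA2_FUNCTIONS]


def migration_plan(accounts: list[Account], today: date, lock_after_days: int) -> dict:
    """Emit the commands for each phase of the procedure and the date the lock takes effect."""
    if lock_after_days < 1:
        raise ValueError("-lock-after must be a positive number of days")
    md5_accounts = accounts_using(accounts, "md5")
    expire = "security login expire-password -vserver * -username * -hash-function md5"
    return {
        "affected": md5_accounts,
        # Phase 1: expire every MD5 account so the next login forces a change (SHA-512 by default).
        "expire": expire,
        # Phase 2: lock accounts that are still MD5 after the grace period (advanced privilege).
        "lock": ["set -privilege advanced", f"{expire} -lock-after {lock_after_days}"],
        "lock_date": today + timedelta(days=lock_after_days),
        # Per-account unlock, run only when that user is ready to change the password.
        "unlock": [
            f"security login unlock -vserver {a.vserver} -username {a.username}"
            for a in md5_accounts
        ],
    }


def remaining_md5(before: list[Account], after: list[Account]) -> list[Account]:
    """Verification step: which accounts that were MD5 before are still MD5 now?"""
    still_md5 = {(a.vserver, a.username) for a in accounts_using(after, "md5")}
    return [a for a in accounts_using(before, "md5") if (a.vserver, a.username) in still_md5]


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    plan = migration_plan(inventory, date.today(), lock_after_days=14)
    print("MD5 accounts:", [f"{a.vserver}/{a.username}" for a in plan["affected"]])
    print(plan["expire"])
    for cmd in plan["lock"]:
        print(cmd)
    print("accounts lock on", plan["lock_date"])
    for cmd in plan["unlock"]:
        print(cmd)
```

Run the expire command first, wait for the grace period, and only then apply the lock phase; re-run the inventory afterwards and feed both snapshots to remaining_md5() to confirm that no administrator account is left on MD5 before closing the change.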
