Solved

How to Grant Prism Administrators Access to CVMs through SSH?

  • 12 June 2020
  • 9 replies
  • 6175 views

Badge

Currently we are working on a project that requires a couple of Admins to SSH into a CVM to execute some commands.

The problem we are running into is that only the Nutanix\Admin default account can actually SSH into CVMs. Other non-default admin accounts (Cluster Admin) can do everything in Prism but are denied access when they try to SSH.

Do the non-default admins need additional permissions/configurations to be able to SSH into CVMs?


Best answer by Neel Kotak 16 June 2020, 14:47


9 replies

Userlevel 3
Badge +4

At this point in time SSH access to the CVM is limited to the users “nutanix” and “admin”, as Nutanix doesn’t recommend any other user having access to the CVMs for security reasons.

Even the “admin” user is not enabled to perform any cluster operation via ssh. This is how it is by design.

A Cluster Admin user can have full access to Prism but not to the CVM.

May I know why you need another admin user to access the CVM? What is your end goal?


Userlevel 2
Badge +2

I don’t know if it helps, but you can add a specific ssh-key to the CVM(s) into the nutanix or admin account, and remove the given key later.

It will allow you to give temporary ssh access to some guys without giving them your admin password.

Can I re-open this conversation? I have to ask the same question, as I have customers still migrating older VMs over to Nutanix, and thus need access to the CVM. This creates issues as I don’t really want to give them very low-level access to the CVM due to the critical role it plays in the cluster.

Is Nutanix looking at a way of doing this? Is there a scripted method/API based method?

Regards,


SW
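One way to put the temporary-key suggestion above into practice, added here as an example and not part of the original thread or of any Nutanix tooling: a POSIX shell helper that appends a public key to an authorized_keys file with a comment tag naming the grantee and an expiry time, and a revocation function that rewrites the file dropping every tagged key whose expiry has passed. The `AUTHORIZED_KEYS` path, the `temp:<name>:expires=<epoch>` tag format and the sample key are this example’s own assumptions; on a CVM you would point `AUTHORIZED_KEYS` at the target account’s `~/.ssh/authorized_keys` and run the revocation from cron or by hand when the work is done.

```shell
#!/bin/sh
# Time-limited SSH public keys in an authorized_keys file (example, not Nutanix code).
# AUTHORIZED_KEYS defaults to a fresh temp file so the script runs offline;
# override it to manage a real account's key file.
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-$(mktemp)}"

# grant_temp_key NAME EXPIRY_EPOCH PUBKEY
#   Appends PUBKEY followed by the tag "temp:NAME:expires=EPOCH". The tag is the
#   key comment, so sshd ignores it but it records who the key belongs to and
#   when it must be removed. Tag format is an assumption of this example.
grant_temp_key() {
  printf '%s temp:%s:expires=%s\n' "$3" "$1" "$2" >> "$AUTHORIZED_KEYS"
}

# revoke_expired_keys NOW_EPOCH
#   Keeps every line except tagged entries whose expiry is <= NOW_EPOCH.
#   Untagged (permanent) keys are never touched. Prints how many lines were removed.
revoke_expired_keys() {
  now="$1"
  tmp="$(mktemp)"
  removed=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *" temp:"*":expires="*)
        exp="${line##*:expires=}"          # epoch after the last ':expires='
        if [ "$exp" -le "$now" ]; then
          removed=$((removed + 1))
          continue                         # drop this key
        fi
        ;;
    esac
    printf '%s\n' "$line" >> "$tmp"
  done < "$AUTHORIZED_KEYS"
  mv "$tmp" "$AUTHORIZED_KEYS"
  echo "$removed"
}

# count_keys: number of non-empty lines currently in the file.
count_keys() {
  grep -c . "$AUTHORIZED_KEYS" || true
}

# Demo with a constructed (not real) key; run as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYconstructed"
  grant_temp_key alice 1000 "$KEY"
  grant_temp_key bob 2000 "$KEY"
  echo "keys before: $(count_keys)"
  echo "removed at t=1500: $(revoke_expired_keys 1500)"
  echo "keys after: $(count_keys)"
fi
```

Because each granted line carries the grantee’s name, `ssh-keygen -lf "$AUTHORIZED_KEYS"` maps the key fingerprints that sshd writes to its login log back to a person, which addresses the accountability concern raised later in the thread without sharing the account password. OpenSSH’s authorized_keys options (`restrict`, `command="..."`) could be prefixed to the key line to confine what a temporary key may run; whether the CVM’s sshd build honours them is an assumption to verify on your version.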

Badge

Thank you Neel, that is what my research has yielded so far as well.

We are in the process of migrating VHDXs (Gen2 VMs) from our old Hyper-V cluster to our new Nutanix cluster, and as a part of the process we are setting the UEFI flag to true by SSHing into a CVM.

Since more than one person is working on the migration, we thought it might be more efficient if other admins could set the UEFI flag as they go through the VHDX migration process and create the “new” VMs, instead of queuing the task for one person to do.

Userlevel 3
Badge +4

Are you using Nutanix Move to migrate the VMs from the old Hyper-V to the Nutanix AHV cluster? If yes, what is the Move version?

May I know the Windows version installed on the Gen2 VM, and the Windows version on the host?

The “nutanix” user can have multiple sessions at the same time on the CVM, so is it not possible to share the credentials of the “nutanix” user with other people?

Badge

Neel,

We are not using Nutanix Move; we currently do the prep, VHDX migration, VM creation, and post-migration steps manually. Using Move sounds like a good idea now that it supports Hyper-V.

The VMs that require the UEFI flag are mostly Server 2016; the HV cluster is 2016 as well.

It’s possible to share credentials, but I’d rather not, for security and accountability.

Userlevel 3
Badge +4

I would encourage you to use Nutanix Move to migrate the VMs from Hyper-V to Nutanix AHV. Here is the guide for Nutanix Move 3.5:

https://portal.nutanix.com/page/documents/details/?targetId=Nutanix-Move-v35%3ANutanix-Move-v35

If you face any further issue with Nutanix Move feel free to reach out to us...

Badge

Thank you Neel.

At this point in time SSH access to the CVM is limited to the users “nutanix” and “admin”, as Nutanix doesn’t recommend any other user having access to the CVMs for security reasons.

Even the “admin” user is not enabled to perform any cluster operation via ssh. This is how it is by design.

A Cluster Admin user can have full access to Prism but not to the CVM.

May I know why you need another admin user to access the CVM? What is your end goal?

Why? Maybe because some organizations don’t want to spread the admin account around for specific usages like, for example, local IT guys needing to power down a cluster for some random maintenance reason.

In such a scenario, why do I have to give those guys my usual admin password or change that password to something else?

That’s totally crazy when you think about it for 10 seconds.

And you ask “why”?

?!?!

May I ask you this:

WHY is Nutanix deciding for me what’s best for our “security”?

Instead, why not simply let people who bought your software (for heavy money) do stuff like that the way THEY have decided to do it?

That’s the real “why” to be asked here.

And I’ll finish on this: the simple fact you are asking “why?” demonstrates a serious lack of common sense, field experience and general knowledge of how IT actually works.
