Password issue after upgrade to AOS 5.1


Hi everybody!

I'm not sure if this is the right thread for this topic, so please move it to the right one if needed.

I hope it may be useful for somebody.

After upgrading to AOS 5.1 from AOS 5.0.2 there is a need to change the Admin password to access Prism Web Console.
The issue:
Password change form does not accept a new password that completely meets all of the stated security requirements:

After several attempts and different password combinations I have found the origin of the problem: The new password validation rules do not accept the vast majority of special characters, including "!", "@", "$", "/" etc. It may seriously confuse customers since there is no exact list of acceptable special chars and at first sight it seems like there is something wrong with the cluster after the upgrade. Although the problem is not critical at all, it may impact the reputation of the product and drop the overall positive opinion on upgrade convenience.

So the workaround: It accepts dashes and underscores. :)

Badge +35
Thanks for sharing Oleg_K - let me see who I can ping on the topic
Badge +3
Hi, aluciani

I suppose that all the sales folks should be advised to keep this stuff in mind while demonstrating one-click upgrade feature to potential customers, because when Prism requests for a new pass it does not accept the standard password (which we all used to enter) as well. 😉
Badge +2
AOS 5.1 to AOS 5.0.2 is considered a downgrade and not exactly an upgrade. Are you sure you meant "AOS 5.1 to AOS 5.0.2"? Because AOS 5.0.2 should not have this feature!
Badge +3
shivangacharya
No, I've been talking about an upgrade from 5.0.2 to 5.1, as I stated above 😃
Badge +2
Oleg_K My bad! I read that differently. Let me try those special characters and get back to you.
Badge +11
Hi Oleg_K

I had one of the engineers test this out in our internal system. It seems that those special characters "@", "/", "!", "#" all worked. Furthermore, the character set allowed for admin's password is the same that is allowed by CentOS. The special characters that you have mentioned are allowed by CentOS.

If it still doesn't work in your environment, can you submit a support ticket?
Badge +2
Oleg_K I tried the following sample password - Nu!#/123 and it worked in our internal system. As harryhy suggested, please open a ticket with Nutanix Support and we shall look into it.
Badge +3
Yep, Nu!#/123 worked too. Seems like '#' works.
Sorry, I think I did not explain that stuff well enough: it accepts all the chars but seems like it does not consider some of those as special. For example, standard P@ssw0rd did not work.

Is there any way to flush the list of previous passwords (I don't think so, but what if...:D)? Just to exclude that from probable reasons...
Badge +10
I had thought I read in the release notes for 5.0.2 that the special character issue had been solved then. I just tried and was able to change my password to include most of those characters without issue.
I would also think that using previous passwords is just not a good practice.
Badge +5
Password Complexity
Badge +2
Agree with fcsallan, Oleg_K we should not be using the previous passwords. Release 5.1 will not allow you to use previous 10 passwords. We also do not allow to clear the password history as it may lead to a security breach for the in-built "admin" user account.
For your reference, the password must meet the following complexity requirements:
  • At least 8 characters long
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • At least 1 special character
  • At least 4 characters difference from the old password
  • Should not be among the last 10 passwords
Click here for the official documentation.
Badge +17
Oleg_K on 5.1 please refer to https://portal.nutanix.com/#/page/docs/details?targetId=Web-Console-Guide-Prism-v51:Web-Console-Guide-Prism-v51
Badge +10
Hi Oleg_K: thx for taking your time on this. It was not exactly my concern but it gave me some way of thinking about my problem! After an upgrade my password (which contained a "!") was expired and I was not able to connect.

I'll put this on another thread, thx again !
Badge +3
Hi everyone!

NewVirtTomOh, don't mention it) Hope, You've solved all of Your issues already))

Again, I've tested this stuff on a "just built" cluster and got the same issue:
After creating a brand new cluster and upgrading it to 5.1 I tried to set "P@ssw0rd" as an admin pass. I'm pretty sure that this password has not been set ever before and it definitely meets all the other criteria. But despite that it did not accept it.

The main uncomfortable thing is that neither Prism nor nCLI shows the exact policy rule being violated by the password that You're trying to set. So it's pretty hard to test all the behavior to pinpoint a root cause of a problem since You do not know for sure which rule is violated from case to case.

As for me, the best way to address this inconvenience would be highlighting the exact rules being violated in the common list of password policy rules that is shown when an inappropriate password has been entered.
Badge +1
Hi everybody
As a European, the password policies are making it hard for us to get special characters which are located on the same key in different language settings.
It would be nice if the period (.) would be allowed 'cause it's the special character on the same key in German, English (US and UK), French and Italian key settings I'm often confronted with at consoles.
Why is it not allowed in Nutanix environments? And except dash and underscore, what are the allowed special characters in Prism and AHV? I still don't find a list at https://portal.nutanix.com/#/page/docs/details?targetId=Nutanix-Calm-Admin-Operations-Guide-v56:nuc-changing-admin-password-t.html
thanks and best regards
