Solved: Re: Nexus 9k Guestshell error: Account or password is expired, reset your password and try again

drussell · ‎03-30-2019

After performing a "yum update" on the guestshell of a Nexus 9300 (9.2.(3)) I get prompted for a password when I try to do a chvrf. It doesn't take the switches password for admin.

[admin@guestshell ~]$ sudo chvrf management
sudo: Account or password is expired, reset your password and try again
Changing password for root.
(current) UNIX password:

Does anyone know how to get around this?

Andrea Testino · ‎04-01-2019

David,

Either workaround will suffice. The main issue is the "password must be changed" state of the root user prior to any workarounds, see below:

[admin@guestshell ~]$ sudo su -
[root@guestshell ~]# chage -l root
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

By changing the PW of the root user, you are effectively toggling it to "never" expire which is what we are interested in:

[root@guestshell ~]# passwd
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Now:

[root@guestshell ~]# chage -l root
Last password change                                    : Apr 01, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Both workarounds accomplish the same: They set the root PW to never expire so you should be in the clear!

Other workaround here:

[root@guestshell ~]# chage --lastday -1 root
[root@guestshell ~]# chage -l root
Last password change                                    : never
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Glad to help.

- Andrea, CCIE #56739 R&S

View solution in original post

Andrea Testino · ‎04-01-2019

Hi there,

Unfortunately, looks like you are running into CSCvo29238 (should be external in the next 24-48 hours). The issue is indeed triggered after a "yum update" has been executed within the guest shell.

The workaround is to use the following command such that the root password does not expire:

[root@guestshell ~]# chage --lastday -1 root

Hope that helps.

- Andrea, CCIE #56739 R&S

drussell · ‎04-01-2019

Thanks for the reply.

I found that if I create a password (in the guestshell) for the admin account right after I create the guestshell, then I don't have any issues after the yum update.

Are there any downsides with this approach? Would I still need to run the command you suggested on the root account?

Regards,

David

Andrea Testino · ‎04-01-2019

David,

Either workaround will suffice. The main issue is the "password must be changed" state of the root user prior to any workarounds, see below:

[admin@guestshell ~]$ sudo su -
[root@guestshell ~]# chage -l root
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

By changing the PW of the root user, you are effectively toggling it to "never" expire which is what we are interested in:

[root@guestshell ~]# passwd
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Now:

[root@guestshell ~]# chage -l root
Last password change                                    : Apr 01, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Both workarounds accomplish the same: They set the root PW to never expire so you should be in the clear!

Other workaround here:

[root@guestshell ~]# chage --lastday -1 root
[root@guestshell ~]# chage -l root
Last password change                                    : never
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Glad to help.

- Andrea, CCIE #56739 R&S

drussell · ‎04-01-2019

Thanks!

- David, CCIE #5751 R&S