Default administrative accounts
There are two default administrative accounts: admin and diag.
The admin account should be restricted because the administrator role grants access through all applications. The diag account allows access to the system shell and should be reserved for technical support performing troubleshooting tasks.
Orphaned accounts are a major security vector that often leads to vulnerabilities, including the escalation of privileges. These are unnecessary and unused accounts that remain in the user account repository. They are primarily default accounts that were never used or for which passwords were never updated or changed. To address this issue, ONTAP supports the removal and renaming of accounts.
ONTAP cannot remove or rename built-in accounts. However, NetApp recommends locking any unneeded built-in accounts with the lock command.
Although orphaned accounts are a significant security issue, NetApp strongly recommends testing the effect of removing accounts from the local account repository.
List local accounts
To list the local accounts, run the security login show command.
cluster1::*> security login show -vserver cluster1

Vserver: cluster1
                                               Authentication                 Acct   Is-Nsswitch
User/Group Name  Application       Method       Role Name        Locked Group
---------------- ----------------- ------------ ---------------- ------ -----------
admin            console           password     admin            no     no
admin            http              password     admin            no     no
admin            ontapi            password     admin            no     no
admin            service-processor password     admin            no     no
admin            ssh               password     admin            no     no
autosupport      console           password     autosupport      no     no
6 entries were displayed.
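As an added example (not NetApp's code or part of the original page), the following Python script parses `security login show` output in the layout shown above and reports which accounts from a caller-supplied "must be locked" list still have an unlocked login entry, printing the corresponding lock commands. The sample output is constructed, and the `security login lock -vserver ... -username ...` syntax is an assumption.

```python
# Added example (not NetApp code): audit `security login show` output for
# accounts that should be locked. Sample output is constructed in the layout
# shown above; which accounts must be locked is the caller's assumption.

# Constructed sample with two extra rows (diag unlocked, svc-backup locked)
# so the check has cases to decide.
SAMPLE_OUTPUT = """\
Vserver: cluster1
                                           Authentication                 Acct   Is-Nsswitch
User/Group Name  Application Method        Role Name        Locked Group
---------------- ----------- ------------- ---------------- ------ -----------
admin            console     password      admin            no     no
admin            ssh         password      admin            no     no
autosupport      console     password      autosupport      no     no
diag             console     password      admin            no     no
svc-backup       ssh         password      admin            yes    no
5 entries were displayed.
"""

def parse_login_show(text):
    """One dict per row: a line after the dashed separator with exactly six
    fields; the Vserver header and "N entries were displayed." are skipped."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) != 6:
            continue
        user, app, method, role, locked, nsswitch = fields
        rows.append({"user": user, "application": app, "method": method,
                     "role": role, "locked": locked == "yes",
                     "nsswitch_group": nsswitch == "yes"})
    return rows

def unlocked_accounts(rows, must_be_locked):
    """Users from must_be_locked that still have at least one unlocked entry."""
    return sorted({r["user"] for r in rows
                   if r["user"] in must_be_locked and not r["locked"]})

def lock_commands(vserver, users):
    """Lock commands; `security login lock -vserver/-username` syntax is assumed."""
    return [f"security login lock -vserver {vserver} -username {u}" for u in users]

if __name__ == "__main__":
    rows = parse_login_show(SAMPLE_OUTPUT)
    for cmd in lock_commands("cluster1", unlocked_accounts(rows, {"diag", "svc-backup"})):
        print(cmd)
```

Feed it the real output of `security login show` for your cluster and a list of the built-in accounts you have decided are unneeded, then review the printed commands before running them.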
Set the diagnostic (diag) account password
A diagnostic account named diag is provided with your storage system. You can use the diag account to perform troubleshooting tasks in the systemshell. The diag account is the only account that can be used to access the systemshell through the diag privileged command systemshell.
The systemshell and the associated diag account are intended for low-level diagnostic purposes. Their access requires the diagnostic privilege level and is reserved for use with guidance from technical support to perform troubleshooting tasks. Neither the diag account nor the systemshell is intended for general administrative purposes.
Before accessing the systemshell, you must set the diag account password by using the security login password command. You should use strong password principles and change the diag password at regular intervals.
- Set the diag account user password:

  cluster1::> set -privilege diag
  Warning: These diagnostic commands are for use by NetApp personnel only.
  Do you want to continue? {y|n}: y
  cluster1::*> systemshell -node node-01
    (system node systemshell)
  diag@node-01's password:
  Warning: The system shell provides access to low-level diagnostic tools that can cause irreparable damage to the system if not used properly. Use this environment only when directed to do so by support personnel.
  node-01%