Revert password hash function to the supported encryption type

Contributors Download PDF of this page

If you revert to a release prior from any version of ONTAP 9, SHA-2 account users can no longer be authenticated with their passwords. Therefore, you must have them reset their passwords to using the encryption type (MD5) that is supported by the release you revert to.

  1. Prior to the revert, identify the user accounts that use the SHA-2 hash function (advanced privilege level): security login show -vserver * -username * -application * -authentication-method password -hash-function !md5

    You should retain the command output. You need the account information after the revert.

  2. During the revert, run the advanced command security Login password-prepare-to-downgrade as prompted to reset your own password to using the MD5 hash function.

    If your password is not encrypted with MD5, the command prompts you for a new password and encrypts it with MD5, enabling your credential to be authenticated after the revert.

  3. After the revert, reset SHA-2 accounts to MD5:

    1. For each SHA-2 account you identified, change the password to a temporary one: security login password -username user_name -vserver vserver_name

      The changed password uses the MD5 hash function.

    2. Communicate the temporary password to the affected users and have them log in through a console or SSH session to change their passwords as prompted by the system.