Introduction
This document describes how to unlock and/or reset the password for the Maglev user.
Background Information
In the case where the Maglev account is locked out, you cannot log in to unlock it. To unlock and/or reset the password for the Maglev user, you must mount an image to the Cisco IMC vKVM. This allows you to access the shell and reset the user and/or password.
Prerequisites
Requirements
Components Used
This operation was run on an Ubuntu 20.04 image; a different image produces different times and results.
It has been seen in some environments to take up to 2 hours to reach the Ubuntu desktop.
This operation is not restricted strictly to the Ubuntu desktop version. All that is required is access to the shell. Any Ubuntu image that provides shell access works for this operation.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Note: you can use the same procedure in a DR environment. However, note these points:
*** Ensure that disaster recovery is in a PAUSED state before attempting any password recovery/reset methods ***
In a 1+1+1 DR deployment, the corresponding site is down while this process is completed.
In a 3+3+3 deployment, if your passwords are to be updated on all three nodes, do it one node at a time to ensure that the two other nodes are available and to avoid an unnecessary DR failover.
Step 1: Boot from Live CD
Log in to the Cisco IMC GUI, choose Launch KVM and then choose Virtual Media > Activate Devices.
Next, choose Map CD/DVD.
After that choose Browse and then select the Ubuntu ISO image you downloaded to your local system. After you have selected the Ubuntu image, choose the Map Drive button.
Next power cycle the appliance with Power > Reset System (warm boot).
After the system has rebooted, press F6 when the Cisco logo appears. Expect to see the message "Entering Boot Menu ...".
When the boot menu pops up, choose the option that says Cisco vKVM-Mapped vDVD1.24. This causes the appliance to boot from the mapped Ubuntu image selected earlier.
*** NOTE: The screen shots illustrate how long it takes to reach the Ubuntu desktop. ***
You see a loading screen for Ubuntu that is mostly blank as the system starts to initialize.
After that the screen changes to display a wheel with the Ubuntu logo. (It could take up to 30 minutes for this transition).
Once the screen displays the message "Checking disks: 0% complete", you need to cancel this task. Press Ctrl+C to cancel the disk check.
Once the disk check has been skipped you move back to a spinning wheel. Then you get a blank window with just the Ubuntu logo. (This can take another 30 - 45 minutes to process through).
You eventually start to see some messages appear as the system starts to boot Ubuntu for use. Please note that the failed messages are expected. This window remains for up to 20 minutes. After that, the window goes back to a blank screen. After another 10-20 minutes you see the cursor appear. The Ubuntu GUI loads a short time after that.
*** REMINDER: It has been seen in some environments to take up to 2 hours to get to this point ***
Step 2: Mount Required Partitions
Once you have access to the Ubuntu desktop GUI environment, you need to open the terminal application and perform these steps:
- Create a temporary mount point.
- Mount the root and var partitions to the system.
- Mount the pseudo filesystems to the temporary mount point.
First create the temporary mount point with the command:
sudo mkdir /altsys
Next find the root and var partitions to mount. You can use the lsblk -fm command to find a partition to mount for "/" (root) and "/var".
$ lsblk -fm
NAME    FSTYPE LABEL    UUID                                 MOUNTPOINT   SIZE OWNER GROUP MODE
sda                                                                     446.1G root  disk  brw-rw----
|-sda1                                                                      1M root  disk  brw-rw----
|-sda2  ext4   install1 1cac7f26-3b8b-43dd-838c-9970000cef3e             28.6G root  disk  brw-rw----
|-sda3  vfat            52E8-2653                                         239M root  disk  brw-rw----
|-sda4  ext4   var      0f0e3643-d4eb-46e8-af9f-756906c5f04a              9.5G root  disk  brw-rw----
|-sda5  swap            221b2f64-5a44-404f-b47d-8489fec47598             30.5G root  disk  brw-rw----
|-sda6  ext4   data     8aff5ec4-924f-42f9-9ca0-705e5807859a            348.8G root  disk  brw-rw----
|-sda7  ext4            a0e853e9-b2d6-4099-ac77-2f322c2a3a26             28.4G root  disk  brw-rw----
sdb                                                                       1.8T root  disk  brw-rw----
|-sdb1  ext4            9b5c4182-9e9d-4e8a-baf6-8a88232f8bcd            426.1G root  disk  brw-rw----
|-sdb2  ext4            e918dda6-133b-44ee-b005-5e9707088198              1.3T root  disk  brw-rw----
sdc                                                                       5.2T root  disk  brw-rw----
|-sdc1  ext4            bea4d6d5-7750-4bac-b724-f18867e2029c              5.2T root  disk  brw-rw----
*** Please note that "install1" is root "/" and "var" is "/var" in the output. ***
Make a note of the partition for mount commands. If you do not see the labels, then:
- for /var: based on appliance profile, look for a 9.5G or 168GB partition
- for /: 28.66GB or 47.7GB. Note that there is /install-artifacts with similar size 28.46GB.
Once you have identified the var and root partitions, mount them:
sudo mount /dev/sda2 /altsys # use the disk with up to 5 or 6 partitions
sudo mount /dev/sda4 /altsys/var # use the disk with up to 5 or 6 partitions
Once root and var have been mounted, mount the pseudo filesystems:
sudo mount --bind /proc /altsys/proc
sudo mount --bind /dev /altsys/dev
sudo mount --bind /sys /altsys/sys
The last step before you change the password or unlock the Maglev account is to change to the temporary mount environment:
sudo chroot /altsys
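As an added example (not part of the original procedure or Cisco's tooling), this script picks the root and /var partitions by the install1 and var labels shown above and prints the mount commands for review instead of running them. The function names, the --live switch and the sample listing are assumptions made for the illustration; when a label is missing or ambiguous it stops so the partition can be identified by size as described above.

```shell
#!/bin/sh
# Added example (not Cisco's script): pick the root and /var partitions by label.
# Reads the output of `lsblk -P -n -o NAME,LABEL` on stdin. -P prints
# KEY="value" pairs, so an empty LABEL cannot shift the columns.

# part_by_label LABEL: print /dev/<name> if exactly one partition has LABEL.
part_by_label() (
    want=$1
    names=$(sed -n "s/^NAME=\"\([^\"]*\)\" LABEL=\"$want\"\$/\1/p")
    count=$(printf '%s\n' "$names" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "label '$want': $count matches; identify the partition by size" >&2
        exit 1
    fi
    printf '/dev/%s\n' "$names"
)

# mount_plan: print (do not run) the mount commands for the listing on stdin.
mount_plan() (
    listing=$(cat)
    root=$(printf '%s\n' "$listing" | part_by_label install1) || exit 1
    var=$(printf '%s\n' "$listing" | part_by_label var) || exit 1
    echo "sudo mount $root /altsys"
    echo "sudo mount $var /altsys/var"
    for fs in proc dev sys; do
        echo "sudo mount --bind /$fs /altsys/$fs"
    done
)

# Constructed sample, modelled on the lsblk listing above.
SAMPLE='NAME="sda" LABEL=""
NAME="sda2" LABEL="install1"
NAME="sda4" LABEL="var"
NAME="sda6" LABEL="data"
NAME="sda7" LABEL=""'

if [ "${1:-}" = "--live" ]; then
    lsblk -P -n -o NAME,LABEL | mount_plan   # run from the live Ubuntu session
else
    printf '%s\n' "$SAMPLE" | mount_plan
fi
```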
Use Case 1: Unlock Maglev Account
Step 1: Verify that maglev user is unlocked
grep maglev /etc/shadow
maglev:!$6$6jvRGoDihpcsr8Xl$RUFs.Lb.2AbbgvODfJsw4b2EnpSwiNUlwJ6NQIjEnvOtT5Svz4ePHZa4f0eUvLHl7VAFca46f2nHxqMWORYLm.:18176:0:99999:7:::
Check whether there is an exclamation mark in front of the password hash. If there is, the account is locked. Unlock the maglev user with the command:
usermod -U maglev
Step 2: Reset failed count
If the user does not have an exclamation mark in front of the hash in the /etc/shadow file, then the login failure limit has been exceeded. Use these steps to reset the failed login attempts.
Find the failed login attempts for the maglev user:
$ sudo pam_tally2 -u maglev
Login Failures Latest failure From
maglev 454 11/25/20 20:24:05 x.x.x.x
As shown here, the login attempts are larger than the default 6 attempts. This denies that user the ability to log in until the failure count drops to less than six (6). You can reset the login failure count with the command:
sudo pam_tally2 -r -u maglev
You can confirm that the counter has been reset:
sudo pam_tally2 -u maglev
Login Failures Latest failure From
maglev 0
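The two lockout causes described in this use case can be told apart from the shadow entry and the pam_tally2 output. The following is an added example, not Cisco's tooling: the function names, the state names and the sample lines (with SALT and HASH as placeholders) are assumptions, and the limit of 6 is the one stated in the text.

```shell
#!/bin/sh
# Added example (not Cisco's tooling): work out which unlock step applies.
# Inside the chroot the inputs would come from:
#   grep '^maglev:' /etc/shadow      and      pam_tally2 -u maglev
THRESHOLD=6   # failure limit, as stated in the text

# hash_state SHADOW_LINE: classify the password field (field 2).
hash_state() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'|'!!'|'*') echo no-hash ;;  # no hash stored: set one with passwd
        '!'*)         echo locked ;;   # hash kept behind "!": usermod -U
        *)            echo unlocked ;;
    esac
}

# tally_count USER: read pam_tally2 output on stdin, print USER's count.
tally_count() {
    awk -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# lock_state SHADOW_LINE COUNT: print every condition that blocks login.
lock_state() (
    out=""
    case "$(hash_state "$1")" in
        locked)  out="password-locked" ;;
        no-hash) out="no-hash" ;;
    esac
    if [ "$2" -ge "$THRESHOLD" ]; then
        out="${out:+$out,}tally-exceeded"
    fi
    printf '%s\n' "${out:-not-locked}"
)

# Constructed samples; SALT and HASH are placeholders, not real values.
SHADOW='maglev:!$6$SALT$HASH:18176:0:99999:7:::'
TALLY='Login Failures Latest failure From
maglev 454 11/25/20 20:24:05 x.x.x.x'

count=$(printf '%s\n' "$TALLY" | tally_count maglev)
lock_state "$SHADOW" "$count"
```

A result of password-locked maps to usermod -U maglev, tally-exceeded to pam_tally2 -r -u maglev, and no-hash to setting a new password as in Use Case 2.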
Use Case 2: Reset Maglev User Password
Step 1: Reset the Maglev user password
# passwd maglev
Enter new UNIX password: #Enter in the desired password
Retype new UNIX password: #Re-enter the same password previously applied
Password has been already used.
passwd: password updated successfully #Indicates that the password was successfully changed
Step 2: Reboot normally to Cisco DNA Center environment
Click on Power in the KVM window and then Reset System (warm boot). This causes the system to reboot and boot with the RAID controller so that the Cisco DNA Center software boots up.
Step 3: Update Maglev User Password from Cisco DNA Center CLI
Once the Cisco DNA Center software boots and you have access to the CLI, you need to change the Maglev password with the command sudo maglev-config update. This step is required to ensure that the change takes effect across the whole system.
Once the config wizard has been launched, you need to navigate completely through the wizard to the screen that allows you to set the Maglev password in step 6.
Once the password has been set for both fields Linux Password and Re-enter Linux Password, choose next and complete the wizard. When the wizard finishes the configuration push, the password is successfully changed. You can create a new SSH session or enter in the command sudo -i in the CLI to test that the password has been changed.