AWS VA—Reset maglev User Password
Synopsis
This article describes how to
- change the maglev user password,
- create a new SSH key to replace one that's been lost, and
- recover the maglev user password after losing an SSH key.
Challenges in Catalyst Center on AWS
Catalyst Center on AWS instances cannot be booted from an ISO image, as is possible in an on-premises Catalyst Center environment.
Make system changes
Complete the steps described in this topic to make system changes in Catalyst Center on AWS.
The AWS EC2 serial console does not provide the color terminal profile that the maglev-config update command needs. You must export a color terminal type (such as xterm), but the export command is not in the allowed commands list, so you'll need to contact the Cisco TAC for assistance getting full shell access.
Step 1 | Select your Catalyst Center instance in the Connect to Instance page, then click Connect. |
Step 2 | After the page updates, click the EC2 serial console tab, then click Connect. |
Step 3 | Log in as the maglev user, using the password set during initial deployment through Cisco Global Launchpad, AWS CloudFormation, or AWS Marketplace. |
Step 4 | Contact the Cisco TAC and obtain the consent token you need to provide in order to get full shell access. |
Step 5 | Run the _shell -v consent-token command. |
Step 6 | Get a color terminal by running the export TERM=xterm command. |
Step 7 | Run the sudo maglev-config update command and make the necessary changes (such as the maglev user's password). |
Create a new SSH key
An SSH key is the primary method for authenticating a remote SSH session with Catalyst Center. If you lose an SSH key, there are two ways to create a new one.
Option 1: Using the ssh-keygen utility
You can pick the key type (for example, rsa or ed25519). Refer to this sample output.
You can skip the passphrase by pressing Enter twice without typing anything.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/faimehmo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/faimehmo/.ssh/id_rsa
Your public key has been saved in /Users/faimehmo/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Xd5G4nB6fR+BqMeSpXqEZeFikk0niz6lbkvb91vk/hX faimehmo@FAIMEHMO-M-Y6V6
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| X X . |
| = = .o . . |
| + * +Z ++.E . |
| . = = *Z= . .|
| = . ..=+=+... |
| o.+ ..o.=. ....|
| .+...Y.Y.... .|
+----[SHA256]-----+
You will have a key pair saved, as shown in the output. Note the output is modified to make it invalid.
Option 2: Using an AWS key pair
Open the page to create a new key pair. After the public key is downloaded to your machine, extract the public key from the key file before pushing it to a Catalyst Center instance.
$ ssh-keygen -y -f aws.pem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCr2P+1/2AB68ThH0KFE06MtzwvrXOb5QEc0PVr100000000000xza
TBT9pAnRgoOefJVrU470saq8dcQcaEVHcdz2Tw/71sUK8HhyGcFH4SuR/vLBoZ/IHGA8k9SYuNd8hqS0+Wnb4A8cODlU
Ay26lZlh6UzxEi5c1BjRYDRU+aEyLDExZG5C5dolAKlyLEUwSu57kgBjDeppKSz0l94hzN2o7srWLhPnLzkt3t+c3uOxq
Scd3cqDSlv1gWLZIsuTXQKoSmC46uAEXBnw0oAqT/UAKYzP3lYADW4hnmdEu/QQ6e9vEl7Rw04jt14t5NZi85SUBD+sfRRuDs+9Ivzd1
Note the output is modified to make it invalid.
Transfer the SSH key to a Catalyst Center on AWS instance
After you have created the new SSH key, complete these steps to transfer the key to your Catalyst Center on AWS instance.
Step 1 | Copy the content from one of these sources:
|
Step 2 | Paste this content as a new line in your Catalyst Center on AWS instance's /home/maglev/.ssh/authorized_keys file. |
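An added example, not part of the original article or of Cisco's tooling: a Python check for the line you are about to paste in Step 2. It rejects a wrapped paste and private key material, returns the SHA256 fingerprint to compare against ssh-keygen output, and appends the line once with owner-only permissions. The function names and the demo key are assumptions constructed for illustration, and only plain `type base64 comment` lines are handled (no options prefix).

```python
import base64, hashlib, os, tempfile

def parse_pubkey(text):
    """Validate one OpenSSH public key line; return (key_type, fingerprint)."""
    if "PRIVATE KEY" in text:
        raise ValueError("private key material must never go in authorized_keys")
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("entry must be exactly one line (wrapped paste?)")
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # raises ValueError if corrupt
    # The decoded blob begins with a length-prefixed copy of the type name.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key body")
    digest = hashlib.sha256(blob).digest()
    # Same form ssh-keygen prints: unpadded base64 of SHA-256 over the blob.
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def add_authorized_key(auth_path, text):
    """Append the key unless it is already present; return its fingerprint."""
    _, fingerprint = parse_pubkey(text)
    entry = text.strip()
    blob = entry.split()[1]
    os.makedirs(os.path.dirname(auth_path) or ".", mode=0o700, exist_ok=True)
    existing = ""
    if os.path.exists(auth_path):
        with open(auth_path) as fh:
            existing = fh.read()
    if not any(blob in ln.split() for ln in existing.splitlines()):
        # A file lacking a final newline would fuse the new key onto the last one.
        sep = "\n" if existing and not existing.endswith("\n") else ""
        with open(auth_path, "a") as fh:
            fh.write(sep + entry + "\n")
    os.chmod(auth_path, 0o600)  # owner read/write only
    return fingerprint

def demo_key():
    # Constructed sample (all-zero ed25519 key body), not a real credential.
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@constructed"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in path; on the instance this is /home/maglev/.ssh/authorized_keys.
        path = os.path.join(tmp, ".ssh", "authorized_keys")
        print(add_authorized_key(path, demo_key()))
```
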
Recover the maglev user password after losing an SSH key
Complete this procedure to mount the Catalyst Center disk to another Amazon Elastic Compute Cloud (EC2) instance so you can recover the maglev user password.
Step 1 | Set up a recovery EC2 instance:
|
Step 2 | Recover the maglev user password: |
Step 3 | Restore the Catalyst Center instance.
|
Step 4 | Update the maglev user password. The maglev user password was updated at the OS level, but it is not synced with the platform database (etcd). You must sync the password by running the maglev-config update command.
|
Step 5 |