Connectrix: Brocade FOS "root" User No Longer Exists Post FOS v9.1.x and Is Replaced with the "maintenance" User
Summary: Starting from FOS v9.1, there have been significant changes to user accounts and their privileges. This article provides an overview of these changes and introduces the new "Maintenance" user account as an alternative to the traditional "root" account. ...
Instructions
Key Points
- No support for the "root" account:
  In FOS v9.1, the "root" account is no longer supported.
  Although you might still see the "root" user listed in the User Account List, it has no access or privileges even when enabled.
- Introducing the "Maintenance" user:
  The "Maintenance" user has been introduced as the replacement for the "root" account.
  It serves similar purposes, but with some important differences described below.
- Supervision by the Service Provider:
  The "Maintenance" account must be used under the supervision of the Service Provider (such as Dell/Broadcom).
  This ensures proper management and security.
- Default password for "Maintenance":
  The default password for the "Maintenance" account is "password".
  Change this password immediately after initial setup.
- Authentication for debug/kernel mode:
  To access debug/kernel mode on the switch, the "Maintenance" user must first be authenticated.
  This additional layer of security helps prevent unauthorized access.
Conclusion
Understanding the changes in user accounts and adopting the "Maintenance" account enhances security and compliance in FOS v9.1. See the Admin Guide and Command Reference Guide linked under Additional Information for further details.
Example:
- A Brocade service ticket must be opened, and a Brocade engineer must get a remote session and access to the Maintenance account by means of an authentication token and a response token (the token is valid for only three attempts).
  A token must be generated from the switch with the CLI command:
    serviceshell --generate
  The output contains the authentication token for this switch and must be forwarded to the Brocade engineer.
  Log in to the switch as the maintenance account to be able to run the command. (Note that on a Director switch you NEED to generate the tokens from both CPs.)
  Example:
    sw0:FID128:maintenance> serviceshell --generate
    Contact your support provider to obtain response token using the following authentication token:
    <BEGIN REQUEST>
- Once Brocade has the information, the Dell TSE and the customer must attend a Webex session with one of Brocade's L3 engineers, where you are provided with the required response token and further instructions on how to use it.
  When you are on the remote session with Brocade and have received the response token, authenticate the serviceshell. (Note that the token must be enclosed in double quotes.)
    sw0:FID128:maintenance> serviceshell --authenticate "<BEGIN RESPONSE>N9J0h7PtE3P+7z8hi [truncated]
    Service shell is authenticated for 2 hours.
  Activate the serviceshell:
    sw0:FID128:maintenance> serviceshell --activate
    Disclaimer for Service Shell Usage! The Serviceshell command is for use by authorized Broadcom support engineers only. Unauthorized use may cause damage to the fabric. Contact your switch provider for further instructions.
    Service session will expire at Tue May 16 12:33:49 CEST 2023
- Exit the session once the task/activity is done.
    S685:maintenance> exit
    logout:Closing the current session
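As an added example (not part of the original article or of FOS itself), the following Python script reviews a command audit trail exported from a switch against the rules above: no use of the unsupported "root" account, maintenance logins only inside the approved service window, no more than three failed serviceshell authentications per response token, and no serviceshell activation without a successful authentication within the preceding 2 hours. The log line format, the sample lines and the approved window are constructed for this example; real FOS audit or syslog messages look different and the parser would need adjusting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit trail, one command per line. This format is
# invented for the example; real FOS audit/syslog messages differ.
SAMPLE_LOG = """\
2023-05-16T10:25:00 user=root cmd=login result=fail
2023-05-16T10:30:11 user=maintenance cmd=login result=ok
2023-05-16T10:31:02 user=maintenance cmd=serviceshell --generate result=ok
2023-05-16T10:33:49 user=maintenance cmd=serviceshell --authenticate result=ok
2023-05-16T10:34:05 user=maintenance cmd=serviceshell --activate result=ok
2023-05-16T13:40:00 user=maintenance cmd=serviceshell --activate result=ok
"""
# Constructed approved window for the Brocade/Dell remote session.
APPROVED_WINDOW = (datetime(2023, 5, 16, 10, 0), datetime(2023, 5, 16, 12, 0))

LINE_RE = re.compile(r"^(\S+) user=(\S+) cmd=(.+?) result=(\S+)$")
AUTH_LIFETIME = timedelta(hours=2)  # "Service shell is authenticated for 2 hours"
MAX_AUTH_ATTEMPTS = 3               # response token "only valid for three attempts"

def parse(log: str) -> list:
    """Return (timestamp, user, command, result) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def review(events, window_start: datetime, window_end: datetime) -> list:
    """Flag activity that contradicts the FOS 9.1 maintenance-account rules."""
    findings, last_auth_ok, auth_failures = [], None, 0
    for ts, user, cmd, result in events:
        if user == "root":
            findings.append(f"{ts} root account used: unsupported in FOS 9.1, check for stale automation")
        if user == "maintenance" and cmd == "login" and not (window_start <= ts <= window_end):
            findings.append(f"{ts} maintenance login outside the approved service window")
        if cmd == "serviceshell --authenticate":
            if result == "ok":
                last_auth_ok, auth_failures = ts, 0
            else:
                auth_failures += 1
                if auth_failures > MAX_AUTH_ATTEMPTS:
                    findings.append(f"{ts} more than {MAX_AUTH_ATTEMPTS} failed serviceshell authentications")
        if cmd == "serviceshell --activate" and (last_auth_ok is None or ts - last_auth_ok > AUTH_LIFETIME):
            findings.append(f"{ts} serviceshell activated without a valid authentication in the last 2 hours")
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG), *APPROVED_WINDOW):
        print(finding)
```

On the sample trail the script reports the root login attempt and the second activation at 13:40, which falls outside the 2-hour authentication lifetime.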
Additional Information
Reference Link:
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/fc-networking/software-fabric-os/fos-91x-command.pdf
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/fc-networking/software-admingd/fos-91x-admin.pdf