- Infos im HLRS Wiki sind nicht rechtsverbindlich und ohne Gewähr -

Password change

From HLRS Platforms
Jump to navigationJump to search

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provide more detailed information and help for some problems.

  • If your account is enabled for multiple ressources, you have to do the changing procedure only once.

To do so following steps are necessary:

Login on an frontend system which is accessable for you.

If your account is locked

This is because you did not replace your login credentials in the requested time frame.

Please contact your project supervisor or send an email to

  rt-reactivate_login_request@hlrs.de

and provide your account and contact details.

Password criteria

  • minimum length: 8 characters
  • at least one upper case character: A-Z
  • at least one lower case character: a-z
  • at least one digit: 0-9
  • at least one non-alphanumerical character:
 !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ                       
 and space and tabulator                                        
  • mustn't match a dictionary entry

Password change and SSH key removal

Vulcan

[you@home ~]$ ssh <your login>@vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read information and watch output of this command. On success following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.

Hawk

[you@home ~]$ ssh <your login>@hawk.hww.hlrs.de
[you@hawk ~]$ passwd
[you@hawk ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read information and watch output of this command. On success following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.

Generation and distribution of new SSH keys

Please take care to generate a ed25519 key. In order to enhance security you should further consider securing your SSH private key with a passphrase.

Vulcan

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de

Hawk

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@$SYSTEM.hww.hlrs.de

Other systems

If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.



HLRS Employees: The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd which is only accessible from within HLRS networks or via TIK CISCO VPN. If you use the same password there, you should change it as well and use the occasion to set it to something different than for the hww production environment.