- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

Password change: Difference between revisions

From HLRS Platforms
No edit summary
Line 9: Line 9:


Login on an frontend system which is accessable for you.
Login on an frontend system which is accessable for you.
==== Vulcan users: ====
ssh –l <your login> vulcan.hww.hlrs.de
Run the <code>passwd</code> command to change your password. Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.''


Wait for a minimum of 20 minutes to redistribute the password
== Password criteria ==
* minimum length: 8 characters                                 
* at least one upper case character: A-Z                       
* at least one lower case character: a-z                       
* at least one digit: 0-9                                       
* at least one non-alphanumerical character:
  !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ                     
  and space and tabulator                                       
* mustn't match a dictionary entry
 
== Password change and SSH key removal ==
=== Vulcan ===
[you@home ~]$ ssh –l <your login> vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts
 
Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.''


Remove your ssh-keys (see below)
Wait for a minimum of 20 minutes to redistribute the password.


==== Users with accounts on Hawk only ====
=== Hawk ===
[you@home ~]$ ssh –l <your login> change.hww.hlrs.de
[you@change ~]$ /opt/passwd
[you@change ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts


A server has been set up to provide a mechanism for the change:
Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.''
ssh –l  <your login> change.hww.hlrs.de
Run the <code>passwd</code> command to change your password. Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.''


Remove your ssh-keys (see below)
Wait for a minimum of 20 minutes to redistribute the password.
== Generation and distribution of new SSH keys ==
In order to enhance security you should consider securing your SSH private key with a password.


=== remove compromised ssh-keys on vulcan / hawk ===
=== Vulcan ===
[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|      .E++. o  |
|      . +  . o  |
|        .  . .  |
|      . ... .    |
|    .o.S.o..    |
|  .. .= o=. .  |
|  o++...o + .o  |
|  .=+o.  *.*+  |
|  .oo. oB=*+o  |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de


  cd      # change into your HOME Directory
=== Hawk ===
  rm –rf .ssh  
  [you@home ~]$ ssh-keygen -t ed25519
  mkdir .ssh
Generating public/private ed25519 key pair.
  chmod 700 .ssh
Enter passphrase (empty for no passphrase): *****
  chmod og-w ~
  Enter same passphrase again: *****
  Your identification has been saved in .ssh/id_ed25519
  Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|      .E++. o  |
|      . +  . o  |
|        .  . .  |
  |      . ... .    |
|    .o.S.o..    |
|  .. .= o=. .  |
|  o++...o + .o  |
|  .=+o.  *.*+  |
|  .oo. oB=*+o  |
  +----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@change.hww.hlrs.de


=== Other systems ===
=== Other systems ===


If Users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.
If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.
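
Review bot: the `ssh –l <your login> ...` lines in the new Vulcan and Hawk command blocks are typed with an en dash instead of an ASCII hyphen, so the command fails when copied into a terminal; write `ssh -l`. The revision also drops the old `mkdir .ssh`, `chmod 700 .ssh` and `chmod og-w ~` steps, and the new `rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts` keeps the existing directory, so a sentence saying that the permissions of `.ssh` stay as they were would help.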

Revision as of 16:16, 25 May 2020

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provides more detailed information and help for some problems.

  • If your account is enabled for multiple resources, you have to do the changing procedure only once.
  • If you get an error while changing the password, check your environment. Passwd is a simple bash script located in /opt/system/wrappers/passwd on Vulcan or /opt/passwd on change.hww.hlrs.de.


To do so, the following steps are necessary:

Log in to a frontend system that is accessible to you.

Password criteria

  • minimum length: 8 characters
  • at least one upper case character: A-Z
  • at least one lower case character: a-z
  • at least one digit: 0-9
  • at least one non-alphanumerical character:
    !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ
    and space and tabulator
  • mustn't match a dictionary entry
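
The criteria above can be pre-checked locally before running the password change. The following is an added example, not the HLRS `passwd` wrapper: `check_password`, `word_list` and the sample word list are hypothetical, any character outside A-Z, a-z, 0-9 is treated as non-alphanumerical (broader than the list above), and the dictionary test compares the lower-cased letters of the candidate, which is an assumed interpretation of "match".

```sh
#!/bin/sh
# Added example: pre-check a candidate password against the listed criteria.
# The site's own passwd script remains the authoritative check.

# Constructed stand-in for a dictionary; set DICT to a real word list file if you have one.
SAMPLE_WORDS="password
welcome
supercomputer"

word_list() {
    if [ -n "${DICT:-}" ] && [ -r "$DICT" ]; then cat "$DICT"
    else printf '%s\n' "$SAMPLE_WORDS"; fi
}

# Body runs in a subshell so variables and the locale change stay local.
check_password() (
    LC_ALL=C; export LC_ALL      # plain ASCII ranges; length is counted in bytes
    pw=$1; fail=""

    [ "${#pw}" -ge 8 ] || fail="$fail length"
    case $pw in *[A-Z]*) ;; *) fail="$fail upper" ;; esac
    case $pw in *[a-z]*) ;; *) fail="$fail lower" ;; esac
    case $pw in *[0-9]*) ;; *) fail="$fail digit" ;; esac
    # Assumption: anything that is not a letter or digit counts as special.
    case $pw in *[!A-Za-z0-9]*) ;; *) fail="$fail special" ;; esac

    # Assumption: strip digits and specials, lower-case, then look for an
    # exact dictionary line, so that "Password1!" is caught as "password".
    letters=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    if [ -n "$letters" ] && word_list | grep -qxF -- "$letters"; then
        fail="$fail dictionary"
    fi

    if [ -n "$fail" ]; then
        echo "rejected:$fail"
        exit 1
    fi
    echo "ok"
)

# Constructed sample candidates.
for candidate in 'Tr1cky-Horse~42' 'Password1!' 'alllowercase'; do
    printf '%s -> %s\n' "$candidate" "$(check_password "$candidate")"
done
```
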

Password change and SSH key removal

Vulcan

[you@home ~]$ ssh -l <your login> vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Wait at least 20 minutes for the password to be redistributed.

Hawk

[you@home ~]$ ssh -l <your login> change.hww.hlrs.de
[you@change ~]$ /opt/passwd
[you@change ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Wait at least 20 minutes for the password to be redistributed.

Generation and distribution of new SSH keys

To enhance security, you should consider protecting your SSH private key with a passphrase.

Vulcan

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de

Hawk

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@change.hww.hlrs.de

Other systems

If users use the same password or ssh-keys on other systems, these keys / passwords should be replaced as well.