- Infos im HLRS Wiki sind nicht rechtsverbindlich und ohne Gewähr -
- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -
Password change: Difference between revisions
No edit summary |
No edit summary |
||
(13 intermediate revisions by 5 users not shown) | |||
Line 3: | Line 3: | ||
* If your account is enabled for multiple ressources, you have to do the changing procedure only once. | * If your account is enabled for multiple ressources, you have to do the changing procedure only once. | ||
To do so following steps are necessary: | To do so following steps are necessary: | ||
Login on an frontend system which is accessable for you. | Login on an frontend system which is accessable for you. | ||
== If your account is locked == | |||
This is because you did not replace your | |||
login credentials in the requested time frame. | |||
Please contact your project supervisor or send an email to | |||
rt-reactivate_login_request@hlrs.de | |||
and provide your account and contact details. | |||
== Password criteria == | == Password criteria == | ||
Line 22: | Line 29: | ||
== Password change and SSH key removal == | == Password change and SSH key removal == | ||
=== Vulcan === | === Vulcan === | ||
[you@home ~]$ ssh | [you@home ~]$ ssh <your login>@vulcan.hww.hlrs.de | ||
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd | [you@cl5fr2 ~]$ /opt/system/wrappers/passwd | ||
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts | [you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts | ||
Line 28: | Line 35: | ||
Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.'' | Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.'' | ||
Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password. | |||
=== Hawk === | === Hawk === | ||
[you@home ~]$ ssh | [you@home ~]$ ssh <your login>@hawk.hww.hlrs.de | ||
[you@ | [you@hawk ~]$ passwd | ||
[you@ | [you@hawk ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts | ||
Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.'' | Please read information and watch output of this command. On success following text is displayed: ''Password changed successfully.'' | ||
Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password. | |||
== Generation and distribution of new SSH keys == | == Generation and distribution of new SSH keys == | ||
In order to enhance security you should consider securing your SSH private key with a | Please take care to generate a <font color="red">ed25519</font> key. In order to enhance security you should further consider securing your SSH private key with a passphrase. | ||
=== Vulcan === | === Vulcan === | ||
Line 86: | Line 93: | ||
| .oo. oB=*+o | | | .oo. oB=*+o | | ||
+----[SHA256]-----+ | +----[SHA256]-----+ | ||
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@ | [you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@$SYSTEM.hww.hlrs.de | ||
=== Other systems === | === Other systems === | ||
If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well. | <font color="red">If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.</font> | ||
<br> | |||
'''HLRS Employees:''' The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd which is only accessible from within HLRS networks or via TIK CISCO VPN. If you use the same password there, you should change it as well and use the occasion to set it to something different than for the hww production environment. |
Latest revision as of 10:11, 28 June 2020
Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provide more detailed information and help for some problems.
- If your account is enabled for multiple ressources, you have to do the changing procedure only once.
To do so following steps are necessary:
Login on an frontend system which is accessable for you.
If your account is locked
This is because you did not replace your login credentials in the requested time frame.
Please contact your project supervisor or send an email to
rt-reactivate_login_request@hlrs.de
and provide your account and contact details.
Password criteria
- minimum length: 8 characters
- at least one upper case character: A-Z
- at least one lower case character: a-z
- at least one digit: 0-9
- at least one non-alphanumerical character:
!?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ and space and tabulator
- mustn't match a dictionary entry
Password change and SSH key removal
Vulcan
[you@home ~]$ ssh <your login>@vulcan.hww.hlrs.de [you@cl5fr2 ~]$ /opt/system/wrappers/passwd [you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts
Please read information and watch output of this command. On success following text is displayed: Password changed successfully.
Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.
Hawk
[you@home ~]$ ssh <your login>@hawk.hww.hlrs.de [you@hawk ~]$ passwd [you@hawk ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts
Please read information and watch output of this command. On success following text is displayed: Password changed successfully.
Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.
Generation and distribution of new SSH keys
Please take care to generate a ed25519 key. In order to enhance security you should further consider securing your SSH private key with a passphrase.
Vulcan
[you@home ~]$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): ***** Enter same passphrase again: ***** Your identification has been saved in .ssh/id_ed25519 Your public key has been saved in .ssh/id_ed25519.pub The key fingerprint is: SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home The key's randomart image is: +--[ED25519 256]--+ | .E++. o | | . + . o | | . . . | | . ... . | | .o.S.o.. | | .. .= o=. . | | o++...o + .o | | .=+o. *.*+ | | .oo. oB=*+o | +----[SHA256]-----+ [you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de
Hawk
[you@home ~]$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): ***** Enter same passphrase again: ***** Your identification has been saved in .ssh/id_ed25519 Your public key has been saved in .ssh/id_ed25519.pub The key fingerprint is: SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home The key's randomart image is: +--[ED25519 256]--+ | .E++. o | | . + . o | | . . . | | . ... . | | .o.S.o.. | | .. .= o=. . | | o++...o + .o | | .=+o. *.*+ | | .oo. oB=*+o | +----[SHA256]-----+ [you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@$SYSTEM.hww.hlrs.de
Other systems
If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.
HLRS Employees: The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd which is only accessible from within HLRS networks or via TIK CISCO VPN. If you use the same password there, you should change it as well and use the occasion to set it to something different than for the hww production environment.