- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

Password change: Difference between revisions

From HLRS Platforms
No edit summary
 
(24 intermediate revisions by 6 users not shown)
Previous revision

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provides more information and help for some problems.

  • If your account is enabled for multiple resources, you have to do the changing procedure only once.
  • If you get an error while changing the password, check your environment. passwd is a simple bash script located at /opt/system/wrappers/passwd on Vulcan or /opt/passwd on change.hww.hlrs.de.

To do so, the following steps are necessary:

Log in on a frontend system which is accessible for you.

Vulcan users:

  ssh -l <your login> cl5fr2.hww.hlrs.de

Run the passwd command to change your password. Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.
Wait for a minimum of 20 minutes for the password to be redistributed.
Remove your ssh-keys (see below).

Users with accounts on Hawk only

A server has been set up to provide a mechanism for the change:

  ssh -l <your login> change.hww.hlrs.de

Run the passwd command to change your password. Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.
Remove your ssh-keys (see below).

Remove compromised ssh-keys

  cd              # change into your HOME directory
  rm -rf .ssh
  mkdir .ssh
  chmod 700 .ssh
  chmod og-w ~

Latest revision as of 10:11, 28 June 2020

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provides more detailed information and help for some problems.

  • If your account is enabled for multiple resources, you have to do the changing procedure only once.

To do so, the following steps are necessary:

Log in on a frontend system which is accessible for you.

If your account is locked

This is because you did not replace your login credentials in the requested time frame.

Please contact your project supervisor or send an email to

  rt-reactivate_login_request@hlrs.de

and provide your account and contact details.

Password criteria

  • minimum length: 8 characters
  • at least one upper case character: A-Z
  • at least one lower case character: a-z
  • at least one digit: 0-9
  • at least one non-alphanumerical character:
    !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ
    and space and tabulator
  • mustn't match a dictionary entry
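The criteria above can be checked locally before running passwd. The following is an added example, not the passwd wrapper used on the HLRS systems; it treats any character outside ASCII A-Z, a-z and 0-9 as the required non-alphanumeric character (which covers the listed punctuation, space and tab), and the optional word list that stands in for the dictionary check is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example, not the passwd wrapper used on the HLRS systems: checks a
# candidate password against the criteria listed on this page before you
# run passwd. Exit status 0 means every criterion passed.
# The optional wordlist (one word per line) stands in for the dictionary
# check; its format and location are assumptions made for this example.

pw_check() {
    local pw=$1 wordlist=${2:-} fails=0
    local len=${#pw}      # character count, taken in the caller's locale
    local LC_ALL=C        # byte-wise classes: only ASCII A-Z, a-z, 0-9 are
                          # alphanumeric, so § ° € µ count as special chars
    if [ "$len" -lt 8 ]; then
        echo "fail: length $len < 8" >&2; fails=$((fails + 1))
    fi
    case $pw in *[[:upper:]]*) ;; *) echo "fail: no upper case A-Z" >&2; fails=$((fails + 1));; esac
    case $pw in *[[:lower:]]*) ;; *) echo "fail: no lower case a-z" >&2; fails=$((fails + 1));; esac
    case $pw in *[[:digit:]]*) ;; *) echo "fail: no digit 0-9" >&2; fails=$((fails + 1));; esac
    # the listed punctuation plus space and tab are all non-alphanumeric
    case $pw in *[![:alnum:]]*) ;; *) echo "fail: no non-alphanumeric character" >&2; fails=$((fails + 1));; esac
    # dictionary check: exact, case-insensitive match against the word list
    if [ -n "$wordlist" ] && grep -qixF -- "$pw" "$wordlist"; then
        echo "fail: matches a dictionary entry" >&2; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Demo with constructed inputs: a tiny word list and a few candidates.
demo() {
    local wl cand
    wl=$(mktemp) || return 1
    printf '%s\n' 'Password1!' 'Welcome2020!' > "$wl"   # constructed word list
    for cand in 'abc' 'Abcdefgh1' 'Correct Horse 9!' 'Password1!'; do
        if pw_check "$cand" "$wl" 2>/dev/null; then
            printf '%-18s accepted\n' "$cand"
        else
            printf '%-18s rejected\n' "$cand"
        fi
    done
    rm -f "$wl"
}

demo
```

Because the candidate is passed as a command-line argument, it is briefly visible to other users of a shared login node in the process list; test only throwaway candidates this way, not a password you have already set.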

Password change and SSH key removal

Vulcan

[you@home ~]$ ssh <your login>@vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20 min. Please wait at least this long before trying to connect using the new password.

Hawk

[you@home ~]$ ssh <your login>@hawk.hww.hlrs.de
[you@hawk ~]$ passwd
[you@hawk ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20 min. Please wait at least this long before trying to connect using the new password.

Generation and distribution of new SSH keys

Please take care to generate an ed25519 key. In order to enhance security you should further consider securing your SSH private key with a passphrase.

Vulcan

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de

Hawk

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@$SYSTEM.hww.hlrs.de

Other systems

If you use the same password or ssh-keys on other systems, these keys / passwords should be replaced as well.

HLRS Employees: The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd, which is only accessible from within HLRS networks or via TIK CISCO VPN. If you use the same password there, you should change it as well and use the occasion to set it to something different from the one for the hww production environment.