- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

Password change

From HLRS Platforms
Revision as of 16:16, 25 May 2020 by Hpcsaute

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provides more detailed information and help with some problems.

  • If your account is enabled for multiple resources, you only have to perform the change procedure once.
  • If you get an error while changing the password, check your environment. Passwd is a simple bash script located in /opt/system/wrappers/passwd on Vulcan or /opt/passwd on change.hww.hlrs.de.


To do so, the following steps are necessary:

Log in on a frontend system that is accessible to you.

Password criteria

  • minimum length: 8 characters
  • at least one upper case character: A-Z
  • at least one lower case character: a-z
  • at least one digit: 0-9
  • at least one non-alphanumerical character:
 !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ                       
 and space and tabulator                                        
  • must not match a dictionary entry

Password change and SSH key removal

Vulcan

[you@home ~]$ ssh -l <your login> vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Wait at least 20 minutes for the password to be redistributed.

Hawk

[you@home ~]$ ssh -l <your login> change.hww.hlrs.de
[you@change ~]$ /opt/passwd
[you@change ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read the information and watch the output of this command. On success, the following text is displayed: Password changed successfully.

Wait at least 20 minutes for the password to be redistributed.

Generation and distribution of new SSH keys

To enhance security, you should consider protecting your SSH private key with a passphrase.

Vulcan

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de

Hawk

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@change.hww.hlrs.de
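
Checking the result

A check you can run once the new key is distributed, as an added example that is not part of the original page or of HLRS tooling: it lists every entry of an authorized_keys file and flags any entry that does not match a public key you generated yourself. The function names, the --demo switch and the sample keys are constructed for illustration; it assumes you have a copy of the authorized_keys file and of your new .pub file at hand.

```shell
#!/bin/sh
# Added example (not HLRS code): list every entry of an authorized_keys file
# and flag those that do not match a public key you generated yourself.
# Usage: audit_authorized_keys AUTH_FILE PUB_FILE...
# Returns 0 if every entry is expected, 1 otherwise.
audit_authorized_keys() {
    auth_file=$1; shift
    awk -v auth="$auth_file" '
    # Index of the key-type field. Options such as from="..." may precede it.
    # Limitation: an option value that contains spaces and a key-type word
    # would confuse this simple field scan.
    function keytype_idx(   i) {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/)
                return i
        return 0
    }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        k = keytype_idx()
        if (FILENAME != auth) {              # one of the trusted .pub files
            if (k) trusted[$k " " $(k + 1)] = 1
            next
        }
        if (!k) { print "UNPARSED line " FNR; bad++; next }
        id = $k " " $(k + 1)                 # key type plus base64 blob
        label = $k " " ((k + 2 <= NF) ? $(k + 2) : "(no comment)")
        if (k > 1) label = label " [has options]"
        if (id in trusted) print "OK " label
        else { print "UNEXPECTED " label; bad++ }
    }
    END { exit (bad > 0) }
    ' "$@" "$auth_file"
}

# Constructed sample: the new key plus a leftover entry that carries options.
demo() {
    d=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNewKey you@home' > "$d/new.pub"
    { echo '# constructed authorized_keys'
      cat "$d/new.pub"
      echo 'from="192.0.2.7",no-pty ssh-rsa AAAAB3NzaC1yc2EExampleOldKey old@laptop'
    } > "$d/authorized_keys"
    rc=0; audit_authorized_keys "$d/authorized_keys" "$d/new.pub" || rc=$?
    rm -rf "$d"
    return "$rc"
}
[ "${1:-}" != --demo ] || demo
```

Any line reported as UNEXPECTED or UNPARSED is an entry you did not just create and should be removed from authorized_keys.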

Other systems

If you use the same password or ssh-keys on other systems, these keys and passwords should be replaced as well.