- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -
Password change
Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace SSH keys before June 3rd 2020. This page provides more detailed information and help for some problems.
- If your account is enabled for multiple resources, you have to do the change procedure only once.
- If you get an error while changing the password, check your environment. Passwd is a simple bash script located in /opt/system/wrappers/passwd on Vulcan or /opt/passwd on change.hww.hlrs.de.
To do so, the following steps are necessary:
Log in to a frontend system that is accessible to you.
Password criteria
- minimum length: 8 characters
- at least one upper case character: A-Z
- at least one lower case character: a-z
- at least one digit: 0-9
- at least one non-alphanumerical character:
!?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ and space and tabulator
- mustn't match a dictionary entry
Password change and SSH key removal
Vulcan
[you@home ~]$ ssh -l <your login> vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts
Please read the information and watch the output of the passwd command. On success, the following text is displayed: Password changed successfully.
Wait at least 20 minutes for the new password to be redistributed.
Hawk
[you@home ~]$ ssh -l <your login> change.hww.hlrs.de
[you@change ~]$ /opt/passwd
[you@change ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts
Please read the information and watch the output of the passwd command. On success, the following text is displayed: Password changed successfully.
Wait at least 20 minutes for the new password to be redistributed.
Generation and distribution of new SSH keys
To enhance security, you should consider protecting your SSH private key with a passphrase.
Vulcan
[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
| .E++. o |
| . + . o |
| . . . |
| . ... . |
| .o.S.o.. |
| .. .= o=. . |
| o++...o + .o |
| .=+o. *.*+ |
| .oo. oB=*+o |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de
Hawk
[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
| .E++. o |
| . + . o |
| . . . |
| . ... . |
| .o.S.o.. |
| .. .= o=. . |
| o++...o + .o |
| .=+o. *.*+ |
| .oo. oB=*+o |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@change.hww.hlrs.de
Other systems
If you use the same password or SSH keys on other systems, these keys and passwords should be replaced as well.
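A way to check the key removal and the passphrase recommendation described above, as an added example that is not HLRS code: the first function confirms that the rm command left nothing behind on the frontend, and the second lists private keys that still load without a passphrase. The file name ssh_audit.sh and both function names are hypothetical, and OpenSSH's ssh-keygen is assumed to be installed.

```shell
#!/bin/sh
# Added example, not HLRS code. Assumes OpenSSH's ssh-keygen is on PATH.

# Print every file in directory $1 that the cleanup command targets
# (authorized_key*, id*, known_hosts). Returns 1 if any still exist.
leftover_ssh_files() {
    found=0
    for f in "$1"/authorized_key* "$1"/id* "$1"/known_hosts; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        printf '%s\n' "$f"
        found=1
    done
    return "$found"
}

# Print every private key in directory $1 that loads with an EMPTY
# passphrase, i.e. is stored unencrypted. Returns 1 if any is found.
# "ssh-keygen -y" derives the public key from the private one; -P ''
# supplies the passphrase so it never prompts. A key that fails to load
# for another reason (e.g. bad file permissions) is not listed.
unprotected_private_keys() {
    found=0
    for f in "$1"/id*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac   # public halves are not secret
        if ssh-keygen -y -P '' -f "$f" </dev/null >/dev/null 2>&1; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Usage: sh ssh_audit.sh leftover [DIR]      (on the frontend, after rm)
#        sh ssh_audit.sh unprotected [DIR]   (at home, after ssh-keygen)
case ${1:-} in
    leftover)    leftover_ssh_files "${2:-$HOME/.ssh}" ;;
    unprotected) unprotected_private_keys "${2:-$HOME/.ssh}" ;;
esac
```

Run the leftover check before ssh-copy-id repopulates authorized_keys on the frontend; after that point a non-empty result is expected.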