- Infos im HLRS Wiki sind nicht rechtsverbindlich und ohne Gewähr -
- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

Password change: Difference between revisions

From HLRS Platforms
Jump to navigationJump to search
No edit summary
Line 91: Line 91:


If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.
If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.
'''HLRS Employees:''' The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd which is only accessible from within HLRS networks or via CISCO VPN with hlrs account. If you use the same password there, you should change it as well and use the occasion to set it to something different than for the hww production environment.

Revision as of 13:28, 26 May 2020

Due to a security incident on Hawk within the pre-production timeframe, all users must change their passwords and remove/replace ssh-keys before June 3rd 2020. This page provide more detailed information and help for some problems.

  • If your account is enabled for multiple ressources, you have to do the changing procedure only once.
  • If you get an error while changing the password, check your environment. Passwd is a simple bash script located in /opt/system/wrappers/passwd on Vulcan or /opt/passwd on change.hww.hlrs.de.


To do so following steps are necessary:

Login on an frontend system which is accessable for you.

Password criteria

  • minimum length: 8 characters
  • at least one upper case character: A-Z
  • at least one lower case character: a-z
  • at least one digit: 0-9
  • at least one non-alphanumerical character:
 !?,.;:\"'´\`/\\(){}[]<>§$%&=|^°*+-_~#@€µ                       
 and space and tabulator                                        
  • mustn't match a dictionary entry

Password change and SSH key removal

Vulcan

[you@home ~]$ ssh <your login>@vulcan.hww.hlrs.de
[you@cl5fr2 ~]$ /opt/system/wrappers/passwd
[you@cl5fr2 ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read information and watch output of this command. On success following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.

Hawk

[you@home ~]$ ssh <your login>@change.hww.hlrs.de
[you@change ~]$ /opt/passwd
[you@change ~]$ rm -rf .ssh/authorized_key* .ssh/id* .ssh/known_hosts

Please read information and watch output of this command. On success following text is displayed: Password changed successfully.

Password redistribution to all systems will take about 20min. Please wait at least this time before trying to connect using the new password.

Generation and distribution of new SSH keys

In order to enhance security you should consider securing your SSH private key with a password.

Vulcan

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@vulcan.hww.hlrs.de

Hawk

[you@home ~]$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in .ssh/id_ed25519
Your public key has been saved in .ssh/id_ed25519.pub
The key fingerprint is:
SHA256:hzJ396bow3r2OQmW83KjroRqtdgOxjtMddfFCAYeBTQ you@home
The key's randomart image is:
+--[ED25519 256]--+
|       .E++. o   |
|       . +  . o  |
|        .  . .   |
|      . ... .    |
|     .o.S.o..    |
|   .. .= o=. .   |
|   o++...o + .o  |
|   .=+o.  *.*+   |
|   .oo. oB=*+o   |
+----[SHA256]-----+
[you@home ~]$ ssh-copy-id -i ~/.ssh/id_ed25519.pub <your login>@change.hww.hlrs.de

Other systems

If users use the same password or ssh-keys on other systems, this keys / passwords should be replaced as well.

HLRS Employees: The password for HLRS services (mail, wiki etc.) has to be changed separately at https://kb.hlrs.de/passwd which is only accessible from within HLRS networks or via CISCO VPN with hlrs account. If you use the same password there, you should change it as well and use the occasion to set it to something different than for the hww production environment.