This topic describes how to use Bastionhost to periodically rotate the secrets that are used to access assets. This reduces the chances of secret disclosure and the potential risks posed by idle accounts and also improves the efficiency of batch secret management.
Background information
Passwords and keys used to access assets are secrets that matter to the security of assets. Due to the growing diversity of businesses within enterprises, the number of assets continuously increases. Enterprises start to focus on how to efficiently and securely manage secrets that are used to access assets. Policies and regulations also emphasize the importance of secret security. To meet the requirements for reducing asset risks and comply with the relevant laws and regulations, enterprises must periodically rotate the passwords or keys used to log on to assets.
Solutions
In a traditional password change solution, each time the password is changed, the administrator needs to manually send the new password to all users. The password can be disclosed during this process. This also makes password rotation complex.
The Bastionhost service provided by Alibaba Cloud serves as a centralized O&M security management platform. It not only supports O&M security management but also provides secret security management capabilities. In addition to the password-free secret hosting capability, Bastionhost can also automatically rotate the passwords of Linux Elastic Compute Service (ECS) instances or work with Key Management Service (KMS) to rotate the passwords or keys of Linux and Windows ECS instances. After you use a combination of Bastionhost and KMS to rotate secrets, users can directly use the rotated secrets in KMS to access assets.
Solution 1: Create a password change task in Bastionhost to rotate passwords
You can create password change tasks to periodically rotate the passwords of Linux ECS instances hosted in Bastionhost. You can specify how password change tasks are executed and create password rules to specify the complexity, length, and character policy of passwords. This enables enterprises to rotate passwords in a fine-grained manner.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
On the Password Change page, click Create Password Change Task.
In the Create Password Change Task panel, configure parameters as described in the following table and click Create.
Task Name: The name of the password change task.
Execution Method: Specify how the password change task is executed. Valid values:
    Periodic: If you select this option, you must also configure the Executed At and Period parameters. You must set Executed At to a point in time that is at least 5 minutes later than the current time. The maximum value of Period is 365. Executed At and Period together define a cycle: Bastionhost runs the password change task repeatedly, starting at Executed At and recurring every Period.
    Scheduled: If you select this option, you must also set the Executed At parameter to a point in time that is at least 5 minutes later than the current time. Bastionhost automatically runs the password change task once, at the point in time that you specify.
Password Rules: The complexity and length settings of the new password. Configure password rules based on the following descriptions:
    Password Strength: the complexity settings of the new password. You can select Digits, Lowercase Letters, Uppercase Letters, and Other Characters. Bastionhost randomly generates a new password from the character types that you select. We recommend that you select at least two character types.
    Password Length: the minimum length and maximum length of the new password. Valid values: 8 to 32. Unit: character. If you set the minimum length to 8 characters and the maximum length to 32 characters, Bastionhost randomly generates a new password that is 8 to 32 characters in length.
    Password Policies: the minimum number of characters of each type in the new password, the maximum number of times a character may appear in the new password, and the characters that the new password cannot contain. The sum of the minimum number of letters and the minimum number of other characters cannot exceed the length of the password. Valid values:
        Minimum numbers of digits, lowercase letters, uppercase letters, and other characters that the new password must contain: 0 to 32.
        Maximum number of times a character can appear in the new password: 1 to 32.
        Characters that the new password cannot contain: a set of characters.
Remarks: The description of the password change task.
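The following Python example is added here to show how the Password Rules above compose into a concrete generator and checker. It is not Bastionhost's own implementation; it models the documented constraints (selected character types, 8 to 32 length range, per-type minimums, maximum repeats, excluded characters) and assumes a particular "Other Characters" set, which the page does not enumerate. Treating the rules as a validator that can also be run against an existing password is useful when you want to confirm that a rotated secret actually meets the policy you configured.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field

# Character classes as the console labels them. The exact "Other Characters"
# set used by Bastionhost is not stated on the page; this one is an assumption.
ALPHABETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "other": "!@#$%^&*()-_=+[]{}:;,.?",
}


@dataclass
class PasswordRules:
    """Mirrors the Password Rules block: strength, length and policies."""
    char_types: tuple                                  # selected types (Password Strength)
    min_len: int = 8                                   # Password Length, 8..32
    max_len: int = 32
    min_per_type: dict = field(default_factory=dict)   # minimum count per type, 0..32
    max_repeat: int = 32                               # max times one character may appear, 1..32
    excluded: str = ""                                 # characters the new password must not contain


def allowed_chars(rules):
    """Per-type alphabets with the excluded characters removed."""
    return {t: [c for c in ALPHABETS[t] if c not in rules.excluded] for t in rules.char_types}


def validate_rules(rules):
    """Return a list of configuration problems; an empty list means the rules are usable."""
    problems = []
    if not (8 <= rules.min_len <= rules.max_len <= 32):
        problems.append("length range must satisfy 8 <= min <= max <= 32")
    known_types = bool(rules.char_types) and all(t in ALPHABETS for t in rules.char_types)
    if not known_types:
        problems.append("select at least one known character type")
    if not 1 <= rules.max_repeat <= 32:
        problems.append("max repeat must be 1..32")
    for t, n in rules.min_per_type.items():
        if t not in rules.char_types:
            problems.append(f"minimum count given for unselected type {t!r}")
        if not 0 <= n <= 32:
            problems.append(f"minimum count for {t!r} must be 0..32")
    # The page's constraint: summed minimums cannot exceed the password length.
    if sum(rules.min_per_type.values()) > rules.max_len:
        problems.append("sum of minimum counts exceeds the maximum length")
    # Edge case: excluding every character of a selected type leaves nothing to draw from.
    if known_types:
        for t, chars in allowed_chars(rules).items():
            if not chars:
                problems.append(f"all characters of type {t!r} are excluded")
    return problems


def check_password(password, rules):
    """Return the list of rule violations for a candidate password (empty = compliant)."""
    violations = []
    if not rules.min_len <= len(password) <= rules.max_len:
        violations.append("length out of range")
    pool = {c for chars in allowed_chars(rules).values() for c in chars}
    if any(c not in pool for c in password):
        violations.append("contains an excluded or unselected character")
    for t, n in rules.min_per_type.items():
        if sum(c in ALPHABETS[t] for c in password) < n:
            violations.append(f"fewer than {n} characters of type {t!r}")
    if password and max(Counter(password).values()) > rules.max_repeat:
        violations.append("a character repeats too often")
    return violations


def generate_password(rules, attempts=1000):
    """Generate a random password satisfying the rules, drawing from the OS CSPRNG."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    allowed = allowed_chars(rules)
    pool = [c for chars in allowed.values() for c in chars]
    rng = secrets.SystemRandom()
    for _ in range(attempts):
        length = rng.randint(rules.min_len, rules.max_len)
        # Seed the candidate with the mandatory minimum of each type, then fill the
        # remaining positions from the whole pool and shuffle so the mandatory
        # characters do not sit at predictable positions.
        chars = [rng.choice(allowed[t]) for t, n in rules.min_per_type.items() for _ in range(n)]
        chars += [rng.choice(pool) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, rules):
            return candidate
    # Reachable when the rules are satisfiable on paper but statistically hard to hit
    # (for example max_repeat=1 with a tiny pool); the caller should loosen the rules.
    raise RuntimeError("no compliant password found; rules are too restrictive")


if __name__ == "__main__":
    rules = PasswordRules(char_types=("digits", "lower", "upper", "other"),
                          min_len=12, max_len=16,
                          min_per_type={"digits": 2, "other": 1},
                          max_repeat=2, excluded="0O")
    print(generate_password(rules))
```

The generator rejects and retries rather than trying to construct a compliant string directly, which keeps the per-character distribution uniform over the allowed pool; the retry cap turns an unsatisfiable policy into an explicit error instead of a hang.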
Click Associate Account. On the Managed Accounts tab, click Add Host Account.
In the Add Host Account dialog box, select the host account that you want to add and click Add.
The following list describes the limits on adding host accounts to password change tasks:
A host account can be added only to one password change task.
The host account must use the SSH protocol and a password must have been configured for the host account. If an SSH key or a share key is used to authenticate a host account, you cannot add the account to the password change task.
After the operation is complete, a message appears, which indicates that the password change task is associated with the host account. You can view the task on the Password Change page.
Solution 2: Use Bastionhost with KMS to rotate passwords or keys
Bastionhost can work with KMS, which allows you to import ECS secrets from KMS into Bastionhost and then use the secret rotation capability of KMS to rotate the passwords or keys of Linux and Windows ECS instances. After the administrator configures KMS to periodically rotate ECS secrets and completes Bastionhost authorization, O&M engineers can directly use secrets hosted in KMS to access ECS instances. Bastionhost retrieves the current secret version from KMS in real time, so accounts stay usable across rotations. This significantly enhances the security of secrets, reduces the cost of asset management, and greatly improves the efficiency of secret security management.
You can configure password rotation and SSH key rotation for Linux ECS instances, and configure password rotation for Windows ECS instances.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
In the host list, find the host that you want to manage and click Import KMS Secret in the Actions column.
In the Import KMS Secret dialog box, select the ECS secrets that you want to import and click Import.
After the ECS secrets are imported, you can click the name of the host in the host list. On the Host Account tab, you can view and manage the imported ECS secrets.