Bastionhost provides the automatic password change feature. The feature can randomly generate a password based on the password policy that you configure and automatically rotate the passwords of managed host accounts. This topic describes the operations related to password changes. The operations include creating and running a password change task.
Background information
Multi-Level Protection Scheme (MLPS) requires that the logon credentials, such as passwords, of host accounts be changed on a regular basis. If the passwords are not changed for a long period of time, security risks may arise. However, regular and manual password rotation is inefficient and is prone to errors. To resolve this issue, Bastionhost provides the automatic password change feature.
Limits
Only Bastionhost Enterprise Edition supports the automatic password change feature.
The Authentication Type parameter of host accounts is set to Password.
Supported OSs and versions
OS | Version | |
Windows | Microsoft Windows |
|
Microsoft Windows Server |
| |
Linux | Alibaba Cloud Linux |
|
CentOS |
| |
Ubuntu |
| |
Debian |
| |
Open SUSE |
| |
SUSE Linux |
| |
CoreOS |
| |
Red Hat Enterprise |
|
Create a password change task
Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, choose .
On the Password Change page, click Create Password Change Task.
In the Create Password Change Task panel, configure the following parameters.
Parameter
Description
Task Name
The name of the password change task.
Execution Method
The execution method of the password change task. Valid values:
Periodic: If you select this option, you must also configure Executed At and Period. You must set Executed At to a point in time that is at least 5 minutes later than the current time. The maximum value of Period is 365. Executed At and Period specify a cycle. Bastionhost runs the password change task multiple times based on the values that you specify for Executed At and Period.
Scheduled: If you select this option, you must also set Executed At to a point in time that is at least 5 minutes later than the current time. Bastionhost automatically runs the password change task at the point in time that you specify.
Password Rules
The complexity and length settings of the new password.
Password Strength: the complexity settings of the new password. You can select Digits, Lowercase Letters, Uppercase Letters, and Other Characters. Bastionhost randomly generates a new password based on the character types that you select. We recommend that you select at least two characters types.
Password Length: the minimum length and maximum length of the new password. Valid values: 8 to 32. Unit: character. If you set the minimum length to 8 characters and the maximum length to 32 characters, Bastionhost randomly generates a new password that is 8 to 32 characters in length.
Password Policies: the minimum number of each type of characters in the new password, the maximum number of times a character appears in the new password, and the characters that the new password cannot contain. The sum of the minimum number of letters and the minimum number of other characters in a password cannot exceed the length of the password.
Valid values for the minimum numbers of digits, lowercase letters, uppercase letters, and other characters that the new password must contain: 0 to 32.
Valid values for the maximum number of times a character can appear in the new password: 1 to 32.
A set of characters that the new password cannot contain.
Remarks
The remarks of the password change task.
Click Create.
The newly created task is displayed on the Password Change page.
Click Associate Account.
On the Managed Accounts tab, click Add Host Account.
In the Add Host Account dialog box, select the host account that you want to add and click Add.
Take note of the following limits when you add host accounts to password change tasks:
A host account can be added only to one password change task.
The Protocol parameter of a host account must be set to SSH, and a password must be specified for the account. If an SSH key or a share key is used to authenticate a host account, you cannot add the account to the password change task.
After the operation is complete, a message appears, which indicates that the password change task is associated with the host account. You can view the created task on the Password Change page.
Immediately run a password change task
After you create a password change task, Bastionhost automatically runs the task based on the time or cycle that you specify. If you want to immediately run the task, select the task and click Execute Now on the Password Change page.
If you select more than one password change task, Bastionhost runs the tasks one by one.
If the time when you immediately run a periodic or scheduled password change task overlaps with the execution time that you specify for the task, Bastionhost runs the password change task only once. If the time when you immediately run a periodic or scheduled password change task does not overlap with the execution time that you specify for the task, the execution time or cycle that you specify for the password change task is not affected. In this case, although the password is changed after you immediately run the task, the task is still run to change the password based on the specified execution time or cycle.
Modify, enable, stop, or delete a password change task
After you create a password change task, you can modify, enable, stop, or delete the task on the Password Change page.
Modify a password change task
Bastionhost allows you to modify the basic information and associated accounts of a password change task. On the Password Change page, click the name of the task whose information you want to modify. On the Task Details tab of the panel that appears, modify the basic information about the task and click Update. To modify a managed account, click the Managed Accounts tab. On the Managed Accounts tab, add or remove host accounts.
Stop a password change task
If you no longer need one or more password change tasks within a specific period of time, you can stop the tasks. On the Password Change page, select the task that you want to stop and click Stop. After the task is stopped, the status of the task changes to Canceled. In this case, the task is not automatically run, and you cannot immediately run the task.
Enable a password change task
If you want to run one or more password change tasks that have been stopped, you can enable the tasks. On the Password Change page, select the task that you want to enable and click Enable. After the task is enabled, the status of the task changes to Pending Execution. In this case, the task is automatically run based on the execution time or cycle that you specify.
Delete a password change task
If you no longer need one or more password change tasks, you can delete the tasks. On the Password Change page, select the task that you want to delete and click Delete. In the message that appears, click Delete.
NoteAfter the password change task is deleted, the task cannot be recovered. Proceed with caution.
Export a password
After a password change task is successfully run, you can use the password export feature to obtain the current password of a host account. On the Change Password page, find the task for which you want to export the password and click Export Password in the Actions column. In the Export Password dialog box, enter a password that is used to encrypt the exported file and click Export Password. The file encryption password that you enter must be 4 to 32 characters in length. The current password of the host account is exported to a ZIP file and saved to your computer.
You must properly save the file encryption password that you enter in the Export Password dialog box. The file encryption password is required to decompress the exported file and obtain the current password of the host account.