Bastionhost provides the automatic password change feature. The feature can randomly generate a password based on the password policy that you configure and automatically rotate the passwords of managed host accounts. This topic describes the operations related to password changes. The operations include creating and running a password change task.
Multi-Level Protection Scheme (MLPS) requires that logon credentials, such as passwords, of host accounts be changed on a regular basis. If the passwords are not changed for a long period of time, security risks may arise. However, regular and manual password rotation is inefficient and is prone to errors. To resolve this issue, Bastionhost provides the automatic password change feature.
- The automatic password change feature is available only in Bastionhost HA Edition.
- Bastionhost allows you to change the passwords of accounts only for Linux hosts. You cannot change the passwords of accounts for Windows hosts.
- A password change task supports only the host accounts for which Protocol is set to SSH and Authentication Type is set to Password.
Supported OSs and versions
|Alibaba Cloud Linux||
Note You can use the automatic password change feature to change the passwords only of standard accounts. You cannot use this feature to change the passwords of root accounts.
Create a password change task
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- On the Password Change page, click Create Password Change Task.
- In the Create Password Change Task panel, configure the following parameters.
Parameter Description Task Name The name of the password change task. Execution Method The execution method of the password change task. Valid values:
- Periodic: If you select this option, you must also configure Executed At and Period. You must set Executed At to a point in time that is at least 5 minutes later than the current time. The maximum value of Period is 365. Executed At and Period specify a cycle. Bastionhost runs the password change task multiple times based on the values that you specify for Executed At and Period.
- Scheduled: If you select this option, you must also set Executed At to a point in time that is at least 5 minutes later than the current time. Bastionhost automatically runs the password change task at the point in time that you specify.
Password Rules The complexity and length settings of the new password.
- Password Strength: the complexity settings of the new password. You can select Digits, Lowercase Letters, Uppercase Letters, and Other Characters. Bastionhost randomly generates a new password based on the character types that you select. We recommend that you select at least two character types.
- Password Length: the minimum length of the new password. For example, if you set this parameter to 8, Bastionhost randomly generates a new password that is of 8 to 32 characters in length.
Remarks The remarks of the password change task.
- Click Create. The created task is displayed on the Password Change page.
- Click Associate Account.
- On the Managed Accounts tab, click Add Host Account.
- In the Add Host Account dialog box, select the host account that you want to add and click Add. Take note of the following limits when you add host accounts to password change tasks:
After the operation is complete, a message appears, which indicates that the password change task is associated with the host account. You can view the created task on the Password Change page.
- A host account can be added only to one password change task.
- The Protocol parameter of a host account must be set to SSH, and a password must be specified for the account. If an SSH key or a share key is used to authenticate a host account, you cannot add the account to the password change task.
Immediately run a password change task
- If you select more than one password change task, Bastionhost runs the tasks one by one.
- If the time when you immediately run a periodic or scheduled password change task overlaps with the execution time that you specify for the task, Bastionhost runs the password change task only once. If the time when you immediately run a periodic or scheduled password change task does not overlap with the execution time that you specify for the task, the execution time or cycle that you specify for the password change task is not affected. In this case, although the password is changed after you immediately run the task, the task is still run to change the password based on the specified execution time or cycle.
Modify, enable, stop, or delete a password change task
After you create a password change task, you can modify, enable, stop, or delete the task on the Password Change page.
- Modify a password change task
Bastionhost allows you to modify the basic information and associated accounts of a password change task. On the Password Change page, click the name of the task whose information you want to modify. On the Task Details tab of the panel that appears, modify the basic information about the task and click Update. To modify a managed account, click the Managed Accounts tab. On the Managed Accounts tab, add or remove host accounts.
- Stop a password change task
If you no longer need one or more password change tasks within a specific period of time, you can stop the tasks. On the Password Change page, select the task that you want to stop and click Stop. After the task is stopped, the status of the task changes to Canceled. In this case, the task is not automatically run, and you cannot immediately run the task.
- Enable a password change task
If you want to run one or more password change tasks that have been stopped, you can enable the tasks. On the Password Change page, select the task that you want to enable and click Enable. After the task is enabled, the status of the task changes to Pending Execution. In this case, the task is automatically run based on the execution time or cycle that you specify.
- Delete a password change taskIf you no longer need one or more password change tasks, you can delete the tasks. On the Password Change page, select the task that you want to delete and click Delete. In the message that appears, click Delete.Note You cannot recover a password change task after you delete it. Proceed with caution.