Bastionhost: Use the automatic password change feature

Last Updated: Jan 15, 2024

Bastionhost provides the automatic password change feature. The feature can randomly generate a password based on the password policy that you configure and automatically rotate the passwords of managed host accounts. This topic describes the operations related to password changes. The operations include creating and running a password change task.

Background information

Multi-Level Protection Scheme (MLPS) requires that logon credentials, such as passwords, of host accounts be changed on a regular basis. If the passwords are not changed for a long period of time, security risks may arise. However, regular and manual password rotation is inefficient and is prone to errors. To resolve this issue, Bastionhost provides the automatic password change feature.

Limits

  • The automatic password change feature is available only in Bastionhost Enterprise Edition.

  • Bastionhost allows you to change the passwords of accounts only for Linux hosts. You cannot change the passwords of accounts for Windows hosts.

  • A password change task supports only the host accounts for which Protocol is set to SSH and Authentication Type is set to Password.

Supported OSs and versions

  • Alibaba Cloud Linux: 3.2104 64-bit; 2.1903 LTS 64-bit; 2.1903 64-bit (Quick Start)

  • CentOS: all versions

  • Ubuntu: all versions

  • Debian: all versions

  • Open SUSE: 15.1 64-bit; 15.2 64-bit; 42.3 64-bit

  • SUSE Linux: SUSE Linux Enterprise Server 15 SP2 64-bit; SUSE Linux Enterprise Server 12 SP5 64-bit; SUSE Linux Enterprise Server 11 SP4 64-bit

  • CoreOS: 2303.4.0 64-bit; 2247.6.0 64-bit; 2023.4.0 64-bit; 1745.7.0 64-bit

Note

You can use the automatic password change feature to change the passwords only of standard accounts. You cannot use this feature to change the passwords of root accounts.

Create a password change task

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Assets > Password Change.

  3. On the Password Change page, click Create Password Change Task.

  4. In the Create Password Change Task panel, configure the following parameters.

    • Task Name: the name of the password change task.

    • Execution Method: the execution method of the password change task. Valid values:

      • Periodic: If you select this option, you must also configure Executed At and Period. You must set Executed At to a point in time that is at least 5 minutes later than the current time. The maximum value of Period is 365. Executed At and Period specify a cycle. Bastionhost runs the password change task multiple times based on the values that you specify for Executed At and Period.

      • Scheduled: If you select this option, you must also set Executed At to a point in time that is at least 5 minutes later than the current time. Bastionhost automatically runs the password change task at the point in time that you specify.

    • Password Rules: the complexity and length settings of the new password.

      • Password Strength: the complexity settings of the new password. You can select Digits, Lowercase Letters, Uppercase Letters, and Other Characters. Bastionhost randomly generates a new password based on the character types that you select. We recommend that you select at least two character types.

      • Password Length: the minimum length of the new password. For example, if you set this parameter to 8, Bastionhost randomly generates a new password that is 8 to 32 characters in length.

    • Remarks: the remarks of the password change task.

  5. Click Create.

    The newly created task is displayed on the Password Change page.

  6. Click Associate Account.

  7. On the Managed Accounts tab, click Add Host Account.

  8. In the Add Host Account dialog box, select the host account that you want to add and click Add.

    Take note of the following limits when you add host accounts to password change tasks:

    • A host account can be added only to one password change task.

    • The Protocol parameter of a host account must be set to SSH, and a password must be specified for the account. If an SSH key or a shared key is used to authenticate a host account, you cannot add the account to the password change task.

    After the operation is complete, a message appears, which indicates that the password change task is associated with the host account. You can view the created task on the Password Change page.
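The Password Rules and Execution Method constraints above are easy to get wrong when you script task creation or audit what a task produced. The following added example (not Bastionhost's own code) validates a task configuration against the limits stated on this page and generates and checks a password under the same rules; the set of symbols used for Other Characters is an assumption, since the page does not list them.

```python
import secrets
import string
from datetime import datetime, timedelta

# Character classes matching the Password Strength options on this page.
# The "Other Characters" set is assumed; the page does not list the exact symbols.
CHARACTER_CLASSES = {
    "Digits": string.digits,
    "Lowercase Letters": string.ascii_lowercase,
    "Uppercase Letters": string.ascii_uppercase,
    "Other Characters": "!@#$%^&*()-_=+[]{};:,.?",
}
MAX_LENGTH = 32      # generated passwords are at most 32 characters
MAX_PERIOD_DAYS = 365
MIN_LEAD_MINUTES = 5 # Executed At must be at least 5 minutes after now
TIME_FORMAT = "%Y-%m-%d %H:%M"


def validate_task(executed_at, now, period_days=None, min_length=8):
    """Return the list of policy violations for a task (empty list means valid).
    executed_at and now are strings in TIME_FORMAT; period_days is None for Scheduled tasks."""
    errors = []
    start = datetime.strptime(executed_at, TIME_FORMAT)
    current = datetime.strptime(now, TIME_FORMAT)
    if start < current + timedelta(minutes=MIN_LEAD_MINUTES):
        errors.append("Executed At must be at least 5 minutes later than the current time")
    if period_days is not None and period_days > MAX_PERIOD_DAYS:
        errors.append("Period must not exceed 365")
    if min_length > MAX_LENGTH:
        errors.append("Password Length must not exceed 32")
    return errors


def generate_password(selected_classes, min_length):
    """Generate a password of min_length..MAX_LENGTH characters drawn from the selected
    classes, with at least one character from each class, using a CSPRNG."""
    if not selected_classes or not (len(selected_classes) <= min_length <= MAX_LENGTH):
        raise ValueError("invalid password rules")
    length = min_length + secrets.randbelow(MAX_LENGTH - min_length + 1)
    alphabet = "".join(CHARACTER_CLASSES[c] for c in selected_classes)
    chars = [secrets.choice(CHARACTER_CLASSES[c]) for c in selected_classes]  # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the per-class characters are not positional
    return "".join(chars)


def check_password(password, selected_classes, min_length):
    """True if password satisfies the rules: length in range, only characters from the
    selected classes, and every selected class represented at least once."""
    alphabet = set("".join(CHARACTER_CLASSES[c] for c in selected_classes))
    if not (min_length <= len(password) <= MAX_LENGTH) or any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in CHARACTER_CLASSES[c] for ch in password) for c in selected_classes)
```

check_password is the audit-side counterpart: run it against a rotated credential to confirm the task produced what its rules promised.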

Immediately run a password change task

After you create a password change task, Bastionhost automatically runs the task based on the time or cycle that you specify. If you want to immediately run the task, select the task and click Execute Now on the Password Change page.

Note

  • If you select more than one password change task, Bastionhost runs the tasks one by one.

  • If the time at which you immediately run a periodic or scheduled password change task coincides with the execution time that you specified for the task, Bastionhost runs the task only once. Otherwise, running the task immediately does not affect the specified execution time or cycle: the password is changed immediately, and the task still runs again to change the password at the specified execution time or cycle.

Modify, enable, stop, or delete a password change task

After you create a password change task, you can modify, enable, stop, or delete the task on the Password Change page.

  • Modify a password change task

    Bastionhost allows you to modify the basic information and associated accounts of a password change task. On the Password Change page, click the name of the task whose information you want to modify. On the Task Details tab of the panel that appears, modify the basic information about the task and click Update. To modify a managed account, click the Managed Accounts tab. On the Managed Accounts tab, add or remove host accounts.

  • Stop a password change task

    If you no longer need one or more password change tasks within a specific period of time, you can stop the tasks. On the Password Change page, select the task that you want to stop and click Stop. After the task is stopped, the status of the task changes to Canceled. In this case, the task is not automatically run, and you cannot immediately run the task.

  • Enable a password change task

    If you want to run one or more password change tasks that have been stopped, you can enable the tasks. On the Password Change page, select the task that you want to enable and click Enable. After the task is enabled, the status of the task changes to Pending Execution. In this case, the task is automatically run based on the execution time or cycle that you specify.

  • Delete a password change task

    If you no longer need one or more password change tasks, you can delete the tasks. On the Password Change page, select the task that you want to delete and click Delete. In the message that appears, click Delete.

    Note

    After the password change task is deleted, the task cannot be recovered. Proceed with caution.

Export a password

After a password change task is successfully run, you can use the password export feature to obtain the current password of a host account. On the Password Change page, find the task for which you want to export the password and click Export Password in the Actions column. In the Export Password dialog box, enter a password that is used to encrypt the exported file and click Export Password. The file encryption password that you enter must be 4 to 32 characters in length. The current password of the host account is exported to a ZIP file and saved to your computer.

Note

You must properly save the file encryption password that you entered in the Export Password dialog box. The file encryption password is required to decompress the exported file and obtain the current password of the host account.
