All Products
Search

This Product

    Bastionhost:Password change tasks

    Document Center

    Bastionhost:Password change tasks

    Last Updated:Nov 11, 2025

    Password change tasks in Bastionhost rotate passwords or keys at scheduled times or periodic intervals based on rules that you configure. This process improves your business security. This topic describes how to use password change tasks.

    Background information

    Security compliance regulations require you to periodically change host account passwords or keys. Using the same passwords or keys for an extended period creates security risks. Manually rotating passwords and keys is a tedious and error-prone task. The automatic password change feature in Bastionhost solves these problems. This feature greatly improves O&M efficiency and security.

    Conditions

    • Version requirements: This feature is available only in Bastionhost Enterprise Edition and SM-compliant Edition. To purchase or upgrade a Bastionhost instance, see Purchase an instance and Upgrade an instance type.

    • Task limits:

      • Password change tasks do not support shared key rotation.

      • A host account can be associated with only one password change task.

    Prerequisites

    You must import host assets and escrow the host accounts in Bastionhost. For more information, see Create a host and Manage host accounts.

    Create a password change task

    1. Log on to the Bastionhost system. For more information, see Log on to the system.

    2. In the navigation pane on the left, choose Assets > Password Change.

    3. On the Password Change page, click Create Password Change Task.

    4. In the Password Change Task panel, configure the parameters for the task as described in the following table and then click Create.

      image

      Parameter

      Description

      Task Name

      Enter a name for the password change task.

      Task Type

      The options are Key Rotation and Password Rotation.

      Execution Mode

      Select an execution mode for the task. The following modes are available:

      • Periodic Execution: Bastionhost automatically runs the task at the specified time and interval.

        • The execution time must be at least five minutes after the current time.

        • The maximum period is 365 days.

      • Scheduled Execution: Bastionhost automatically starts the task at the scheduled time. The execution time must be at least five minutes after the current time.

      Password Rule

      When you set Task Type to Password Rotation, you can configure the password complexity and length.

      • Password Complexity: Select the character types to include, such as digits, lowercase letters, uppercase letters, and other characters. Bastionhost randomly generates a new password based on the selected types. Select at least two character types.

      • Password Length: Set the minimum and maximum password length. The value must be between 8 and 32. For example, if you set the minimum value to 8 and the maximum value to 32, a password with a random length from 8 to 32 characters is generated.

      • Password Policy: Set the minimum number of characters, character repetition limit, and excluded characters. The total number of minimum letters and other characters cannot exceed the password length.

        • The value for digits, lowercase letters, uppercase letters, and other characters must be between 0 and 32.

        • The value for the number of times a character can be repeated must be between 1 and 32.

        • Excluded character set: The generated password will not contain any characters from this set.

      Key Rule

      When you set Task Type to Key Rotation, you can configure the key algorithm, key length, and encryption password.

      • Key Algorithm: The options are RSA and ED25519.

      • Key Length: If you select RSA as the key algorithm, you can set the key length to 2048, 3072, or 4096 bits.

      • Encryption Password: Set the encryption password for the key. A key encryption password is a security mechanism used to protect the encryption key.

      Remarks

      Enter supplementary information about the password change task.

    5. Click Associate Accounts. On the Escrowed Accounts tab, click Add Host Account.

    6. In the Add Host Account dialog box, select the host accounts that you want to add and click Add.

      After the account is added, a message appears indicating that the Password Change Task Is Successfully Associated With The Host Account. You can view the created password change task on the Password Change Tasks page.

      Note

      • A host account can be associated with only one password change task.

      • If the task type is Password Rotation, you can add only accounts whose passwords have been escrowed. If the task type is Key Rotation, you can add only accounts whose Secure Shell (SSH) private keys have been escrowed. Shared keys cannot be rotated.

    Related operations

    Run a password change task immediately

    After you create a password change task, it runs automatically at the specified time or interval. To run a task immediately, on the Password Change Tasks page, select the task and click Run Now at the bottom of the list.

    image

    Note

    • If you run multiple password change tasks at the same time, they are executed sequentially.

    • If a scheduled execution time coincides with an immediate execution, Bastionhost runs the task only once. Otherwise, running a task immediately does not affect its schedule. The task will still run at the next scheduled time or interval.

    Immediately change the password for one or more accounts

    In the Password Change list, click the name of a task. On the Managed Accounts tab of the task details panel, select one or more host accounts and click Immediately change the password.

    image

    View password change records

    • In the Password Change list, click the name of a task that has been run. On the Managed Accounts tab of the task details panel, click the status in the Status column.

      image

    • In the Password Change Records panel that opens, view the details of the password change record.

      image

    Modify, enable, stop, or delete a password change task

    After you create a password change task, you can modify, enable, stop, or delete it on the Password Change Tasks page.

    • Modify: You can modify the basic information and associated accounts of a task.

      • On the Password Change Tasks page, click the name of the task that you want to modify. On the Task Details tab, modify the basic information of the task and click Update.

      • To modify the escrowed accounts, click the Escrowed Accounts tab. The Escrowed Accounts tab lets you add or remove host accounts.

    • Stop: If you do not need to use one or more tasks for a period of time, you can stop them.

      On the Password Change Tasks page, select the tasks that you want to stop and click Stop. After a task is stopped, its status changes to Canceled, and it will no longer run automatically.

    • Enable: To restart one or more stopped tasks, you can enable them.

      On the Password Change Tasks page, select the tasks that you want to enable and click Enable. After a task is enabled, its status changes to Pending, and it will run automatically at the specified time and interval.

    • Delete: If you are sure that you no longer need one or more tasks, you can delete them.

      On the Password Change Tasks page, select the tasks that you want to delete, click Delete, and then click Delete again in the confirmation dialog box.

      Warning

      Deleted password change tasks cannot be recovered. Perform this operation with caution.

    Export passwords and password change logs

    After a password change task runs successfully, you can export the new passwords and the password change logs.

    1. In the Password Change list, click the name of a completed task. In the task details panel, click the Password Change History tab and then click Export Password.

      image

    2. In the Export Password Change History dialog box, enter a file encryption password of 4 to 32 characters to encrypt the file, and then click Export Password Change History.

      The passwords of the host accounts are compressed into a .zip file and downloaded to your computer.

      image

      Note

      Keep the file encryption password in a safe place. You must enter this password to retrieve the passwords from the file.

    Operating system versions that support password change tasks

    Operating system

    Version

    Windows

    Microsoft Windows

    • Windows 7

    • Windows 8

    • Windows 10

    Microsoft Windows Server

    • Windows Server 2008

    • Windows Server 2012R2

    • Windows Server 2016

    • Windows Server 2019

    • Windows Server 2022

    Linux

    Alibaba Cloud Linux

    • 3.2104 64-bit

    • 2.1903 LTS 64-bit

    • 2.1903 64-bit Quick Launch

    CentOS

    • CentOS 6.10 to CentOS 8.5

    • CentOS Stream 8

    • CentOS Stream 9

    Ubuntu

    • Ubuntu 20.04 64-bit

    • Ubuntu 18.04 64-bit

    • Ubuntu 16.04 32-bit

    • Ubuntu 20.04 64-bit UEFI

    • Ubuntu 22.04 64-bit

    Debian

    • Debian 11.8 64-bit

    • Debian 8.9 64-bit

    openSUSE

    • 15.1 64-bit

    • 15.2 64-bit

    • 42.3 64-bit

    SUSE Linux

    • SUSE Linux Enterprise Server 15 SP2 64-bit

    • SUSE Linux Enterprise Server 12 SP5 64-bit

    CoreOS

    • 34.20210529.3.0_3

    • 33.20210217.3.0_3

    Red Hat Enterprise

    • Linux 7 (64-bit) to Linux 8 (64-bit)