Create a password change task, use the password change task feature, rotate passwords, rotate keys, and operating systems that support password change - Bastionhost

Bastionhost provides the automatic password change feature. The feature can periodically rotate passwords or keys of host accounts or rotate passwords or keys of host accounts at a scheduled time based on the password or key rules that you configure. This effectively improves the security of your business. This topic describes how to use the automatic password change feature.

Background information

Multi-Level Protection Scheme (MLPS) requires that the logon credentials, such as passwords and keys, of host accounts be changed on a regular basis. If the passwords or keys are not changed for a long period of time, security risks may arise. However, regular and manual password or key rotation is inefficient and is prone to errors. To resolve this issue, Bastionhost provides the automatic password change feature. This improves the O&M efficiency and ensures security.

Limits

Limits on editions: Only Bastionhost Enterprise Edition and SM Edition support the automatic password change feature. For more information about how to purchase and upgrade a bastion host, see Purchase a bastion host and Upgrade a bastion host.
Limits on password change tasks:
- The password change tasks do not support the rotation of shared keys.
- A host account can be associated with only one password change task.

Supported versions of operating systems

Operating system		Version
Windows	Microsoft Windows	Windows 7 Windows 8 Windows 10
	Microsoft Windows Server	Windows Server 2008 Windows Server 2012R2 Windows Server 2016 Windows Server 2019 Windows Server 2022
Linux	Alibaba Cloud Linux	3.2104 64-bit 2.1903 LTS 64-bit 2.1903 64-bit (Quick Start)
	CentOS	CentOS 6.10 to CentOS 8.5 CentOS Stream 8 CentOS Stream 9



	Ubuntu	Ubuntu 20.04 64-bit Ubuntu 18.04 64-bit Ubuntu 16.04 32-bit Ubuntu 20.04 64-bit (UEFI) Ubuntu 22.04 64-bit



	Debian	Debian 11.8 64-bit Debian 8.9 64-bit

	Open SUSE	15.1 64-bit 15.2 64-bit 42.3 64-bit
	SUSE Linux	SUSE Linux Enterprise Server 15 SP2 64-bit SUSE Linux Enterprise Server 12 SP5 64-bit
	CoreOS	34.20210529.3.0_3 33.20210217.3.0_3
	Red Hat Enterprise	Linux 7 (64-bit)~Linux 8 (64-bit)

Prerequisites

Hosts are imported to a bastion host and a host account is hosted in the console of a bastion host. For more information, see Add hosts and Manage a host account.

Create a password change task

Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, choose Assets > Password Change.
On the Password Change page, click Create Password Change Task.

In the Create Password Change Task panel, configure parameters that are described in the following table and click Create.

Parameter	Description
Task Name	The name of the password change task.
Task Type	The type of the password change task. Valid values: Key Rotation and Password Rotation.
Execution Method	The execution method of the password change task. Valid values: Periodic: Bastionhost automatically runs the password change task based on the values that you specify for Executed At and Period. You must set Executed At to a point in time that is at least 5 minutes later than the current time. The maximum value of Period is 365. Scheduled: When the specified execution time is reached, Bastionhost automatically runs the password change task. You must set Executed At to a point in time that is at least 5 minutes later than the current time.
Password Rules	The complexity and length settings of the new password. If you set Task Type to Password Rotation, you can configure these settings. Password Strength: the complexity settings of the new password. You can select Digits, Lowercase Letters, Uppercase Letters, and Other Characters. Bastionhost randomly generates a new password based on the character types that you select. We recommend that you select at least two characters types. Password Length: the minimum number of characters and maximum number of characters of the new password in length. Valid values: 8 to 32. If you set the minimum length to 8 characters and the maximum length to 32 characters, Bastionhost randomly generates a new password that is 8 to 32 characters in length. Password Policies: the minimum number of each type of characters in the new password, the maximum number of times that a character can appear in the new password, and the characters that the new password cannot contain. The sum of the minimum number of letters and the minimum number of other characters in a password cannot exceed the length of the password. Valid values for the minimum numbers of digits, lowercase letters, uppercase letters, and other characters that the new password must contain: 0 to 32. Valid values for the maximum number of times a character can appear in the new password: 1 to 32. A set of characters that the new password cannot contain.
Key Rule	The key algorithm, key length, and encryption password settings. If you set Task Type to Key Rotation, you can configure these settings. Key Algorithm: Select RSA or ED25519. Key Length: If you set Key Algorithm to RSA, you can set the key length to 2,048, 3,072, or 4,096 bits. Encryption Password: Configure the key encryption password. A key encryption password is a security mechanism used to protect encryption keys.
Remarks	The remarks of the password change task.

Click Associate Account. On the Managed Accounts tab, click Add Host Account.
In the Add Host Account dialog box, select the host account that you want to add and click Add.
After the host account is added, a message appears, which indicates that the password change task is associated with the host account. You can view the created task on the Password Change page.
Note
- A host account can be associated with only one password change task.
- If you set Task Type to Password Rotation, you can add only accounts that have passwords hosted on your bastion host to the password change task. If you set Task Type to Key Rotation, you can add only accounts that have SSH private keys hosted on the bastion host to the password change task. You cannot rotate shared keys.

Related operations

Immediately run a password change task

After you create a password change task, Bastionhost automatically runs the task based on the time or cycle that you specify. If you want to immediately run the task, select the task and click Execute Now in the lower part of the task list on the Password Change page.

Note

If you select more than one password change task, Bastionhost runs the tasks one by one.
If the time when you immediately run a periodic or scheduled password change task overlaps with the execution time that you specify for the task, Bastionhost runs the password change task only once. If the time when you immediately run a periodic or scheduled password change task does not overlap with the execution time that you specify for the task, the execution time or cycle that you specify for the password change task is not affected. In this case, although the password is changed after you immediately run the task, the task is still run to change the password based on the specified execution time or cycle.

Modify, enable, stop, or delete a password change task

After you create a password change task, you can modify, enable, stop, or delete the task on the Password Change page.

Modify a password change task: Bastionhost allows you to modify the basic information and associated accounts of a password change task.
- On the Password Change page, click the name of the task whose information you want to modify. On the Task Details tab of the panel that appears, modify the basic information about the task and click Update.
- To modify a managed account, click the Managed Accounts tab. On the Managed Accounts tab, add or remove host accounts.
Stop a password change task: If you no longer need one or more password change tasks within a specific period of time, you can stop the tasks.
On the Password Change page, select the task that you want to stop and click Stop. After the task is stopped, the status of the task changes to Canceled and the task is no longer automatically run.
Enable a password change task: If you want to run one or more password change tasks that are stopped, you can enable the tasks.
On the Password Change page, select the task that you want to enable and click Enable. After the task is enabled, the status of the task changes to Pending Execution. In this case, the task is automatically run based on the execution time or cycle that you specify.
Delete a password change task: If you no longer need one or more password change tasks, you can delete the tasks.
On the Password Change page, select the task that you want to delete and click Delete. In the message that appears, click Delete.
Warning
After the password change task is deleted, the task cannot be recovered. Proceed with caution.

Export a password or key

After a password change task is successfully run, you can export the password or key of a host account.

On the Change Password page, find the task for which you want to export the password or key and click Export Password or Export Key in the Actions column.
In the Export Password dialog box, enter a password that is used to encrypt the exported file and click Export Password. The file encryption password that you enter must be 4 to 32 characters in length.
The current password of the host account is exported to a ZIP file and saved to your computer.
Note
Keep the file encryption password confidential. The file encryption password is required to decompress the exported file and obtain the current password of the host account.