Managing Accounts and Passwords

The Appliance CLI Manager includes options to change passwords and permissions for multiple users from the CLI. The available options are as follows:

  • Change My Password
  • Manage Password and Local-Accounts
    • Reset directory user-password
    • Change OS root account password
    • Change OS local_admin account password
    • Change OS local_admin account permissions
    • Manage internal Service-Accounts
    • Manage local OS users

OS Users in Appliances

When you install an appliance, several OS user accounts are created to run specific services for the products.

When adding users, ensure that you do not add the OS users as policy users.

The following table describes the OS users that are available in your appliance.

OS User                               Description
alliance                              Handles DSG processes
root                                  Super user with access to all commands and files
local_admin                           Local administrator that can be used when an LDAP user is not accessible
www-data                              Daemon that runs the Apache, Service dispatcher, and Web services as a user
ptycluster                            Handles TAC related services and communication with TAC through SSH
service_admin and service_viewer      Internal service accounts used for components that do not support LDAP
clamav                                Handles ClamAV antivirus
rabbitmq                              Handles the RabbitMQ messaging queues
epmd                                  Daemon that tracks the listening address of a node
openldap                              Handles the openLDAP utility
dpsdbuser                             Internal repository user for managing policies

Strengthening Password Policy

Passwords are the primary control protecting a user account, so their strength and complexity are a basic enterprise requirement. A weak password increases the chance of a breach; password policies exist to ensure that every account is protected by a strong one.

Password policies are rules that apply validation checks when a password is set. You can define your password policy according to your enterprise's requirements. Typical requirements of a strong password policy include a minimum length and the use of numerals, letters, and special characters.

The default requirements of a strong password policy for an appliance OS user are as follows.

  • The password must have at least 8 characters.
  • All the printable ASCII characters are allowed.
  • The password must contain at least one character from each of at least two of the following three groups:
    • Numeric: the digits 0-9.
    • Alphabetic: uppercase [A-Z] and lowercase [a-z] letters.
    • Special characters: ! " # $ % & ( ) * + , - . / : ; < > = ? @ [ \ ] ^ _ ` { | } ~

You can enforce password policy rules for the LDAP and OS users by editing the check_password.py file. This file contains a Python function that validates a user password. The function runs whenever a password is set for a user, and the new password is applied only if the function accepts it.

For more information about password policy for LDAP users, refer here.

Enforcing Password Policy

The following section describes how to enforce your policy restrictions for the OS and LDAP user accounts.

To enforce password policy:

  1. Login to the CLI Manager.

  2. Navigate to Administration > OS Console.

  3. Enter the root password and select OK.

  4. Edit the check_password.py file using a text editor.

    /etc/ksa/check_password.py
    
  5. Define the password rules as per your organizational requirements.

    For more information about the password policy examples, refer here.

  6. Save the file.

    The password rules for the users in ESA are updated.

Examples

The following section describes a few scenarios about enforcing validation checks for the LDAP and OS users.

The check_password.py file contains the def check_password(password) Python function. In this function you define your validations for the user password. The function returns a status code and a status message. On successful validation, the status code is zero and the status message is empty. On validation failure, the status code is non-zero and the status message contains the appropriate error message.

Scenario 1:

An enterprise wants to implement the following password rules:

  • Length of the password should be at least 15 characters
  • Password should contain digits

You must add the following snippet in the def check_password(password) function:

import string

# Password length check
if len(password) < 15:
    return (1, "Password should contain at least 15 characters")
# Password digits check: at least one character from 0-9
password_set = set(password)
digits = set(string.digits)
if not password_set.intersection(digits):
    return (2, "Password must contain a digit")

Scenario 2:

An enterprise wants to implement the following password rule:

  • Password should not contain 1234.

You must add the following snippet in the def check_password(password) function. Note that this is a substring check: comparing the whole password with the integer 1234 would never match a string and would reject nothing.

# Reject any password containing the sequence 1234
if "1234" in password:
    return (1, "Password must not contain 1234")
return (0, None)

Scenario 3:

An enterprise wants to implement the following password rules:

  • Password should contain a combination of uppercase, lowercase, and numbers.

You must add the following snippet in the def check_password(password) function:

import string

password_set = set(password)
# Force digits
digits = set(string.digits)
if not password_set.intersection(digits):
    return (2, "Password must contain numbers, upper, and lower case characters")
# Force lowercase
lower_letters = set(string.ascii_lowercase)
if not password_set.intersection(lower_letters):
    return (2, "Password must contain numbers, upper, and lower case characters")
# Force uppercase
upper_letters = set(string.ascii_uppercase)
if not password_set.intersection(upper_letters):
    return (2, "Password must contain numbers, upper, and lower case characters")
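The following is an added example, not the check_password.py shipped with the appliance: a complete file that combines the default OS-user policy from the Strengthening Password Policy section (printable ASCII only, characters from at least two of the three groups) with the rules of Scenarios 1 to 3 above, so the whole of the Enforcing Password Policy procedure can be seen in one file. It assumes the appliance imports the module and calls check_password(password) with the candidate password as a string, as the Examples section describes; the policy constants, the status codes, and the fail-closed wrapper are choices made for this example, and the Python version on the appliance is not stated here, so the code avoids version-specific syntax.

```python
# Example /etc/ksa/check_password.py (added example, not the appliance's own file).
import string

# --- Policy knobs (assumed values for this example; adjust to your rules) ---
MIN_LENGTH = 15                       # Scenario 1 (the default policy is 8)
FORBIDDEN_SUBSTRINGS = ("1234",)      # Scenario 2
REQUIRE_ALL_GROUPS = True             # Scenario 3: digits, lower and upper case all required
MIN_GROUPS = 2                        # Default policy: any two of digits/letters/specials

_DIGITS = set(string.digits)
_LOWER = set(string.ascii_lowercase)
_UPPER = set(string.ascii_uppercase)
# Special characters exactly as listed in the default policy table.
_SPECIAL = set('!"#$%&()*+,-./:;<>=?@[\\]^_`{|}~')


def _is_printable_ascii(password):
    # The default policy allows all printable ASCII (0x20 space .. 0x7E tilde).
    # Deliberately not string.printable, which also admits tab and newline.
    return all(0x20 <= ord(c) <= 0x7E for c in password)


def _check(password):
    if len(password) < MIN_LENGTH:
        return (1, "Password should contain at least %d characters" % MIN_LENGTH)
    if not _is_printable_ascii(password):
        return (2, "Password may contain only printable ASCII characters")

    chars = set(password)
    has_digit = bool(chars & _DIGITS)
    has_lower = bool(chars & _LOWER)
    has_upper = bool(chars & _UPPER)
    has_special = bool(chars & _SPECIAL)

    if REQUIRE_ALL_GROUPS and not (has_digit and has_lower and has_upper):
        return (3, "Password must contain numbers, upper, and lower case characters")

    # Default policy: characters from at least MIN_GROUPS of the three groups
    # (digits, letters of either case, special characters).
    groups = sum([has_digit, has_lower or has_upper, has_special])
    if groups < MIN_GROUPS:
        msg = ("Password must contain characters from at least %d of: "
               "digits, letters, special characters")
        return (4, msg % MIN_GROUPS)

    for bad in FORBIDDEN_SUBSTRINGS:
        if bad in password:
            return (5, "Password must not contain %s" % bad)

    return (0, None)


def check_password(password):
    """Entry point the appliance calls: (0, None) accepts, non-zero rejects."""
    try:
        return _check(password)
    except Exception as exc:
        # Fail closed: a bug in a rule must never let a weak password through.
        return (99, "Password validation error: %s" % exc)


if __name__ == "__main__":
    # Constructed candidates for a quick local run of the rules.
    for candidate in ("Tr0ub4dor&3Horse", "short1A", "abcdefghijklmnop",
                      "Abcdefghijklm1234", "Abcdefghijklmno1\t"):
        print(repr(candidate), check_password(candidate))
```

Run the file directly (python /etc/ksa/check_password.py) after editing it to see each rule fire before any real user is affected; the fail-closed wrapper matters because a syntax-valid but buggy rule that raises would otherwise leave the outcome of the password change up to however the appliance treats an exception.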

Changing Current Password

When you need to change your current password for a reason other than expiration, for example because of suspicious activity, use the following steps.

For more information about appliance users, refer here.

To change the current password:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Change My Password.

  3. In the Current password field, type the current password.

  4. In the New Password field, type the new password.

  5. In the Retype Password field, retype the new password.

  6. Select OK and press ENTER to save the changes.

Resetting Directory Account Passwords

You can change the password for any user existing in the internal LDAP directory. The user accounts and their security privileges as well as passwords are defined in the LDAP directory.

To change the password for any LDAP user, you must provide Administrative LDAP user credentials. Optionally, you can also provide the old password of the LDAP user.

The LDAP Administrator is either the admin user or a Directory Administrator assigned by admin. Admin can define Directory Administrators in the LDAP directory.

For more information about the internal LDAP directory, refer here.

To change a directory account password:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Reset directory user-password.

  3. In the displayed dialog box, in the Administrative LDAP user name or local_admin and Administrative user password fields, enter the Administrative LDAP user name and password. You can also use the local_admin credentials.

  4. In the Target LDAP user field, enter the LDAP user name you wish to change the password for.

  5. In the Old password field, enter the old password for the selected LDAP user. This step is optional.

  6. In the New password field, enter a new password for the selected LDAP user.

  7. In the Confirm new password field, re-enter a new password for the selected LDAP user.

  8. Select OK and press ENTER to save the changes.

Changing the Root User Password

You may want to change the root user password for security reasons; this can only be done using the Appliance CLI Manager.

To change the root password:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Change OS root account password.

  3. In the Administrative user name and Administrative user password fields, enter the administrative user name and its valid password. You can also use the local_admin credentials.

  4. In the Old root password field, enter the old password for the root user.

  5. In the New root password field, enter the new password for the root user.

  6. In the Confirm new password field, re-enter the new password for the root user.

  7. Select OK and press ENTER to save the changes.

Changing the Local Admin Account Password

You can log into CLI Manager as a local_admin user if the LDAP is down or for LDAP maintenance. It is recommended that the local_admin account is not used for standard operations since it is primarily intended for maintenance tasks.

To change local_admin account password:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Change OS local_admin account password.

  3. In the Administrative user name and Administrative user password fields, enter the administrative user name and the old password for the local_admin. You can also use the Directory Server Administrator credentials.

  4. In the New local_admin password field, enter new local_admin password.

  5. In the Confirm new password field, re-enter the new local_admin password.

  6. Select OK and press ENTER to save changes.

Changing the Local Admin Account Permission

By default, the local_admin user cannot log into CLI Manager using SSH or log into the Web UI. You can grant either or both kinds of access with the Change OS local_admin account permissions option, as described below.

To change local_admin account permissions:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Change OS local_admin account permissions.

  3. In the dialog box displayed, in the Password field, enter the local_admin password.

  4. Select OK.

  5. Specify the permissions for the local_admin. You can either select SSH Access, Web-Interface Access, or both.

  6. Select OK.

Changing Service Accounts Passwords

The service account users are service_admin and service_viewer. They are used for the internal operations of components that do not support LDAP, such as the Management Server internal users and the Management Server Postgres database. You cannot log into the Appliance Web UI, Reports Management (for ESA), or CLI Manager with service account users. Because service accounts are internal OS accounts, modify them only in special cases.

To change service accounts:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Manage internal ‘Service-Accounts’.

  3. In the Account name and Account password fields, enter the Administrative user name and password.

  4. Select OK.

  5. In the dialog box displayed, in the Admin Service Account section, in the New password field, enter the new admin service account password.

  6. In the Confirm field, re-enter the new admin service account password.

  7. In the Viewer Service Account section, in the New password field, enter the new viewer service account password.

  8. In the Confirm field, re-enter the new viewer service account password.

  9. Select OK.

    Alternatively, in the Service Account details dialog box, select Generate-Random to generate the new passwords randomly, and then select OK.

Managing Local OS Users

The Manage local OS users option lets you create users that need direct OS shell access, for non-standard functions such as scheduling remote operations, running backup agents, or running health monitoring. It also lets you manage the password and permissions of dpsdbuser, which exists by default when ESA is installed.

The password restrictions for OS users are as follows:

  • For all OS users, you cannot reuse any of the last 10 passwords.
  • If an OS user signs in three times with an incorrect password, the account is locked for five minutes. After five minutes, signing in with the correct credentials unlocks the account; a further incorrect attempt locks it again for five minutes.

To manage local OS users:

  1. Login to the CLI Manager.

  2. Navigate to Administration > Accounts and Passwords > Manage Passwords and Local-Accounts > Manage local OS users.

  3. Enter the root password and select OK.

  4. In the dialog box displayed, select Add to create a new user, or select an existing user to manage it, as described below.

    To add a new local OS user:

      1. Select Add.

      2. In the dialog box displayed, in the User name and Password fields, enter a user name and password for the new user. The & character is not supported in the User name field.

      3. In the Confirm field, re-enter the password for the new user.

      4. Select OK.

    To manage an existing user, select the user from the displayed list and choose one of the following options from the menu.

      Table: User Options

      Check password: Validates the entered password.
        1. In the dialog box displayed, enter the password for the local OS user.
           A Validation succeeded message appears.

      Update password: Changes the password for the user.
        1. In the dialog box displayed, in the Old password field, enter the old password for the local OS user. This step is optional.
        2. In the New Password field, enter the new password for the local OS user.
        3. In the Confirm field, re-enter the new password for the local OS user.

      Update shell: Defines shell access for the user.
        1. In the dialog box displayed, select one of the following options.
          • No login access - /bin/false
          • Linux Shell - /bin/bash
          • Custom
        Note: The default shell is No login access (/bin/false).

      Toggle SSH access: Sets SSH access for the user. Select the Toggle SSH access option and press ENTER to set SSH access to Yes.
        Note: The default is No when a user is created.

      Delete user: Deletes the local OS user and the related home directory. Select the Delete user option and select Yes to confirm.

  5. Select Close to exit.

Last modified January 21, 2025