Password rules enhancement
Story: 2011084 Task: 50154 Change-Id: I34a70e6f2a68cb6617a16931f04edc92ccff0a93 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
This commit is contained in:
parent
d02980606e
commit
f85f77229a
@ -115,7 +115,7 @@ are in ``/home/sysadmin/ssl/``.
|
|||||||
insecureNoSSL: false
|
insecureNoSSL: false
|
||||||
insecureSkipVerify: false
|
insecureSkipVerify: false
|
||||||
bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
|
bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
|
||||||
bindPW: Li69nux*
|
bindPW: St8rlingXCloud*
|
||||||
usernamePrompt: Username
|
usernamePrompt: Username
|
||||||
userSearch:
|
userSearch:
|
||||||
baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com
|
baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com
|
||||||
|
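Review bot: the changed line `bindPW: St8rlingXCloud*` keeps a sample bind credential in plaintext beside `bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com`; the new value is fine as an example (it satisfies the 12-character rule this change introduces elsewhere), but the text around this block should state that it is a placeholder and that the file holding `bindPW` must be readable only by the service that consumes it. The unchanged `insecureNoSSL: false` and `insecureSkipVerify: false` context lines are the correct settings and should not be relaxed when readers adapt this example.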
@ -34,4 +34,4 @@ For example:
|
|||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingX*" -e "admin_password=St8rlingX*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
|
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingXCloud*" -e "admin_password=St8rlingXCloud*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
|
||||||
|
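Review bot: the changed `restore_platform.yml` command still passes `ansible_become_pass` and `admin_password` as plaintext `-e` arguments, so they end up in the shell history and are visible in the process list while the playbook runs. Since this same change documents keeping these values in a vault-encrypted file edited with `ansible-vault edit` (hunk `@ -84,11 +84,11 @@`), cross-reference that variant here so readers are not steered to the command-line form by default.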
@ -176,7 +176,7 @@ conditions are in place:
|
|||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingX*"
|
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingXCloud*"
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -84,11 +84,11 @@ and target it at controller-0.
|
|||||||
yes/no: 'yes'
|
yes/no: 'yes'
|
||||||
sysadmin*: 'sysadmin'
|
sysadmin*: 'sysadmin'
|
||||||
(current) UNIX password: 'sysadmin'
|
(current) UNIX password: 'sysadmin'
|
||||||
New password: 'St8rlingX*'
|
New password: 'St8rlingXCloud*'
|
||||||
Retype new password: 'St8rlingX*'
|
Retype new password: 'St8rlingXCloud*'
|
||||||
admin_password: St8rlingX*
|
admin_password: St8rlingXCloud*
|
||||||
ansible_become_pass: St8rlingX*
|
ansible_become_pass: St8rlingXCloud*
|
||||||
ansible_ssh_pass: St8rlingX*
|
ansible_ssh_pass: St8rlingXCloud*
|
||||||
|
|
||||||
Save your changes and quit the editor. If you need to make additional
|
Save your changes and quit the editor. If you need to make additional
|
||||||
changes, you can use the command :command:`ansible-vault edit
|
changes, you can use the command :command:`ansible-vault edit
|
||||||
|
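Review bot: the new sample `St8rlingXCloud*` is 15 characters with upper case, lower case, a digit and a special character, so it meets the 12-character minimum introduced in the password-rules hunks of this change; the unchanged `sysadmin*: 'sysadmin'` and `(current) UNIX password: 'sysadmin'` entries are the initial default and are expected here, but a one-line comment in the sample saying that those two lines must match the current password while `New password` and `Retype new password` must be identical would prevent a mismatched edit. The trailing context (`ansible-vault edit`) confirms the file is kept vault-encrypted, which is the right place for these values.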
@ -85,7 +85,7 @@ Below you can find other ``-e`` command line options:
|
|||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingX* admin_password=St8rlingX* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
|
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -186,7 +186,7 @@ From a new shell as a root user, without sourcing ``/etc/platform/openrc``:
|
|||||||
endpoint_type: internalURL
|
endpoint_type: internalURL
|
||||||
auth:
|
auth:
|
||||||
username: 'admin'
|
username: 'admin'
|
||||||
password: 'Li69nux*'
|
password: 'St8rlingXCloud*'
|
||||||
project_name: 'admin'
|
project_name: 'admin'
|
||||||
project_domain_name: 'default'
|
project_domain_name: 'default'
|
||||||
user_domain_name: 'default'
|
user_domain_name: 'default'
|
||||||
|
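Review bot: `password: 'St8rlingXCloud*'` under `auth:` stores the `admin` credential (with `project_name: 'admin'`) in plaintext in a clouds configuration file; the doc should remind readers to keep that file readable only by its owner (for example `chmod 600` on it) since anyone who can read it gets the admin project.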
@ -269,7 +269,7 @@ The following command will request the Keystone token:
|
|||||||
"user": {
|
"user": {
|
||||||
"name": "admin",
|
"name": "admin",
|
||||||
"domain": { "id": "default" },
|
"domain": { "id": "default" },
|
||||||
"password": "St8rlingX*"
|
"password": "St8rlingXCloud*"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -127,7 +127,7 @@ Example:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* ansible_ssh_pass=Li69nux*"
|
ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*"
|
||||||
|
|
||||||
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable.
|
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable.
|
||||||
|
|
||||||
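Review bot: `ansible_ssh_pass=St8rlingXCloud*` appears twice in the `-e` string on the changed line (it was already duplicated as `ansible_ssh_pass=Li69nux*` before the change); drop the second occurrence while this line is being touched, e.g. `-e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*"`.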
@ -344,7 +344,7 @@ Steps:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
|
ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
|
||||||
|
|
||||||
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command.
|
#. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command.
|
||||||
|
|
||||||
@ -470,7 +470,7 @@ Steps:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
|
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
|
||||||
|
|
||||||
If you want to restore Glance images and Cinder volumes from external
|
If you want to restore Glance images and Cinder volumes from external
|
||||||
storage (the Optional step above was executed) or you want to reconcile
|
storage (the Optional step above was executed) or you want to reconcile
|
||||||
@ -489,7 +489,7 @@ Steps:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
|
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
|
||||||
|
|
||||||
* Restore Glance images and Cinder volumes using image-backup.sh and
|
* Restore Glance images and Cinder volumes using image-backup.sh and
|
||||||
tidy_storage_post_restore helper scripts.
|
tidy_storage_post_restore helper scripts.
|
||||||
@ -556,4 +556,4 @@ Steps:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
|
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
|
||||||
|
@ -93,7 +93,7 @@ using the ansible playbook.
|
|||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
{
|
{
|
||||||
"ansible_ssh_pass": "St8rlingX*",
|
"ansible_ssh_pass": "St8rlingXCloud*",
|
||||||
"external_oam_node_0_address": "10.10.10.13",
|
"external_oam_node_0_address": "10.10.10.13",
|
||||||
"external_oam_node_1_address": "10.10.10.14",
|
"external_oam_node_1_address": "10.10.10.14",
|
||||||
}
|
}
|
||||||
|
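Review bot: the snippet ends with `"external_oam_node_1_address": "10.10.10.14",` followed directly by `}`, so the trailing comma makes it invalid JSON if copied verbatim; remove the comma (or show the elided keys between them) so the example parses.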
@ -21,6 +21,7 @@ System Accounts
|
|||||||
remote-windows-active-directory-accounts
|
remote-windows-active-directory-accounts
|
||||||
starlingx-system-accounts-system-account-password-rules
|
starlingx-system-accounts-system-account-password-rules
|
||||||
manage-local-ldap-39fe3a85a528
|
manage-local-ldap-39fe3a85a528
|
||||||
|
linux-accounts-password-3dcad436dce4
|
||||||
|
|
||||||
*****************
|
*****************
|
||||||
Access the System
|
Access the System
|
||||||
|
@ -18,6 +18,26 @@ You can configure custom password rules for keystone security compliance.
|
|||||||
system service-parameter-add identity security_compliance unique_last_password_count
|
system service-parameter-add identity security_compliance unique_last_password_count
|
||||||
system service-parameter-add identity security_compliance password_regex
|
system service-parameter-add identity security_compliance password_regex
|
||||||
system service-parameter-add identity security_compliance password_regex_description
|
system service-parameter-add identity security_compliance password_regex_description
|
||||||
|
system service-parameter-add identity security_compliance password_expires_days
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
``password_expire_days`` must be a positive integer.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90
|
||||||
|
+-------------+--------------------------------------+
|
||||||
|
| Property | Value |
|
||||||
|
+-------------+--------------------------------------+
|
||||||
|
| uuid | 27d24c80-e9de-37ce-9d26-f21236782be8 |
|
||||||
|
| service | identity |
|
||||||
|
| section | security_compliance |
|
||||||
|
| name | password_expires_days |
|
||||||
|
| value | 90 |
|
||||||
|
| personality | None |
|
||||||
|
| resource | None |
|
||||||
|
+-------------+--------------------------------------+
|
||||||
|
|
||||||
#. In order for the changes to take effect, apply the new configuration with
|
#. In order for the changes to take effect, apply the new configuration with
|
||||||
the command:
|
the command:
|
||||||
|
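Review bot: the new note says ``password_expire_days`` while the command line and the `name` row of the table use `password_expires_days`; change the note to `password_expires_days` so readers searching for the parameter find it. The example output (`value | 90`) matches the command `password_expires_days=90`, which is good.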
@ -0,0 +1,58 @@
|
|||||||
|
.. _linux-accounts-password-3dcad436dce4:
|
||||||
|
|
||||||
|
=============================
|
||||||
|
Linux Accounts Password Rules
|
||||||
|
=============================
|
||||||
|
|
||||||
|
.. rubric:: Check Current Password Expiry Settings
|
||||||
|
|
||||||
|
Before making any changes, you may want to check the current password expiry
|
||||||
|
settings for the user. You can do this by running the :command:`chage -l
|
||||||
|
<username>` command, replacing ``<username>`` with the name of the user whose
|
||||||
|
password expiry settings you want to view.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
sudo chage -l <username>
|
||||||
|
|
||||||
|
.. rubric:: Change Password Expiry Settings
|
||||||
|
|
||||||
|
To change the password expiry period of Linux accounts, run the :command:`chage`
|
||||||
|
command, as bellow:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M <days_to_expiry> <username>
|
||||||
|
|
||||||
|
For example, to set the maximum number of days before the password must be
|
||||||
|
changed to 60 days for a user named ``sysadmin``, you can use the following
|
||||||
|
command:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M 60 sysadmin
|
||||||
|
|
||||||
|
|
||||||
|
Verify Changes
|
||||||
|
--------------
|
||||||
|
|
||||||
|
After making the changes, verify that the new password expiry settings have
|
||||||
|
been applied by running the :command:`chage -l <username>` command again.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
chage -l <username>
|
||||||
|
|
||||||
|
For the example above of user ``sysadmin`` and expiry period of 60 days, the
|
||||||
|
output of ``chage -l <username>`` should be as follows:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ chage -l sysadmin
|
||||||
|
Last password change : abr 30, 2024
|
||||||
|
Password expires : jun 29, 2024
|
||||||
|
Password inactive : never
|
||||||
|
Account expires : never
|
||||||
|
Minimum number of days between password change : 0
|
||||||
|
Maximum number of days between password change : 60
|
||||||
|
Number of days of warning before password expires : 7
|
@ -14,9 +14,9 @@ other Linux Accounts, and Keystone accounts):
|
|||||||
|
|
||||||
.. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb:
|
.. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb:
|
||||||
|
|
||||||
- The password must be at least seven characters long.
|
- The password must be at least 12 characters long.
|
||||||
|
|
||||||
- You cannot reuse the last 2 passwords in history.
|
- You cannot reuse the last 5 passwords in history.
|
||||||
|
|
||||||
- The password must contain:
|
- The password must contain:
|
||||||
|
|
||||||
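Review bot: the same two bullets (`at least 12 characters long`, `last 5 passwords in history`) are changed identically in a second page in this change (hunk `@ -13,9 +13,9 @@ By default, the following rules apply:`); keeping the rule list in one included snippet would stop the two copies drifting the next time the policy changes. Also confirm that the keystone `unique_last_password_count` service parameter referenced in the security-compliance page is documented with a value consistent with the new "last 5 passwords" rule.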
@ -59,3 +59,6 @@ LDAP, sysadmin, and other Linux accounts):
|
|||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
This rule does not apply to the root user.
|
This rule does not apply to the root user.
|
||||||
|
|
||||||
|
For more details on Linux Accounts password rules see:
|
||||||
|
:ref:`linux-accounts-password-3dcad436dce4`.
|
||||||
|
@ -13,9 +13,9 @@ By default, the following rules apply:
|
|||||||
|
|
||||||
.. _security-system-account-password-rules-ul-jwb-g15-zw:
|
.. _security-system-account-password-rules-ul-jwb-g15-zw:
|
||||||
|
|
||||||
- The password must be at least seven characters long.
|
- The password must be at least 12 characters long.
|
||||||
|
|
||||||
- You cannot reuse the last 2 passwords in history.
|
- You cannot reuse the last 5 passwords in history.
|
||||||
|
|
||||||
- The password must contain:
|
- The password must contain:
|
||||||
|
|
||||||
|