Manage Appliance User Passwords
TIP This page concerns authentication and management of roles that govern network administrative access to the appliance.
That is, access to, management of, and use of the cryptographic module and its application partitions are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:
>for Luna PCIe HSM 7 installed in a workstation that you provide, and
>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.
On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements. See hsm init, hsm login, partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, audit changePwd, and audit login among the other administrative operations on the SSH-accessible appliance command path (or the equivalent REST APIs), as well as the client-side equivalents in LunaCM: partition init, partition login, partition logout, and the partition role commands.
Configuring appliance user password parameters and behavior
Luna Appliance Software 7.9.0 and newer includes enhanced password management and configuration for administrative roles on the Luna Network HSM 7 appliance. You can now configure:
>password length constraints
>the number of previous passwords that are remembered and not permitted to re-use (password history)
>the lifetime of a user password (expiry)
>handling of bad login attempts
CAUTION! This feature is not supported for use with Clusters; do not enable it on any Luna Network HSM 7 that is a member of a cluster.
NOTE
>If you reimage the appliance to an earlier version, these appliance-user password-management commands and operations will no longer exist; nor will their effects on users' passwords and handling.
Firmware rollback and firmware upgrade would have no effect, because the HSM (the cryptographic module) and its firmware are not involved in appliance-level (the host machine) user accounts.
>The appliance user password configuration settings described here are not preserved by the sysconf config backup and sysconf config export and sysconf config restore operations.
Password history
You can optionally set a password history for users of the appliance, such that:
>the minimum number of passwords that are remembered (and forbidden to reuse) is one (1),
>the maximum number of remembered passwords is ten (10), and
>the default is four (4).
If the history option is disabled, then no previous passwords are excluded at password change, meaning that a user can continue [re-]using the same password indefinitely.
Setting a default (4) password history
To set the default number of previous passwords (4) that the appliance excludes the next time users change their passwords, do the following:
1.Run the sysconf user password history command without a number.
lunash:>sysconf user sh
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
[localhost] lunash:>sysconf user password history
Password history set to 4 successfully.
Command Result : 0 (Success)
2.[Optional] view the new setting.
lunash:>sysconf user sh
Password policies:
=====================
History : 4
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
3.[Optional] Verify by performing some password changes.
[localhost] lunash:>user password
Changing password for user admin.
You can now choose the new password.
The password must be at least 8 characters long.
The password must contain characters from the following categories:
- Uppercase letters (A through Z)
- Lowercase letters (a through z)
- Numbers (0 through 9)
- Non-alphanumeric characters (such as !, $, #, %)
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Command Result : 0 (Success)
[localhost] lunash:>
  :
  : <another change>
  : <another change>
  :
[localhost] lunash:>user password
Changing password for user admin.
You can now choose the new password.
The password must be at least 8 characters long.
The password must contain characters from the following categories:
- Uppercase letters (A through Z)
- Lowercase letters (a through z)
- Numbers (0 through 9)
- Non-alphanumeric characters (such as !, $, #, %)
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Command Result : 0 (Success)
The current user has now accumulated at least 4 prior passwords that should be forbidden to reuse.
4.Try a password change, reusing any of the most recent 4 passwords.
lunash:>user password
Changing password for user admin.
You can now choose the new password.
The password must be at least 8 characters long.
The password must contain characters from the following categories:
- Uppercase letters (A through Z)
- Lowercase letters (a through z)
- Numbers (0 through 9)
- Non-alphanumeric characters (such as !, $, #, %)
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Have exhausted maximum number of retries for service
Failed to set password.
Command Result : 65535 (Luna Shell execution)
Any password that has been used in the past 'n' password changes (in this case the default 4 prior passwords) is rejected.
5.Then try with a unique password, or a password that is older than the number remembered by the history.
lunash:>user password
Changing password for user admin.
You can now choose the new password.
The password must be at least 8 characters long.
The password must contain characters from the following categories:
- Uppercase letters (A through Z)
- Lowercase letters (a through z)
- Numbers (0 through 9)
- Non-alphanumeric characters (such as !, $, #, %)
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Command Result : 0 (Success)
A unique password, or a password that was used before the most recent 'n' (in this example, 4) passwords, is accepted.
Setting a specific password history
To set a desired number of passwords for the appliance to exclude, when appliance users change their passwords, do the following:
1.Run the sysconf user password history command with a number.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
[localhost] lunash:>sysconf user password history 6
Password history set to 6 successfully.
Command Result : 0 (Success)
2.[Optional] view the new setting.
lunash:>sysconf user show
Password policies:
=====================
History : 6
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
Password length
You can optionally set a minimum password length for users of the appliance, such that:
>the minimum number of characters allowed in passwords can be set between eight (8) and thirty (30)
>the default is eight (8).
Setting a specific minimum permitted password length
To set a desired minimum number of characters permitted in any new appliance user passwords, do the following:
1.Run the sysconf user password length command with a number.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
lunash:>sysconf user password length 15
Minimum password length set to 15 characters
Command Result : 0 (Success)
2.[Optional] view the new setting.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 15 characters
Login policy : disabled
Command Result : 0 (Success)
Setting the default minimum password length
To set the default minimum number of characters permitted in any new appliance user passwords, do the following:
1.Run the sysconf user password length command with no number specified.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 15 characters
Login policy : disabled
Command Result : 0 (Success)
lunash:>sysconf user password length
Minimum password length set to 8 characters
Command Result : 0 (Success)
2.[Optional] view the new setting.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
NOTE For security reasons it is not possible to disable the requirement for a minimum password length.
Password expiry
After software upgrade, the password expiry option is in a "never enabled" state, shown as a value of 99999 days; in practice, passwords do not expire until you set an expiry period.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : 99999 days
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
Setting a default 90 day expiry period for passwords
To set a password expiry to the default value, do the following:
1.Run the command sysconf user password expire without a number.
lunash:>sysconf user password expire
User password expiration set to 90 days successfully.
Command Result : 0 (Success)
2.[Optional] Verify that the 90 day value is in force.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : 90 days
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
Setting a specific expiry period for passwords
To set a password expiry, do the following:
1.Run the command sysconf user password expire with a number between 1 and 365.
lunash:>sysconf user password expire 30
User password expiration set to 30 days successfully.
Command Result : 0 (Success)
2.[Optional] Verify that the value is in force.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : 30 days
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
Disabling expiry for appliance user passwords
To disable password expiry, do the following:
1.Run the command sysconf user password expire with no number and include the -disable flag.
lunash:>sysconf user password expire -disable
User password expiration disabled.
Command Result : 0 (Success)
2.[Optional] Verify that expiry is disabled.
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
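The history, minimum-length, and expiry rules described in the three sections above can be exercised offline with the following model. This is an added example, not Thales code and not the appliance's own enforcement (which is done by the appliance operating system); it reproduces the documented ranges for sysconf user password length, history and expire, the four character categories listed by the user password prompt, and the "Password has been already used" rejection. The class and function names, the salted SHA-256 stand-in for the OS password hashes, and the sample passwords are all constructed for this example. It assumes, as the walkthrough above shows, that a history of 'n' rejects the 'n' most recent passwords including the current one.

```python
"""Offline model of the appliance user-password rules (added example, not Thales code)."""
import hashlib
import os
import re
from datetime import date, timedelta
from typing import List, Optional

NEVER_EXPIRES = 99999  # "Expire after : 99999 days" shown while expiry was never enabled


class PolicyError(ValueError):
    """Raised when a setting or a new password violates the policy."""


class AppliancePasswordPolicy:
    # The four categories listed by the `user password` prompt.
    CATEGORIES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                  re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))

    def __init__(self, min_length: int = 8, history: Optional[int] = None,
                 expire_days: Optional[int] = None):
        # Ranges documented on this page; None models "disabled".
        if not 8 <= min_length <= 30:
            raise PolicyError("minimum length must be between 8 and 30")
        if history is not None and not 1 <= history <= 10:
            raise PolicyError("history must be between 1 and 10, or disabled")
        if expire_days not in (None, NEVER_EXPIRES) and not 1 <= expire_days <= 365:
            raise PolicyError("expiry must be between 1 and 365 days, or disabled")
        self.min_length, self.history, self.expire_days = min_length, history, expire_days
        self._users = {}  # user -> {"hashes": [(salt, digest), ...], "changed": date}

    @staticmethod
    def _digest(salt: bytes, password: str) -> str:
        # Salted SHA-256 stands in for the OS crypt() hashes (assumption):
        # the remembered history never holds cleartext passwords.
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def complexity_errors(self, password: str) -> List[str]:
        """Length and category checks, independent of any user's history."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"must be at least {self.min_length} characters long")
        if not all(c.search(password) for c in self.CATEGORIES):
            errors.append("must contain upper, lower, digit and non-alphanumeric characters")
        return errors

    def change_password(self, user: str, new_password: str, today: date) -> None:
        """Apply the checks made at `user password`; raise PolicyError on rejection."""
        errors = self.complexity_errors(new_password)
        if errors:
            raise PolicyError("; ".join(errors))
        rec = self._users.setdefault(user, {"hashes": [], "changed": today})
        if self.history is not None:
            # Only the most recent `history` passwords are remembered and excluded.
            for salt, digest in rec["hashes"][-self.history:]:
                if self._digest(salt, new_password) == digest:
                    raise PolicyError("Password has been already used. Choose another.")
        salt = os.urandom(16)
        rec["hashes"].append((salt, self._digest(salt, new_password)))
        rec["changed"] = today

    def is_expired(self, user: str, today: date) -> bool:
        """True once the password is older than the configured expiry period."""
        if self.expire_days in (None, NEVER_EXPIRES):
            return False
        return today - self._users[user]["changed"] > timedelta(days=self.expire_days)


def config_rejected(**settings) -> bool:
    """True if the constructor refuses these settings (out-of-range values)."""
    try:
        AppliancePasswordPolicy(**settings)
        return False
    except PolicyError:
        return True


def demo() -> dict:
    """Replay the page's walkthrough: history 4, minimum length 8, expiry 90 days."""
    policy = AppliancePasswordPolicy(min_length=8, history=4, expire_days=90)
    day = date(2024, 1, 1)
    # Constructed sample passwords; each satisfies all four categories.
    for pw in ["Alpha-001!", "Bravo-002!", "Charlie-003!", "Delta-004!", "Echo-005!"]:
        policy.change_password("admin", pw, day)
    results = {"weak": policy.complexity_errors("Short1!"),
               "no_categories": policy.complexity_errors("alllowercase")}
    for label, pw in (("reuse_recent", "Bravo-002!"), ("reuse_old", "Alpha-001!")):
        try:
            policy.change_password("admin", pw, day)
            results[label] = "accepted"
        except PolicyError as exc:
            results[label] = str(exc)
    results["expired_day90"] = policy.is_expired("admin", day + timedelta(days=90))
    results["expired_day91"] = policy.is_expired("admin", day + timedelta(days=91))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module replays the sequence from the walkthrough: the second of five passwords is rejected as already used, the first (now older than the four remembered) is accepted, and the password counts as expired only once it is more than 90 days old. The constructor rejects the same out-of-range values the commands reject, which is a convenient place to notice that a 99999-day "never enabled" expiry is not the same thing as an expiry you chose.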
Bad login / failed login handling
The sysconf user login command lets you set how the appliance reacts when login attempts fail.
>The -interval option sets a detection window (a number of seconds) during which failed login attempts are counted.
>The -attempt option sets the number 'n' of failed attempts that are counted during the window.
>The -release option sets the lockout duration (a number of seconds).
>The attempt count and the window start at the first failed login attempt made when no window or lockout period is in effect; that first failure sets the count to one (1).
>If 'n' failed attempts occur within the window, the account is locked out until the release period has elapsed.
>A detection window in progress has these effects:
•If fewer than 'n' failed attempts are detected before the end of the window is reached, no lockout occurs; the window and the count simply end.
•If a successful login occurs during the window, before 'n' failed attempts have been reached, the window ends and the count is reset to zero (0).
•If attempts simply stop (no further failed or successful attempts), the window runs to its time-out, ends, and the count is reset to zero (0).
•The first failed login after a window has closed starts a new window with the count at one (1).
>Lockout configuration applies to all appliance users, but a lockout is specific to the user account that triggered it and does not affect other users.
>Bad login attempts during a lockout period are refused.
>Correct login attempts during a lockout period are also refused; presenting the valid password does not end a lockout.
>The affected user can log into their account on the appliance again once the lockout period ends.
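The window, count and lockout rules listed above interact in ways that are easy to get wrong when reading them as prose (whether a correct password is refused under lockout, whether failures spread wider than the window ever add up, what a success in mid-window does). The following model, an added example that is not Thales code and does not reproduce the appliance's actual SSH/PAM implementation, encodes the rules as a per-user state machine and replays the two parameter sets used in the examples below. Two details the page does not state are assumed and marked in the code: a failed attempt made during a lockout does not extend the lockout, and a window of -interval seconds is closed once that many seconds have passed since its first failure. All class, function and user names are constructed for the example.

```python
"""Offline model of `sysconf user login` bad-login handling (added example, not Thales code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginPolicy:
    attempts: int  # -attempts: failures within the window that trigger a lockout
    interval: int  # -interval: detection window, in seconds
    release: int   # -release: lockout duration, in seconds


@dataclass
class _UserState:
    failures: int = 0
    window_start: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    """The policy is appliance-wide; the count and any lockout are per user."""

    def __init__(self, policy: LoginPolicy):
        self.policy = policy
        self._state: Dict[str, _UserState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'accepted', 'denied' (bad password, no lockout) or 'locked' (refused by lockout)."""
        st = self._state.setdefault(user, _UserState())
        p = self.policy
        if st.locked_until is not None:
            # Lockout in force: wrong and correct passwords alike are refused.
            # Assumption: a failure here does not extend the lockout.
            if now < st.locked_until:
                return "locked"
            st.locked_until = None  # release interval elapsed; user may log in again
        if st.window_start is not None and now - st.window_start >= p.interval:
            # Window closed (assumed at exactly -interval seconds) with fewer
            # than `attempts` failures: the count simply ends.
            st.window_start, st.failures = None, 0
        if password_ok:
            # Success before the threshold ends the window and resets the count.
            st.window_start, st.failures = None, 0
            return "accepted"
        if st.window_start is None:
            st.window_start = now  # first failure opens a new window; count becomes 1
        st.failures += 1
        if st.failures >= p.attempts:
            st.locked_until = now + p.release
            st.window_start, st.failures = None, 0
            return "locked"
        return "denied"


def scenario_page_example() -> List[str]:
    """-attempts 5 -release 600 -interval 300: five bad passwords, then correct ones."""
    t = LockoutTracker(LoginPolicy(attempts=5, interval=300, release=600))
    out = [t.attempt("admin", False, s) for s in range(5)]  # t = 0..4 s
    out.append(t.attempt("admin", True, 10))       # correct password, still locked
    out.append(t.attempt("monitor", True, 10))     # other users are unaffected
    out.append(t.attempt("admin", True, 4 + 600))  # release interval has elapsed
    return out


def scenario_window_expiry() -> List[str]:
    """-attempts 4 -interval 600: failures spread wider than the window never lock out."""
    t = LockoutTracker(LoginPolicy(attempts=4, interval=600, release=300))
    out = [t.attempt("admin", False, s) for s in (0, 100, 200)]  # count reaches 3
    out.append(t.attempt("admin", False, 600))  # window closed: new window, count 1
    out.append(t.attempt("admin", False, 700))  # count 2
    out.append(t.attempt("admin", False, 800))  # count 3, still no lockout
    return out


def scenario_success_resets() -> List[str]:
    """A successful login mid-window resets the count; the next window starts fresh."""
    t = LockoutTracker(LoginPolicy(attempts=4, interval=600, release=300))
    out = [t.attempt("admin", False, s) for s in (0, 1, 2)]   # count 3
    out.append(t.attempt("admin", True, 3))                    # success: count 0, window ends
    out += [t.attempt("admin", False, s) for s in (4, 5, 6)]   # count 3 again, no lockout
    out.append(t.attempt("admin", False, 7))                   # 4th failure in new window
    return out


if __name__ == "__main__":
    for fn in (scenario_page_example, scenario_window_expiry, scenario_success_resets):
        print(fn.__name__, fn())
```

The first scenario is the point a practitioner most often needs to explain to a locked-out administrator: after the fifth failure, even the correct password is refused until the 600-second release interval has run, while the monitor account is untouched. The other two show that the -interval window, not the lifetime of the session, bounds the count, and that one successful login discards the failures already accumulated.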
Password example of bad-login behavior
1.Set the parameters for password handling.
lunash:>sysconf user login -attempts 5 -release 600 -interval 300
Restarting ssh...
Login policy set successfully.
Command Result : 0 (Success)
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Deny attempts : 5
Release interval : 600 seconds
Detection window : 300 seconds
Command Result : 0 (Success)
2.Make five login attempts with incorrect passwords.
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
Remote side sent disconnect message
type 2 (protocol error):
"Too many authentication failures"
Radius example of bad-login behavior
1.Start by ensuring that Radius is enabled, with a server deployed.
lunash:>sysconf radius show
RADIUS for SSH is enabled with the following deployed servers:
server:port timeout
-------------------------
10.124.143.226:1812 30
Command Result : 0 (Success)
2.Verify that a suitable user exists on the appliance.
lunash:>user list
Users Roles Status RADIUS
-------------------- -------- -------- --------
admin admin enabled no
audit audit disabled no
monitor monitor disabled no
operator operator disabled no
radius monitor enabled yes
Command Result : 0 (Success)
3.For this example, the password-related user settings start in the default conditions:
lunash:>sysconf user sh
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Login policy : disabled
Command Result : 0 (Success)
Apply some configuration settings.
lunash:>sysconf user login -attempt 4 -release 300 -interval 600
Restarting ssh...
Login policy set successfully.
Command Result : 0 (Success)
lunash:>sysconf user show
Password policies:
=====================
History : disabled
Expire after : disabled
Minimum length : 8 characters
Deny attempts : 4
Release interval : 300 seconds
Detection window : 600 seconds
Command Result : 0 (Success)
4.Try some bad login attempts for the RADIUS-authenticated user.
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
Remote side sent disconnect message
type 2 (protocol error):
"Too many authentication failures"
5.Attempt a correct login immediately after the lockout was triggered (that is, within the set lockout period).
########################### Correct logins within fail lockout ###########################
Keyboard-interactive authentication prompts from server:
|
| Too many failed login attempts have been detected.
|
| Please try again later.
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
|
| Too many failed login attempts have been detected.
|
| Please try again later.
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
|
| Too many failed login attempts have been detected.
|
| Please try again later.
| Password:
6.After the lockout period expires (5 minutes for this example, the 300-second -release value set above), login with the correct credential again becomes possible.