
Administration & Maintenance

Recover or reset admin account password

The 'recover' account is a limited-purpose account that has the permanent (or fixed) password "PASSWORD". The 'recover' account's only purposes are:

As a security measure, 'recover' can log in only via the local serial connection.

What to Do

If you ever forget or lose the admin password:

  1. Have the HSM authentication ready. For PED-authenticated (FIPS 140-3) HSMs, have the blue SO PED Key available and the Luna PED connected, powered on, and showing "Awaiting command..". For password-authenticated HSMs, have the HSM password available.
  2. Connect a serial terminal to the serial console connector on the Luna HSM server front panel.
  3. Log in as "recover".
    myluna login: recover 
    Password: 
    Last login: Wed Apr 13 10:21:37 on ttyS0 
    WARNING !! The recover function will stop the network interface, disable SSH
    service, reset the admin password to the default and then
    force you to change admin password from default before restarting the
    network interface and SSH service. Network interface and SSH service
    will be re-enabled and restarted only if the recover process is successful. 
    If you are sure you wish to continue, type ‘proceed’, otherwise hit ENTER to abort. 
    proceed 
    Proceeding ... 
    HSM is zeroized. Will proceed to recover admin password. 
    Stopping sshd:[ OK ] 
    Shutting down interface eth0: [ OK ] 
    Shutting down loopback interface: [ OK ]  
    Changing password for user admin. 
    You can now choose the new password. 
    A valid password should be a mix of upper and lower case letters, 
    digits, and other characters. You can use an 8 character long 
    password with characters from at least 3 of these 4 classes. 
    An upper case letter that begins the password and a digit that 
    ends it do not count towards the number of character classes used. 
    Enter new password: 
    Re-type new password: 
    passwd: all authentication tokens updated successfully. 
    Bringing up lookback interface: [ OK ] 
    Bringing up interface eth0: 
    Determining IP information for eth0… failed. 
    [FAILED] 
    Bringing up interface eth1: 
    Determining IP information for eth1.. failed; no link present. Check cable? 
    [FAILED] 
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release 
    [ OK ] 
    Successfully performed admin password recovery. Exiting …

 

If you have already initialized the HSM, then you are prompted for the appropriate blue PED Key. If you have not initialized the HSM prior to resetting the admin password, then the default HSM SO authentication is used, from the Luna PED, and no PED Key is required.

 

  4. Log in as 'admin'. You are prompted to change the 'admin' password.
  5. Change the 'admin' password.
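
The password rule quoted in the recover prompt in step 3 does not count a leading upper-case letter or a trailing digit toward the character classes, which is easy to miss when choosing the new 'admin' password at the console. The following is an added example, not part of the Luna documentation or the appliance software: it implements only the rule as quoted in that prompt (8 characters, at least 3 of 4 classes), the function names are illustrative, and treating every non-alphanumeric character as "other" is an assumption.

```python
import string

MIN_LENGTH = 8    # "an 8 character long password"
MIN_CLASSES = 3   # "at least 3 of these 4 classes"


def counted_classes(password):
    """Return the set of character classes that count toward the rule."""
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch in string.ascii_uppercase:
            if i != 0:            # a leading upper-case letter is not counted
                classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            if i != last:         # a trailing digit is not counted
                classes.add("digit")
        else:
            classes.add("other")  # assumption: anything else is "other"
    return classes


def check_password(password):
    """Return (ok, reason) for the quoted 8-character / 3-class rule."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    classes = counted_classes(password)
    if len(classes) < MIN_CLASSES:
        return False, "only %d counted class(es): %s" % (
            len(classes), ", ".join(sorted(classes)) or "none")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, not values from the manual.
    for candidate in ["Password1", "Abcdefg1", "aB3$", "pAssw0rd", "Passw0rd!"]:
        ok, reason = check_password(candidate)
        print("%-10s %-6s %s" % (candidate, "accept" if ok else "reject", reason))
```

The appliance may apply further checks beyond the text shown in the prompt, so a candidate that passes here can still be refused at the console.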

If you believe that your Luna HSM server has not been compromised, you can resume using it as before (taking care to both remember and secure the 'admin' password).

During recovery, the network service is stopped and other services are affected. The minimum-effort resumption would be to reboot the system, which causes all services to restart with current configuration. However, for safety, you should consider manually restarting services from the local (serial) console, until all passwords have been changed from their default values.

 

The recover account does not have the following:
- lockout
- password expiry
- public key authentication (you cannot access 'recover' via SSH anyway)
- SSH access
- changeable password