Recover or Reset the Admin Account Password

The recover account is a limited-purpose account that has the permanent (or fixed) password "PASSWORD". The recover account's only purposes are:

> to reset the password of the admin user, if the admin password is lost/forgotten, or

> to reset the entire SafeNet Luna Network HSM appliance to blank condition (all passwords are reset, any contents [including any certificates] are erased and any partitions are removed).

As a security measure, recover can log in via the local serial connection only. The admin user's account password can be changed remotely by anyone who already knows it, but the admin user's password cannot be arbitrarily reset unless the person doing so has physical access to the appliance, to make the serial connection.

The recover account does not have the following:

> Lockout

> Password expiry

> Public key authentication (you cannot access recover via SSH anyway)

> SSH access

> Changeable password

CAUTION!   The exception to the "physical access to the appliance" statement is where you have your appliances connected to a "terminal server" that aggregates serial links and makes them accessible via telnet or similar. We do that in a test lab, where access control is not critical, and it can be very convenient when we are constantly setting up and tearing down appliances and HSM hosts for various test and verification scenarios. However, connection of your SafeNet appliances to a remotely accessible terminal server could expose an additional avenue of attack, and therefore we suggest that you always avoid allowing such a potential security opening in a production environment.

What to do if you ever forget or lose the admin password

1. Have the blue SO PED key available, and the Luna PED connected, powered on, and in Local PED-USB mode (see Changing Modes), for PED authenticated HSMs, or have the HSM password available for password authenticated HSMs.

2. Connect a serial terminal to the serial console connector on the SafeNet Luna Network HSM rear panel.

3. Log in as recover.

myLuna login: recover
Password:
Last login: Fri May  4 15:42:31 on ttyS0
 
WARNING !!  The recover function will stop the network interface, disable SSH
            service, reset the admin password to the default and then
            force you to change admin password from default before restarting the
            network interface and SSH service.  Network interface and SSH service
            will be re-enabled and restarted only if the recover process is successful.
 
If you are sure you wish to continue, type 'proceed', otherwise hit ENTER to abort.
 
proceed
Proceeding ...
 
  Please enter the HSM Administrators' password:
  > ********
 
'hsm login' successful.
 
 
Stopping sshd:                                             [  OK  ]
 
Changing password for user admin.
 
You can now choose the new password.
 
The password must be at least 8 characters long.
The password must contain characters from at least 3 of the following 4 categories:
    - Uppercase letters (A through Z)
    - Lowercase letters (a through z)
    - Numbers (0 through 9)
    - Non-alphanumeric characters (such as !, $, #, %)
 
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
 
Starting sshd:                                             [  OK  ]
 
Successfully performed admin password recovery. Exiting...

NOTE   If you have already initialized the HSM, then you are prompted for the HSM Security Officer credential. If you have not initialized the HSM prior to resetting the admin password, then no credential is required.

4. Log in as admin. You are prompted to change the admin password.

5. Change the admin password.

If you believe that your SafeNet Luna HSM server has not been compromised, you can resume using it as before (taking care to both remember and secure the admin password).

Do Not Cancel Out

See the "Warning" text at the beginning of the recover dialog, above. Use of the recover account sets the password of the admin account back to the factory value, and then forces a password change. Do not attempt to bypass the password change.

To prevent the admin account being accessible over the network with a known password during the recover procedure, SSH is disabled when the recover process begins. The SSH service is re-enabled only after the password is changed. Interrupting the process and avoiding the password change leaves SSH service off at boot time. If you cancel out partway through the process in order to retain the default password, instead of changing it when prompted, you might find that you no longer have SSH access.

If you encounter this problem, reconnect a local terminal and log into the recover account again, this time allowing it to complete the full process, ending with a proper, non-default password. If SSH service is still not available, contact Technical Support.
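The check below is an added example, not part of the vendor documentation: it reads a captured serial-console transcript of a recover session and reports whether the dialog ran to completion or was interrupted with sshd stopped. The marker strings are copied from the dialog shown above; the function name, result keys and sample transcripts are constructed for illustration.

```python
import re

# Marker strings are copied from the recover dialog shown on this page.
LOGIN = re.compile(r"^\S+ login: recover\s*$", re.M)
SSHD_STOP = re.compile(r"^Stopping sshd:\s+\[\s*OK\s*\]", re.M)
SSHD_START = re.compile(r"^Starting sshd:\s+\[\s*OK\s*\]", re.M)
PASSWD_OK = "passwd: all authentication tokens updated successfully."
DONE = "Successfully performed admin password recovery."


def audit_recover_session(transcript: str) -> dict:
    """Classify one captured serial-console session (hypothetical helper)."""
    if not LOGIN.search(transcript):
        return {"state": "no-recover-login", "ssh_left_off": False}
    if "Proceeding ..." not in transcript:
        # Dialog aborted (or capture ends) before 'proceed' was accepted.
        return {"state": "aborted-at-prompt", "ssh_left_off": False}
    stop = SSHD_STOP.search(transcript)
    start = SSHD_START.search(transcript, stop.end()) if stop else None
    pw_pos = transcript.find(PASSWD_OK)
    # Complete only if sshd restarted after the password change succeeded.
    complete = bool(stop and start and DONE in transcript
                    and stop.end() <= pw_pos < start.start())
    return {
        "state": "completed" if complete else "interrupted",
        "password_changed": pw_pos >= 0,
        "ssh_left_off": bool(stop) and start is None,
    }


# Constructed sample transcripts (abridged from the dialog above).
COMPLETE = """myLuna login: recover
Password:
proceed
Proceeding ...
'hsm login' successful.
Stopping sshd:                                             [  OK  ]
Changing password for user admin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Starting sshd:                                             [  OK  ]
Successfully performed admin password recovery. Exiting...
"""
INTERRUPTED = COMPLETE[:COMPLETE.index("New password:")]  # cancelled at prompt
ABORTED = COMPLETE[:COMPLETE.index("proceed")]            # ENTER at warning

if __name__ == "__main__":
    for name in ("COMPLETE", "INTERRUPTED", "ABORTED"):
        print(name, audit_recover_session(globals()[name]))
```

An "interrupted" result with `ssh_left_off` set is the case described above: rerun recover from the local console and let it finish with a non-default password.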

CAUTION!   During recovery, the network service is stopped and other services are affected. The minimum-effort resumption would be to reboot the system, which causes all services to restart with current configuration. However, for safety, you should consider manually restarting services from the local (serial) console, until all passwords have been changed from their default values.