Recovering the Admin Account Password

The recover account is a limited-purpose account that has the permanent (fixed) password "PASSWORD". The recover account's only purpose is to reset the password of the admin user, if the admin password is lost/forgotten.

As a security measure, recover can log in via the local serial connection only. The admin user's account password can be changed remotely by anyone who already knows it, but the admin user's password cannot be arbitrarily reset unless the person doing so has physical access to the appliance, to make the serial connection.

CAUTION!   The exception to this rule is where you have your appliances connected to a "terminal server" that aggregates serial links and makes them accessible via telnet or similar. This configuration is useful in a test lab, where access control is not critical, and it can be very convenient when setting up and tearing down appliances for various test and verification scenarios. However, connection of your SafeNet appliances to a remotely accessible terminal server could expose an additional avenue of attack, and therefore Thales recommends that you avoid allowing this potential security opening in a production environment.

The recover account cannot be locked out, and its default password does not expire.

To reset the admin account password

1.Connect a serial terminal to the serial console connector on the SafeNet Luna Network HSM rear panel.

2.Log in to LunaSH as recover, using the fixed password "PASSWORD".

NOTE   If the HSM is initialized, you are required to present the HSM Security Officer (SO) credential. Therefore, only the SO can perform this operation. If you have not initialized the HSM prior to resetting the admin password, then no credential is required.

You are prompted to set a new admin password (see Do Not Cancel Out).

LunaSH passwords must be at least eight characters in length, and include characters from at least three of the following four groups:
>  lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
>  uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
>  numeric: 0123456789
>  special (spaces allowed):  !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

If you believe that your SafeNet Luna Network HSM has not been compromised, you can resume using it as before (taking care to both remember and secure the admin password).

Do Not Cancel Out

See the Caution text at the beginning of the recover dialog above. Use of the recover account sets the password of the admin account back to the factory value, and then forces a password change. Do not attempt to bypass the password change.

To prevent the admin account being accessible over the network with a known password during the recover procedure, SSH is disabled when the recover process begins. The SSH service is re-enabled only after the password is changed. Interrupting the process and avoiding the password change leaves SSH service off at boot time. If you cancel out partway through the process in order to retain the default password, instead of changing it when prompted, you might find that you no longer have SSH access.

If you encounter the problem, reconnect a local terminal and log into the recover account again, this time allowing it to complete the full process, ending with a proper, non-default password. If SSH service is still not available, contact Technical Support.

CAUTION!   During recovery, the network service is stopped and other services are affected. The minimum-effort resumption would be to reboot the system, which causes all services to restart with current configuration. However, for safety, you should consider manually restarting services from the local (serial) console, until all passwords have been changed from their default values.