Logging In to LunaSH
When you open a connection to the Luna Network HSM appliance (serial or SSH) you are presented with the login as: prompt. By default, only the admin user is enabled; the other roles must be enabled by an admin user before they can log in (see Enabling/Disabling Appliance User Accounts). After entering the user name and password, you are presented with the lunash:> prompt.
To log in to LunaSH on the Luna Network HSM appliance
1.At the login as: prompt, enter the name of the account you want to use (admin, operator, monitor, audit, or a custom user account) and press ENTER.
You are prompted for the password.
2.Enter the account password and press ENTER. If you are logging in to this account for the first time, the initial password is “PASSWORD” (uppercase).
NOTE You must log in within two minutes of opening an administration session, or the connection will time out. The username and passwords are case-sensitive.
3.For security, you are immediately prompted to change the factory-default password.
LunaSH passwords must be at least eight characters in length,
and include characters from at least three of the following four
groups:
> lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
> uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
> numeric: 0123456789
> special (spaces allowed): !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~
NOTE If you forget the password to any account, an admin-level user can set a new password for you (see Changing Appliance User Passwords).
If you forget the admin password, and no other admin-level accounts are available, you can use a local serial connection to log in to the recover account (see Recovering the Admin Account Password).
After successful login, the HSM appliance presents a lunash:> prompt. Type ? or help and press Enter for a summary of the main commands. Type ? followed by any of the commands, with or without parameters, and press Enter to see a summary of sub-commands and parameters for that command.
Failed Appliance Login Attempts
The response to failed login attempts is the same for admin, operator, monitor, audit, and any named users you have created, and is limited by default SSH settings:
>If you initiate an SSH session against the appliance, and fail to respond to the prompts, the session expires after 120 seconds. You must restart or launch a new session in your SSH terminal tool.
>If you initiate an SSH session against the appliance, provide a user name, and then provide an incorrect password, the session prompts you to re-attempt the correct password for that user account. If you fail to provide the correct authentication six (6) times, the session is dropped. You must restart or launch a new session in your SSH terminal tool.
The maximum number of simultaneous sessions per channel is the SSH default of 10. These factors help to limit the pace of brute-force attacks, while still allowing timely recovery from mistyping or forgetfulness by an administrative user.
You can configure Luna Network HSM to accept administrative connections (SSH) on only one Ethernet LAN port, and client (NTLS) connections on another.
Why does my new Network HSM appliance report failed logins?
Upon first login to the Network appliance, you might see a system message like the following:
Last failed login: Wed Jan 02 14:25:11 EDT 2019 from 192.168.10.105 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jan 02 14:15:09 from 192.168.10.105
This is expected. The manufacturing process uses a temporary password, then resets the default password and verifies that the temporary password is no longer valid. This accounts for the "failed login attempts".