Logging In to LunaSH
TIP This page concerns authentication and management of roles that govern network administrative access to the appliance.
That is, access, management, and use of the cryptographic module and its application partitions, are distinct from access to the physical platform (and operating system) in which the HSM resides. This is true:
>for Luna PCIe HSM 7 installed in a workstation that you provide, and
>for the same cryptographic module inside a Luna Network HSM 7 appliance with hardened operating system and administrative access restricted to the limited Luna shell command set.
On the appliance, the cryptographic module has its own separate and distinct authentication roles and requirements; see hsm init , hsm login, and partition init, partition init co, partition init cu, partition createChallenge, partition changePw, partition activate, and audit changePwd, audit login among the various other administrative operations on the SSH-accessible appliance command path, or via the equivalent REST APIs, as well as the client-side equivalent commands (in LunaCM) partition init, partition login, partition logout, and all the partition role commands.
When you open a connection to the Luna Network HSM 7 appliance (serial or SSH) you are presented with the login as: prompt. By default, only the admin user is enabled; the other roles must be enabled by an admin user before they can log in (see Enabling/Disabling Appliance User Accounts). After entering the user name and password, you are presented with the lunash:> prompt.
To log in to LunaSH on the Luna Network HSM 7 appliance
1.At the login as: prompt, enter the name of the account you want to use (admin, operator, monitor, audit, or a custom user account) and press ENTER.
You are prompted for the password.
2.Enter the account password and press ENTER. If you are logging in to this account for the first time, the initial password is “PASSWORD” (uppercase).
NOTE You must log in within two minutes of opening an administration session, or the connection will time out. The username and passwords are case-sensitive.
3.For security, you are immediately prompted to change the factory-default password.
LunaSH passwords must be at least eight characters in length,
and include characters from at least three of the following four
groups:
> lowercase alphabetic: abcdefghijklmnopqrstuvwxyz
> uppercase alphabetic: ABCDEFGHIJKLMNOPQRSTUVWXYZ
> numeric: 0123456789
> special (spaces allowed): !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~
NOTE If you forget the password to any account, an admin-level user can set a new password for you (see Changing Appliance User Passwords).
If you forget the admin password, and no other admin-level accounts are available, you can use a local serial connection to log in to the recover account (see Recovering the Admin Account Password).
After successful login, the HSM appliance presents a lunash:> prompt. Type ? or help and press Enter for a summary of the main commands. Type ? followed by any of the commands, with or without parameters, and press Enter to see a summary of sub-commands and parameters for that command.
NOTE If you are using Luna Appliance Software 7.7.1 or newer, SSH sessions timeout after 30 minutes of inactivity.
Failed Appliance Login Attempts
The response to failed login attempts is the same for admin, operator, monitor, audit, and any named users you have created, and is limited by default SSH settings:
>If you initiate an SSH session against the appliance, and fail to respond to the prompts, the session expires after 120 seconds. You must restart or launch a new session in your SSH terminal tool.
>If you initiate an SSH session against the appliance, provide a user name, and then provide an incorrect password, the session prompts you to re-attempt the correct password for that user account. If you fail to provide the correct authentication six (6) times*, the session is dropped. You must restart or launch a new session in your SSH terminal tool.
The maximum number of simultaneous sessions per channel is the SSH default of 10. These factors help to limit the pace of brute-force attacks, while still allowing timely recovery from mistyping or forgetfulness by an administrative user.
You can configure Luna Network HSM 7 to accept administrative connections (SSH) on only one Ethernet LAN port, and client (NTLS) connections on another.
* Luna Network HSM 7 Appliance Might Allow Fewer Than Six Bad Logins
Your appliance uses the default SSH setting for MaxAuthTries of six attempts; it will not allow more bad attempts. Two conditions can affect the number of tries that are permitted:
>The client with which you are connecting, can have a different number. If the client's MaxAuthTries number is greater, the appliance prevails and stops at six attempts. If the client's MaxAuthTries is lower, the client prevails.
>The client might have a preference set for public key authentication. If the appliance and client are unable to establish a public-key authenticated connection, then that attempt silently fails, and further attempts to authenticate with a bad password are halted after MaxAuthTries-1 (according to whichever party has the lower setting for bad login attempts).
Failed Logins Reported on New Luna Network HSM 7 Appliance
Upon first login to the Luna Network HSM 7 appliance, you might see a system message like the following:
Last failed login: Wed Jan 02 14:25:11 EDT 2019 from 192.168.10.105 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jan 02 14:15:09 from 192.168.10.105
This is expected. The manufacturing process uses a temporary password, then resets the default password and verifies that the temporary password is no longer valid. This accounts for the "failed login attempts".