5.1.6.1. Individual Password Management
This section provides information on how to change passwords for the services separately, allowing for a more targeted approach.
5.1.6.1.1. SSH Password
To change the root SSH password, connect to the machine over SSH and run:
passwd
You will be prompted to enter the new password twice.

To change the password of a user other than root, add the username:
passwd <username>

Note
If the password is weak, a message warns you that it is a bad password.
5.1.6.1.2. MySQL Passwords
There are two main users/passwords used to access MySQL: root and admin. On the ON Core, there is a script to change one or both of the passwords at /usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh
To check its usage, SSH into the machine and execute the script with the help option:
/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh --help

You need to indicate:
The server role of the machine you are on (the most common options are principal and worker):
    “single”: server reading and writing locally on the MySQL database
    “principal”: principal server replicating to worker servers, with all OpenNAC Enterprise services running (radius, collectd, …)
    “only_principal”: principal server running only the MySQL server (without other services)
    “worker”: worker server replicating from a principal server
The current mysql root password (the default one is “opennac”)
The new mysql root password
The new mysql admin password (optional)
The usage can be:
cd /usr/share/opennac/utils/scripts/
./opennac_mysql_password_change.sh -s <server_role> -c <current_password> -r <new_root_password> -a <new_admin_password>
The script changes the access password and all the related files.
5.1.6.1.3. Administration Portal Password
The default user/password is admin/opennac. To change the OpenNAC Enterprise Web Administration Portal password, you will need to access it:
In the upper right corner, select Settings, type your old password, type the new password twice, and click on Accept.


Important
All passwords must comply with the password policy:
Password length: minimum 8 characters.
One or more lowercase characters.
One or more uppercase characters.
One or more numbers.
One or more special characters.
It cannot be the user’s name.
It cannot be a car license plate.
None of the last 3 passwords used can be reused.
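A pre-check of a candidate password against the policy above, as an added example that is not part of the OpenNAC Enterprise documentation or product code. The function name check_policy is hypothetical; it reads "special characters" as POSIX punctuation, takes previous passwords as optional arguments, and skips the license-plate rule because the page gives no plate format.

```shell
#!/bin/sh
# Added example (not OpenNAC code): pre-check a candidate password against
# the policy listed above. check_policy is a hypothetical helper name.
# Usage: check_policy <username> <candidate> [previous_password ...]
#   previous passwords, if given, are ordered most recent first.
# Prints one line per violated rule; returns 0 only when none is violated.
check_policy() {
    [ "$#" -ge 2 ] || { echo "usage: check_policy <username> <candidate> [previous ...]"; return 2; }
    user=$1; pw=$2; shift 2
    rc=0

    # Password length: minimum 8 characters.
    [ "${#pw}" -ge 8 ] || { echo "too short: minimum 8 characters"; rc=1; }

    # One or more characters from each required class.
    # Assumption: "special characters" is read as POSIX punctuation.
    case $pw in *[[:lower:]]*) ;; *) echo "missing lowercase character"; rc=1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "missing uppercase character"; rc=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "missing number"; rc=1 ;; esac
    case $pw in *[[:punct:]]*) ;; *) echo "missing special character"; rc=1 ;; esac

    # It cannot be the user's name.
    [ "$pw" != "$user" ] || { echo "password equals the user name"; rc=1; }

    # None of the last 3 passwords can be reused; older ones are ignored.
    n=0
    for old in "$@"; do
        n=$((n + 1))
        [ "$n" -le 3 ] || break
        [ "$pw" != "$old" ] || { echo "reuses one of the last 3 passwords"; rc=1; break; }
    done

    # The license-plate rule is not checked: the page defines no plate format.
    return "$rc"
}

# Constructed sample: the documented default password fails the policy.
check_policy admin 'opennac' || echo "=> rejected"
```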
The system enforces a password change annually.
If for some reason you have lost access to the OpenNAC Enterprise Web Administration Portal, there is a script that resets the admin user’s password to the default value. The script acts as a lost password recovery. To perform this password reset process, you need to access the ON Core terminal.
Execute the script:
/usr/share/opennac/api/scripts/resetAdminPassword.php
