5.2.6. Password Management

In this section, we are going to take a look at passwords and how to change them. This can be useful in the following cases:

  • To change the default password after the first OpenNAC Enterprise deployment.

  • If the password expires.

  • Whenever you want to change the password.

5.2.6.1. SSH Password

To change the root SSH password, access the machine over SSH and run:

passwd

You will be prompted to enter the new password twice.


To change the password of a user other than root, add the user name:

passwd <username>


Note

If the password is weak, passwd displays a message saying that it is a bad password.

5.2.6.2. MySQL Passwords

Two main users are used to access MySQL: root and admin. On the ON Core, a script that changes one or both of their passwords is located at /usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh

To check its usage, SSH into the machine and execute the script with the help option:

/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh --help

You need to indicate:

  • The role of the server you are on (the most common options are principal and worker):

    • “single”: server that reads and writes the MySQL database locally

    • “principal”: principal server replicating to worker servers, with all OpenNAC Enterprise services running (radius, collectd, …)

    • “only_principal”: principal server but only MySQL server (without other services)

    • “worker”: worker server replicating from a principal server

  • The current mysql root password (the default one is “opennac”)

  • The new mysql root password

  • The new mysql admin password (optional)

The usage can be:

cd /usr/share/opennac/utils/scripts/

./opennac_mysql_password_change.sh -s <server_role> -c <current_password> -r <new_root_password> -a <new_admin_password>

The script changes the access password and all the related files.
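
The following wrapper is an added example, not part of the OpenNAC Enterprise scripts: it prompts for the MySQL root passwords without echo so they are not typed on a command line that ends up in shell history, checks the role against the list above, and tests the new password against the locally checkable rules of the password policy in section 5.2.6.3 before calling the script. The function names are hypothetical, and it changes only the root password, since the admin password is optional.

```shell
#!/bin/sh
# Added example, not OpenNAC code. The script path, role names and the
# -s/-c/-r flags come from this page; the function names are hypothetical.
SCRIPT=/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh

# Succeeds only for the server roles the documentation lists.
valid_role() {
    case "$1" in
        single|principal|only_principal|worker) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks the locally testable policy rules for password $1 and user $2 and
# prints the first rule that fails. The license-plate and password-history
# rules are not covered here.
check_policy() {
    pw=$1; user=$2
    [ "${#pw}" -ge 8 ] || { echo "shorter than 8 characters"; return 1; }
    case "$pw" in *[[:lower:]]*) ;; *) echo "no lowercase character"; return 1 ;; esac
    case "$pw" in *[[:upper:]]*) ;; *) echo "no uppercase character"; return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$pw" in *[![:alnum:]]*) ;; *) echo "no special character"; return 1 ;; esac
    [ "$pw" != "$user" ] || { echo "equals the user name"; return 1; }
}

# Reads a secret into REPLY without echo, keeping it out of shell history.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r REPLY; stty echo
    printf '\n' >&2
}

# Prompts for the passwords, validates them, then calls the OpenNAC script.
change_mysql_root_password() {
    role=$1
    valid_role "$role" || { echo "unknown server role: $role" >&2; return 2; }
    read_secret "Current MySQL root password"; current=$REPLY
    read_secret "New MySQL root password"; new_root=$REPLY
    read_secret "Repeat new MySQL root password"
    [ "$REPLY" = "$new_root" ] || { echo "passwords do not match" >&2; return 1; }
    reason=$(check_policy "$new_root" root) || { echo "rejected: $reason" >&2; return 1; }
    # The values remain visible in the process list while the script runs.
    "$SCRIPT" -s "$role" -c "$current" -r "$new_root"
}

# Run only when a role is given, e.g.: sh change_mysql_root.sh worker
[ $# -eq 0 ] || change_mysql_root_password "$@"
```
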

5.2.6.3. Administration Portal Password

The default user/password is admin/opennac. To change the OpenNAC Enterprise Web Administration Portal password, you need to log in to the portal.

In the setting menu, click on the user icon to open the drop-down menu.


Select the Settings option to open the following configuration window:


Important

All passwords must comply with the password policy:

  • Password length: minimum 8 characters.

  • One or more lowercase characters.

  • One or more uppercase characters.

  • One or more numbers.

  • One or more special characters.

  • It cannot be the user’s name.

  • It cannot be a car license plate.

  • None of the last 3 passwords used can be reused.

The system enforces a password change annually. If for some reason you have lost access to the OpenNAC Enterprise Web Administration Portal, there is a script that resets the admin user’s password to the default value. The script serves as a lost-password recovery mechanism. To perform this password reset process, you need to access the ON Core terminal. Because the reset restores the default password, change it again from the portal once you have regained access.

Execute the script:

/usr/share/opennac/api/scripts/resetAdminPassword.php