5.1.6.1. Individual Password Management

This section explains how to change the password for each service separately, allowing for a more targeted approach.

5.1.6.1.1. SSH Password

To change the root SSH password, connect to the machine over SSH and run:

passwd

You will be prompted to enter the new password twice.



To change the password of a user other than root, add the username:

passwd <username>


Note

If the password is weak, a message warns you that it is a bad password.

5.1.6.1.2. MySQL Passwords

Two main users, each with its own password, are used to access MySQL: root and admin. On the ON Core, a script that changes one or both of these passwords is available at /usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh

To check its usage, SSH into the machine and run the script with the help option:

/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh --help


You need to indicate:

  • The role of the server you are on (the most common options are principal and worker):

    • “single”: server reading and writing locally on the MySQL database

    • “principal”: principal server with worker servers replicating from it, and with all OpenNAC Enterprise services running (radius, collectd, …)

    • “only_principal”: principal server running only the MySQL server (without other services)

    • “worker”: worker server replicating from a principal server

  • The current MySQL root password (the default one is “opennac”)

  • The new MySQL root password

  • The new MySQL admin password (optional)

Example usage:

cd /usr/share/opennac/utils/scripts/

./opennac_mysql_password_change.sh -s <server_role> -c <current_password> -r <new_root_password> -a <new_admin_password>

The script changes the access password and updates all the related files.

5.1.6.1.3. Administration Portal Password

The default user/password is admin/opennac. To change the OpenNAC Enterprise Web Administration Portal password, you first need to log in to the portal.

In the upper-right corner of the Administration Portal, select Settings. A configuration window is displayed.


In the Change password configuration, type your old password, then the new password twice, and click Accept to save the new configuration.

Important

All passwords must comply with the password policy:

  • Password length: minimum 8 characters.

  • One or more lowercase characters.

  • One or more uppercase characters.

  • One or more numbers.

  • One or more special characters.

  • It cannot be the user’s name.

  • It cannot be a car license plate.

  • None of the last 3 passwords used can be reused.
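
The locally checkable rules of this policy can be tested before a new password is submitted. The script below is an added example, not OpenNAC code: the function name policy_violations and the sample candidates are constructed, and it assumes a special character is any character other than an ASCII letter or digit. The license-plate and last-3-passwords rules are left to the server, because the page gives no plate format and the password history is not available locally.

```shell
#!/bin/sh
# Added example (not OpenNAC code): pre-check a candidate password against the
# locally checkable rules of the policy above. The product remains the enforcer.
# Assumption: a "special character" is any character that is not an ASCII
# letter or digit.
# Not checked: the license-plate rule (no plate format is given on the page)
# and the last-3-passwords rule (the history is held by the server).

# usage: policy_violations <username> <candidate>
# Prints the violated rules (space separated); exit status 0 means compliant.
policy_violations() (
    user=$1 pw=$2 out=""
    [ "${#pw}" -ge 8 ] || out="$out length<8"
    LC_ALL=C    # byte-wise ranges, so [a-z] never matches uppercase letters
    case $pw in *[a-z]*) ;; *) out="$out no-lowercase" ;; esac
    case $pw in *[A-Z]*) ;; *) out="$out no-uppercase" ;; esac
    case $pw in *[0-9]*) ;; *) out="$out no-number" ;; esac
    case $pw in *[!a-zA-Z0-9]*) ;; *) out="$out no-special" ;; esac
    [ "$pw" != "$user" ] || out="$out equals-username"
    out=${out# }                 # drop the leading separator
    printf '%s\n' "$out"
    [ -z "$out" ]                # status 0 only when nothing was violated
)

# Constructed sample input: "<username> <candidate>" pairs. "opennac" is the
# default password named on this page; the second candidate is made up.
while read -r u p; do
    if v=$(policy_violations "$u" "$p"); then
        echo "$u: candidate is compliant"
    else
        echo "$u: candidate rejected ($v)"
    fi
done <<'EOF'
admin opennac
admin Tr4verse!Gate
EOF
```

The default password opennac fails four of the rules, which is why it should be replaced on first login and after every reset.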

The system enforces a password change annually.

If you have lost access to the OpenNAC Enterprise Web Administration Portal, a script is available that resets the admin user’s password to the default value, acting as a lost-password recovery. To perform this password reset, you need access to the ON Core terminal.

Execute the script:

/usr/share/opennac/api/scripts/resetAdminPassword.php