Introduction
This document describes the procedure to recover cloud-user passwords in the Cloud Native Deployment Platform (CNDP) Policy Control Function (PCF).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Note: Cisco recommends that you must have cloud-user and privilege root access to PCF CLI.
Components Used
The information in this document is based on these software and hardware versions:
- PCF
- Unified Computing System (UCS)-B
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The user cloud-user is used for CLI access to PCF setup for Operation and Maintenance (OAM) works. As per Cisco security policy for all the products, the maximum age of passwords is set as 90 days by default.
Problem
Suppose you access PCF setup with the user as cloud-user post the password expiry date, then PCF denies you to access it. In that case, you must first recover the password for the cloud-user user and then it is required to set the expiry of the password as "never".
Procedure to Recover cloud-user Password in PCF
Consider a case where the worker-15 node cloud-user password has expired.
Step 1. Log in to the Cluster Manager and from there access worker-15 via ssh.
It asks for a password change and then you have to provide a new password. The new password must be different from the old password. You must be able to login into worker-15 now.
Later you can change the password back to the old password.
§cloud-user@pcf-cm-1:~$ ssh xx.xx.xx.xx //worker-15 IP address
§Authorized uses only. All activity may be monitored and reported.
§Password:
§You are required to change your password immediately (password aged)
§Changing password for cloud-user.
§(current) UNIX password:
§New password:
§Retype new password:
§Retype new password:
§Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-49-generic x86_64)
§
§ * Documentation: https://help.ubuntu.com
§ * Management: https://landscape.canonical.com
§ * Support: https://ubuntu.com/advantage
§
§ * Canonical Livepatch is available for installation.
§ - Reduce system reboots and improve kernel security. Activate at:
§ https://ubuntu.com/livepatch
§
§9 packages can be updated.
§0 of these updates are security updates.
§To see these additional updates run: apt list --upgradable
§
§Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
§cloud-user@pcf-worker-15:~$
Step 2. Take a backup of common-password and pwquality.conf files.
cloud-user@pcf-worker-15:~$ cd /etc/pam.d/
cloud-user@pcf-worker-15:/etc/pam.d$ ls -lrt common-password
-rw-r--r-- 1 cloud-user cloud-user 1770 Apr 19 08:01 common-password
cloud-user@pcf-worker-15:/etc/pam.d$ cp common-password common-password_bkp
cloud-user@pcf-worker-15:/etc/pam.d$ cd /etc/security/
cloud-user@pcf-worker-15:/etc/security$ ls -lrt pwquality.conf
-rw-r--r-- 1 cloud-user cloud-user 2172 Apr 19 08:00 pwquality.conf
cloud-user@pcf-worker-15:/etc/security$ cp pwquality.conf pwquality.conf_bkp
cloud-user@pcf-worker-15:~$
Step 3. Edit the common-password and pwquality.conf files.
§cloud-user@pcf-worker-15:/etc/security$
§cloud-user@pcf-worker-15:/etc/security# sudo sed -i 's/14/8/' pwquality.conf
§cloud-user@pcf-worker-15:/etc/security# cat pwquality.conf | grep "minlen"
§# minlen = 8
§minlen = 8 //This line must contain minlen =8
§cloud-user@pcf-worker-15:/etc/security#
§cloud-user@pcf-worker-15:/etc/security# cd /etc/pam.d/
§cloud-user@pcf-worker-15:/etc/pam.d# sudo sed -i '26 s/password/#password/' common-password
§cloud-user@pcf-worker-15:/etc/pam.d# sudo sed -i '28 s/password/#password/' common-password
§cloud-user@pcf-worker-15:/etc/pam.d# cat common-password | grep password
§# /etc/pam.d/common-password - password-related modules common to all services
§# used to change user passwords. The default is pam_unix.
§# The "sha512" option enables salted SHA512 passwords. Without this option,
§password requisite pam_pwquality.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
§#password requisite pam_pwhistory.so remember=5 use_authtok
§password requisite pam_pwquality.so try_first_pass retry=3
§#password required pam_pwhistory.so use_authtok remember=5
§password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512
§password requisite pam_deny.so
§password required pam_permit.so
§cloud-user@pcf-worker-15:/etc/pam.d#
Step 4. Change the password policies of the cloud-user user. Verify the current password expiry date.
cloud-user@pcf-worker-15:~$ sudo chage -l cloud-user
Last password change : May 21, 2021
Password expires : Aug 19, 2021
Password inactive : Sep 18, 2021
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
cloud-user@pcf-worker-15:~$
You must change the password expiry to never by this command.
cloud-user@pcf-worker-15:~$
cloud-user@pcf-worker-15:~$ sudo chage -m 0 -M -1 cloud-user
Verify that password expiry has changed to never.
cloud-user@pcf-worker-15:~$ sudo chage -l cloud-user
Last password change : May 21, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : -1
Number of days of warning before password expires : 7
cloud-user@pcf-worker-15:~$
5. Change the cloud-user password to the old password.
§cloud-user@pcf-worker-15:~# sudo passwd cloud-user
§New password:
§Retype new password:
§Retype new password:
§passwd: password updated successfully
§cloud-user@pcf-worker-15:~#
You can apply this procedure to recover passwords for another user in CNDP PCF which you have defined.
Feedback