Rotating Stored Passwords
Automatically rotate passwords for target accounts using stored passwords. When enabled, PrivX will periodically:
- Assign a new password to target accounts, according to password-rotation policy.
- Automatically store and update the new password to PrivX configuration.
PrivX can perform password rotation over SSH or WinRM.
The high-level steps for enabling password rotation involve:
- Creating password policies, which define how passwords are rotated.
- Creating rotation scripts.
- Enabling password rotation on target hosts and accounts.
Instead of password rotation, we recommend doing away with passwords altogether by using certificate-based authentication whenever possible. For more information about setting up certificate authentication, see SSH Certificate Authentication.
Before enabling password rotation, verify the following prerequisites:
Unix target hosts must be configured with at least one SSH service. The SSH service used for rotation must be configured with the host keys of the target host. Trust on first use will not work for this purpose.
Windows target hosts must be configured with WinRM. For additional instructions about enabling WinRM, see Enabling Remote Commands on Windows with WinRM.
Determine whether you want to rotate passwords via an admin account, or as individual accounts themselves:
Via admin account (recommended): Configure access to a privileged account with permissions to change other users' passwords. We recommend this method because you do not need to manually store individual users' passwords in PrivX.
Access to admin account must be non-interactive. For SSH, the admin account must be set up with certificate or stored-password authentication. If certificate authentication is used, then the admin account must be configured so that their sudo password is not needed for changing passwords.
WinRM configuration always needs a password set for the target account that is used for rotation.
Via individual accounts: All target users requiring password rotation must be configured with valid stored passwords in PrivX. Target users must have permissions to change their own passwords via their default shell.
Account passwords may become irrecoverable in case of desynchronization issues. For this reason we also recommend not setting up password rotation for admin accounts.
Creating Password Policies
Password policies in PrivX define:
- How often passwords are rotated.
- The strength of automatically-generated passwords.
- Recovery behavior in case of failures in automation.
To create a new password policy:
On Administration→Deployment→Deploy Password Rotation, click Add Password Rotation Policy.
Provide the required information for the password policy. You will at least need to provide:
- A unique name.
- A rotation interval.
- Maximum password revisions and retries.
Set up reasonable retries and retry intervals. This way random downtime on hosts won't cause PrivX to mark password rotation as failed, which halts PrivX from trying to rotate passwords on affected targets.
Click Save to create the new password policy.
You may review your password policies back on the Administration→Deployment→Deploy Password Rotation page.
Creating Password-Rotation Scripts
Password-rotation scripts are shell scripts, which PrivX runs to rotate passwords on target accounts. Password-rotation scripts enable adapting to different host configurations and target host shell versions.
PrivX provides set of default password-rotation scripts on Administration→Deployment→Deploy Password Rotation, under Script templates. These can be used as-is in common environments, or used as a basis for scripts to suit your custom environment.
If none of the existing password-rotation scripts suit your needs, you can create your own by clicking Add Script Template. Note the following when creating your own scripts:
- The script must define behavior that results in successfully changing target-account passwords, without user interaction.
- Depending on your configuration, password-rotation scripts can be run as the target users, or as an admin user.
- PrivX runs password-rotation scripts using the users' default shell. Typically (*)sh or PowerShell on Unix and Windows respectively.
Password rotation scripts are composed of variables and shell commands. Variables are used for synchronising user-name and password data between PrivX and the target host.
Linux SSH pipe/stdin
These variables are used to tell privx to use/not use stdin over ssh. Examples in this document are provided for bash shell:
When enabled, privx echoes data over ssh pipe to shell in target making data invisible in process tables and in shell command history increasing security. It is recommended to use stdin to echo passwords.
When enabled, use sudo password to elevate the account in target host. Sudo pass is the main account password, when main account used for rotation. If using individual account, sudo_pass is the current account password.
Values: text, or template variables to echo through pipe
Would equal when run in shell in local computer:
(echo sudopass; echo user1:pass1; echo user2:pass2) | ssh target.ip.com sudo -k -S chpasswd
Would equal when run in shell in local computer:
(echo pass1; echo pass2; echo pass2) | ssh target.ip.com passwd
Both Windows & Linux
The current password of the target account.
The new password of the target account.
The user name of the target account
How the username and password are written to username-password-list.
If the username/password list need to be prefixed to the script.
How the username/password items are seprated to produce a list usable in the script.
Enabling Password Rotation on Target Hosts and Accounts
To enable password rotation on a host:
On Administration→Hosts, Edit the target host's settings.
Under Options, enable Rotate account passwords.
Under Accounts, enable Password rotation for each desired account.
Under Password rotation, configure how passwords are rotated on all enabled accounts.
Click Save to apply the settings. Password rotation should now be enabled.
To verify successful password rotation, click the host back on the Administration→Hosts page to see its details. Under Accounts, verify for target accounts that Password rotation is Enabled and that Rotation status is OK.
You may click ☰ and select Rotate Now to immediately test password rotation.
Force Password Rotation
After password rotation is set up, you can force immediate password rotation per account.
To resume automatic password rotations on accounts where rotation has failed beyond max retries, you will need to force password rotation. Forcing password rotation can also be used when you need to immediately change target-account passwords.
To force password rotation on a target account:
On Administration→Hosts, click a host to see its details.
In the Accounts section, click ☰ next to an account, then select Rotate Now.
PrivX will immediately attempt to rotate the target-account password. You will be notified about the outcome of the task once it is completed.
Enabling Remote Commands on Windows with WinRM
Enabling password rotation on Windows hosts requires remote-command support via Windows Remote Management (WinRM).
To enable WinRM on a Windows host:
The instructions in this example are verified against Windows Server 2019. These instructions may need to be adapted for other platforms. The commands are only for testing purposes and are not suitable for production environments.
Gain Administrator access to the target host.
Create a certificate for HTTPS connections:
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "test-windows"
Enable remote PowerShell:
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Create an HTTPS listener using the certificate created earlier:
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
Open port 5986 for WinRM access:
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
Finally, configure WinRM with:
Remote commands via WinRM are now enabled. You may now enable password rotation on the host using the WinRM protocol.
Updated about 1 year ago