Creating a Password Change Rule

With password change rules, the CBH system can change the passwords of multiple managed host resource accounts at a time, manually or on a schedule, which improves the security of managed resource accounts by keeping credentials short-lived.

With password change rules, you can:

  • Change passwords of managed resource accounts manually, periodically, or at a scheduled time.
  • Change the passwords of multiple managed resource accounts to different passwords randomly generated by the system, the same password generated by the system, or the same password you specify.

Constraints

  • Password change rules apply only to hosts configured with SSH, MySQL, SQL Server, Oracle, RDP, or Telnet protocols.
  • To enable a password change rule for Windows hosts, enable the SMB service on the host and open port 445 in its security group. Allow port 445 only from the CBH instance's address rather than from any source.

Prerequisites

  • You have the operation permissions for the Chpwd Rules module.
  • The configured OS type of the resource whose account password you want to change must be the same as the actual OS type of the resource.

Creating a Password Change Rule

  1. Log in to the CBH system.
  2. Choose Policy > Chpwd Rules > Chpwd Rules.

    Figure 1 Chpwd Rules

  3. Click New in the upper right corner of the page to switch to the New Chpwd Rule dialog box.
  4. Configure the basic information.

    Figure 2 New password change rule
    Table 1 Parameter for password change rules

    Parameter

    Description

    Rule Name

    Name of a password change rule. The rule name must be unique in the CBH system.

    Timing

    The options are Manual, Fixed-Time, and Cycle.

    • Manual: Manually trigger the password change rule to change the password of the managed resource account.
    • Fixed-Time: The CBH system triggers the password change rule at the fixed time you set and changes the passwords of the related managed resource accounts. This type of rule is executed only once.
    • Cycle: The CBH system triggers the password change rule repeatedly at the interval you set. This type of rule is executed many times, until the end time you specify.

    Execute Time

    Date and time at which the password change rule is executed (for Fixed-Time rules) or first executed (for Cycle rules). The default execution time is 00:00.

    Cycle

    Password change interval.

    • The unit is day.
    • Set an End Time for this type of rule. Otherwise, the passwords are changed indefinitely.

    Method

    How the new passwords are produced. The options are Generating a different password, Generating the same password, and Specifying the same password.

    • Generating a different password: The system randomly generates a distinct password for each managed resource account, in compliance with the password requirements below.
    • Generating the same password: The system randomly generates one password and applies it to every managed resource account related to the rule, in compliance with the password requirements below. All of these accounts then share one credential, so a leak of any one of them exposes all of them.
    • Specifying the same password: You enter a preset password manually, and the system sets every managed resource account related to the rule to that password.
    • Password requirements:

      Must contain 20 characters, including uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and the following special characters: @*:_

      Must comply with the password requirements of the host account and cannot start with a special character.

    Options

    Additional password change functions, including Priority use of the sudo account to change password and Allow to change the sudo account password.

    • To allow the rule to change the password of the sudo account itself, select Allow to change the sudo account password. Otherwise, the sudo account's password is never changed. This option is not selected by default.
    • To let the system automatically look up the sudo account that corresponds to a managed account and use it to change that account's password, select Priority use of the sudo account to change password. If no sudo account is available, the password is changed using the managed account itself. This option is selected by default.

  5. Click Next and start to relate the password change rule to one or more accounts or account groups.

    • After a password change rule is related to an account group, the rule applies to an account as soon as that account is added to the group.
    • If a password change rule is related to multiple managed resource accounts, their passwords are changed in one batch.
    Figure 3 Relate account

  6. Click OK. You can then view the new password change rule in the rule list.

    To obtain the new passwords of the managed resource accounts, download the password change log after the rule has been executed. The log contains the new credentials in readable form, so restrict who can download it and delete local copies once the passwords have been recorded in your credential store.
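The three Method options and the password requirements in Table 1 can be checked against a concrete implementation. The following Python example is added here for illustration and is not CBH's own code; it assumes that a preset password entered under Specifying the same password must satisfy the same 20-character rule as a generated one, and uses a constructed account list rather than real hosts.

```python
import secrets
import string
from typing import Dict, List

# Character classes taken from the CBH password requirement in Table 1:
# 20 characters; uppercase, lowercase, digits and the specials @ * : _;
# the password must not start with a special character.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "@*:_"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
LENGTH = 20


def validate_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) != LENGTH:
        problems.append(f"length {len(pw)} != {LENGTH}")
    if any(c not in ALPHABET for c in pw):
        problems.append("contains characters outside the allowed set")
    for name, cls in (("uppercase", UPPER), ("lowercase", LOWER),
                      ("digit", DIGITS), ("special", SPECIAL)):
        if not any(c in cls for c in pw):
            problems.append(f"missing {name} character")
    if pw and pw[0] in SPECIAL:
        problems.append("starts with a special character")
    return problems


def generate_password() -> str:
    """Generate one compliant password from the OS CSPRNG (secrets).

    Rejection sampling keeps the result uniformly distributed over compliant
    strings; patching characters into a random string to force each class in
    would bias the output. Acceptance is roughly 60%, so few retries are needed.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        if not validate_password(pw):
            return pw


def plan_password_change(accounts: List[str], method: str,
                         preset: str = "") -> Dict[str, str]:
    """Map each managed account to the password it will receive.

    method mirrors the Method options of a password change rule:
      "different" - a distinct random password per account
      "same"      - one random password shared by every account in the rule
      "specified" - the preset you typed, validated against the policy first
                    (assumption: the same policy applies to preset passwords)
    """
    if method == "different":
        return {acct: generate_password() for acct in accounts}
    if method == "same":
        shared = generate_password()
        return {acct: shared for acct in accounts}
    if method == "specified":
        problems = validate_password(preset)
        if problems:
            raise ValueError("preset password rejected: " + "; ".join(problems))
        return {acct: preset for acct in accounts}
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    # Constructed sample accounts (hypothetical hosts, not real resources).
    sample_accounts = ["root@10.0.0.11", "Administrator@10.0.0.12",
                       "dbadmin@10.0.0.13"]
    for method in ("different", "same"):
        plan = plan_password_change(sample_accounts, method)
        # Never print the credentials themselves; show only that they were set.
        print(method, {a: "*" * len(p) for a, p in plan.items()})
```

The `validate_password` function doubles as the check you would run on a preset password before choosing Specifying the same password, and the `"same"` branch makes the shared-credential trade-off of Generating the same password visible: every account in the plan maps to one string.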

Follow-up Operations

On the rule list page you can manage all password change rules: relate them to more resources, delete, enable, or disable one or more rules, and execute a rule immediately.

  • To quickly relate a password rule to more accounts or account groups, select the rule and click Relate in the Operation column.
  • To delete a password change rule, select the rule and click Delete in the Operation column.
  • To disable password change rules, select the ones you want to disable and click Disable at the bottom of the list. Once their status changes to Disabled, the rules no longer run.
  • To change the password of a managed account immediately, click Execute in the Operation column.