This document provides guidance for working with your CenturyLink-managed Red Hat Enterprise Linux Operating System.
CenturyLink provides you overall management for your server OS, including access to the primary root user privileges for new user account creation, user deletion, application installation, and other administrative tasks. CenturyLink will also maintain root access which allows us to effectively monitor and maintain your server OS.
Connecting to Your Server with SSH
When your server was initially configured, a customer account was created for your use, and the root account was configured for you to initially access the machine for administrative purposes.
1. You will need the Admin (root) password for your initial SSH session. Access your server password in the CenturyLink Cloud Control by choosing the ‘click to authenticate’ link illustrated below in the red box, in the upper right corner. Note: Your Admin user name and password are different from your CenturyLink Cloud Control user name and password. Also, this root account password should not be changed except from within this CenturyLink Cloud Control interface.
2. Use any SSH version 2 compatible client. (SSH, Putty, Secure CRT, WS_FTP).
3. Direct your SSH client to connect to the host server IP that was provided to you by CenturyLink Cloud Control. This IP is a CLC private network IP. You should NEVER manage your virtual server through a public IP address but rather, always use a secure tunnel such as a client VPN or site to site VPN connection.
4. Once logged in, you should immediately set the password of your non-root management account. Run the command that's bolded below and note the resulting account name (shown below in italics) that you can use for your regular server operations:
# passwd $(getent passwd 5000 | cut -d: -f1)
Changing password for user clc_test.
New password: ********
Retype new password: ********
passwd: all authentication tokens updated successfully.
5. Change your password right away, constructing your new password in a manner meaningful to you, but also secure. Please follow the password guidelines that are recommended below.
Linux password strength is handled by a custom PAM(8) configuration that enforces the following policy:
- Inclusion of at least three (3) characters from each of the following character classes:
- Digit (0-9)
- Upper case alphabetic
- Lower case alphabetic
- Any other “special” character (non-digit and non-alphabetic)
- Minimum nine (9) character password.
- Eight (8) character password if all four (4) of the character classes are used.
- Maximum of two (2) repeating, consecutive characters.
- Five (5) characters in the new password must not be present in the old password.
- Username (straight or reversed) must not be present.
- No dictionary words.
Linux password expiration adheres to the following policy:
- Maximum number of days a password may be used is ninety (90) days, after which the password will be force expired.
- None of the last twelve (12) passwords for a specific user account may be reused.
- A warning is issued at login time beginning at seven (7) days before password expiration.
6. Log out of the highly-privileged root account and reserve your use of it for operations you cannot do using your non-root management account and the sudo privilege escalation command.
Difficulty Connecting via SSH
If you should have difficulty connecting via SSH, be sure that you are connecting from an IP address that has port 22 allowed on the CenturyLink inbound firewall. The firewall rule-set can be reviewed with CenturyLink Support.
If you have a firewall at your location ensure port 22 is opened for outbound traffic. Additionally, confirm that your SSH client is configured to use port 22 (in all likelihood it is by default).
If you are having problems connecting to your VM, please execute the following trouble-shooting steps (and save your output), prior to contacting Support. Saving your output data will help to expedite the trouble-shooting process.
1. Provide a traceroute(8) output from your source host to the CenturyLink server destination IP.
- Example from a UNIX or Linux source host:
$ traceroute 184.108.40.206
- Example from a Windows/DOS environment:
2. Ensure that your firewall is open for outbound connections on port 22. Provide output of a telnet to CenturyLink server destination IP over port 22.
- From most operating systems that have the telnet command the following example command line would be executed to test port 22:
$ telnet 220.127.116.11 22
- A successful connection will display output similar to the following:
$ telnet 18.104.22.168 22
Connected to 22.214.171.124. Escape character is '^]'.