Passwords

Connecting to Jean Zay is done with the user login and the associated password.

During the first connection, the user must indicate the “initial password” and then immediately change it to an “actual password”.

The initial password

What is the initial password?

The initial password is the concatenation of two passwords, in the following order:

  1. The first part consists of a randomly generated IDRIS password which is sent to you by e-mail during the account opening and during a reinitialisation of your password. It remains valid for 20 days.
  2. The second part consists of the user-chosen password (8 alphanumeric characters) which you provided on the “Account creation request form (GENCI)” during your first account opening request (if you are a new user) or when requesting a change in your initial password (using the FGC form).
    Note: For a user with a previously opened login account created in 2014 or before, the password indicated in the last postal letter from IDRIS should be used.

The initial password must be changed within 20 days following transmission of the randomly generated password (see below the section "Using an initial password at the first connection").
If this first connection is not done within the 20-day timeframe, the initial password is invalidated and an e-mail is sent to inform you. In this case, you just have to send an e-mail to to request a new randomly generated password which is then sent to you by e-mail.

An initial password is generated (or re-generated) in the following cases:

  • Account opening (or reopening): an initial password is formed at the creation of each account and also for the reopening of a closed account.
  • Loss of the actual password:
    • If you have lost your actual password, you must contact to request the re-generation of a randomly generated password which is then sent to you by e-mail. You will also need to have the user-chosen part of the password you previously provided in the FGC form.
    • If you have also lost the user-chosen part of the password which you previously provided in the FGC form (or was contained in the postal letter from IDRIS in the former procedure of 2014 or before), you must complete the “Request to change the user part of initial password” section of the FGC form, print and sign it, then scan and e-mail it to or send it to IDRIS by postal mail. You will then receive an e-mail containing a new randomly generated password.

Using an initial password at the first connection

Below is an example of the first connection (without using ssh keys), for which the “initial password” will be required, for the login_idris account on an IDRIS machine.

Important: At the first connection, the initial password is requested twice. A first time to establish the connection on the machine and a second time by the password change procedure which is then automatically executed.

Recommendation: As you have to change the initial password the first time you log in, carefully prepare another password to enter before beginning the procedure (see Creation rules for "actual passwords" in the section below).

$ ssh login_idris@machine_idris.idris.fr
login_idris@machine_idris password:  ## Enter INITIAL PASSWORD first time ##
Last login: Fri Nov 28 10:20:22 2014 from machine_idris.idris.fr
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user login_idris.
Enter login(    ) password:          ## Enter INITIAL PASSWORD second time ##
Enter new password:                      ## Enter new chosen password   ##
Retype new password:                     ## Confirm new chosen password ##
     password information changed for login_idris
passwd: all authentication tokens updated successfully.
Connection to machine_idris closed.

Remark: You will be immediately disconnected after entering a new correct chosen password (“all authentication tokens updated successfully”).

Now, you may re-connect using your new actual password that you have just registered.

The actual password

Once your actual password has been created and entered correctly, it will remain valid for one year (365 days).

How to change your actual password

You can change your password at any time by using the UNIX command passwd directly on a front end. The change is taken into account immediately for all the machines. This new actual password will remain valid for one year (365 days) following its creation.

Creation rules for "actual passwords"

  • It must contain a minimum of 12 characters.
  • The characters must belong to at least 3 of the 4 following groups:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Special characters
  • The same character may not be repeated more than 2 times consecutively.
  • A password must not be composed of words from dictionaries or from trivial combinations (1234, azerty, …).

Notes:

  • Your actual password is not modifiable on the same day as its creation or for the 5 days following its creation. Nevertheless, if necessary, you may contact the User Support Team to request a new randomly generated password for the re-creation of an initial password.
  • A record is kept of the last 6 passwords used. Reusing one of the last 6 passwords will be rejected.
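The creation rules and the reuse rule above can be checked locally before starting the password change procedure. The following is an added example, not IDRIS code: the function name, the short list of trivial combinations, and the reading of "special characters" as any non-alphanumeric character are assumptions, and the server-side checks remain authoritative.

```python
import re

# Constructed stand-in for the dictionary / trivial-combination check;
# the word list actually applied by IDRIS is not given on this page.
TRIVIAL = ("1234", "azerty", "qwerty", "password", "abcd")


def check_password(candidate, previous=()):
    """Return a list of rule violations; an empty list means no rule was hit."""
    problems = []
    if len(candidate) < 12:
        problems.append("fewer than 12 characters")
    # One flag per group: uppercase, lowercase, numbers, special characters.
    groups = [
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),  # assumption: special = non-alphanumeric
    ]
    if sum(groups) < 3:
        problems.append("fewer than 3 of the 4 character groups")
    # Assumption: "more than 2 times consecutively" means a run of 3 or more.
    if re.search(r"(.)\1\1", candidate, flags=re.DOTALL):
        problems.append("same character more than 2 times consecutively")
    lowered = candidate.lower()
    if any(word in lowered for word in TRIVIAL):
        problems.append("contains a trivial combination")
    # Local check against passwords you remember using, oldest first.
    if candidate in list(previous)[-6:]:
        problems.append("reuses one of the last 6 passwords")
    return problems


if __name__ == "__main__":
    import getpass  # prompt without echo; keeps the candidate out of shell history

    for problem in check_password(getpass.getpass("Candidate password: ")):
        print("rejected:", problem)
```
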

Forgotten or expired password

If you have forgotten your password or, despite the warning e-mails sent to you, you have not changed your actual password before its expiry date (i.e. one year after its last creation), your password will be invalidated.

In this case, you must contact to request the re-generation of the randomly generated password which is then sent to you by e-mail.

Note: You will also need the user-chosen part of the initial password you originally provided in order to connect to the host after this re-generation. You will then have to follow the same procedure as for using an initial password at the first connection.

Account blockage following 15 unsuccessful connection attempts

If your account has been blocked as a result of 15 unsuccessful connection attempts, you must contact the IDRIS User Support Team.

Account security reminder

You must never write out your password in an e-mail, even ones sent to IDRIS (User Support, Gestutil, etc.) no matter what the reason: We would be obligated to immediately generate a new initial password, the objective being to inhibit the actual password which you published and to ensure that you define a new one during your next connection.

Each account is strictly personal. Discovery of account access by an unauthorised person will cause immediate protective measures to be taken by IDRIS including the eventual blockage of the account.
The user must take certain basic common sense precautions:

  • Inform IDRIS immediately of any attempted trespassing on your account.
  • Respect the recommendations for using SSH keys.
  • Protect your files by limiting UNIX access rights.
  • Do not use a password which is too simple.
  • Protect your personal work station.