Reset Password
Introduction
This feature is used to recover forgotten passwords or to update passwords regularly, ensuring secure access to VMs. It applies to scenarios such as reducing the risk of password leaks, transferring accounts when employees are offboarded, and rotating passwords for compliance.
- vmTools is required for this feature (VMware Tools 13.0.5 or later, or open-vm-tools) to enable seamless interaction between the node and thin client. The system-level password change cannot be triggered if vmTools is not installed.
- The system automatically identifies the VM's operating system type and fills in the default username: root for most Linux systems (ubuntu for Ubuntu systems), and Administrator for Windows systems.
- The password reset takes effect immediately without requiring a VM restart. However, all existing remote connections will require authentication again with the new password.
Constraints and Restrictions
- The feature is unavailable for VMs without the specified version of vmTools installed. vmTools must be installed, and the VM must be restarted after installation.
- The password must meet the following complexity requirements: The password must contain at least 8 characters and three types of the following characters: uppercase letters, lowercase letters, digits, and special characters. The new password must differ from the current password by at least 3 characters.
- If remote desktop password caching is enabled for Windows VMs, the cache must be cleared before you can log in with the new password after the password change. For Linux VMs, make sure the sshd service is running normally.
Steps
Step 1. Log in to SCP and go to Resource Center > VMs.
Step 2. Locate the VM you want to edit, click More in the Operation column, and select Reset Password.
Step 3. In the Reset Password pop-up window, check the VM name and username automatically identified by the system (the username can be manually modified to match the actual login account used in the operation).
Step 4. Enter the New Password and Confirm Password, making sure that they meet the complexity requirements. Click OK to complete the password reset.
Result Verification
Step 1. Open a remote connection tool (for example, Xshell, SecureCRT, or Remote Desktop Connection). Enter the VM's IP address, username, and the new password to log in.
Step 2. If you can log in to the VM's operating system successfully, or a successful password reset record is displayed in the Tasks section on the VM details page, the password reset has taken effect.
Bind Key Pair
Introduction
Key pair binding is a secure authentication method based on asymmetric encryption technology. It enables login without a password through public and private key pair verification, which is ideal for VMs in the production environment and automated O&M scenarios. This helps prevent the risk of password brute-force attacks.
- Supported key algorithms include RSA (recommended 4096-bit), ECDSA, and ED25519. The ED25519 algorithm provides higher security and forward secrecy.
- The key pair must be created on the platform or imported into the platform in advance: When a key pair is created, the algorithm and key length must be specified. The private key can only be downloaded once and must be stored locally with the permission set to 600 (read/write for owner only).
- After a key pair is bound for a Linux system, the public key will be automatically written to the ~/.ssh/authorized_keys file. For Windows systems, the OpenSSH service must be configured to support login by using the key pair.
Constraints and Restrictions
- A single VM can be bound to up to 3 key pairs. If the same key pair is bound again, all of the original configuration will be overwritten.
- By default, the ssh-rsa algorithm is disabled in OpenSSH 8.8 and later versions. To use a key pair created with this algorithm, manually add the line PubkeyAcceptedAlgorithms +ssh-rsa to the /etc/ssh/sshd_config file (not recommended because this reduces security).
- The private key cannot be recovered if lost. The original key pair must be unbound before a new one can be bound. If a private key is leaked, it must be unbound immediately to prevent security risks.
Steps
Step 1. Log in to SCP and go to Resource Center > VMs.
Step 2. Locate the VM you want to edit, click More in the Operation column, and select Bind Key Pair.
Step 3. In the Bind Key Pair pop-up window, select an existing key pair in the Key Pair drop-down list. If no key pairs are available, create one on the key pair management page (see the Key Pair Management section of SCP - Security Management Guide).
Step 4. After the key pair information is confirmed correct, click OK to complete the binding.
Result Verification
Step 1. Linux system: Use the private key file to log in through the SSH command (ssh -i <private key path> <username>@<VM IP>). If login is successful without a password, the binding takes effect.
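The following is an added example, not part of the SCP product or its documentation. It checks two points from this section before a key pair is relied on: that the downloaded private key file has permission 600, and whether a sshd_config re-enables ssh-rsa through PubkeyAcceptedAlgorithms. The function names and the sample configuration are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
#PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
"""

def private_key_mode_ok(path):
    """True only if the file mode is exactly 600 (owner read/write)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600

def ssh_rsa_reenabled(sshd_config_text):
    """Return the active PubkeyAcceptedAlgorithms lines that allow ssh-rsa.

    Assumption: a single config file is checked; Include files and Match
    blocks are not followed.
    """
    hits = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "pubkeyacceptedalgorithms":
            continue
        value = parts[1].strip()
        if value.startswith("-"):  # a "-list" removes algorithms, which is fine
            continue
        names = [n.strip() for n in value.lstrip("+^").split(",")]
        if "ssh-rsa" in names:
            hits.append(raw.strip())
    return hits

if __name__ == "__main__":
    fd, key_path = tempfile.mkstemp()  # stand-in for a downloaded private key
    os.close(fd)
    os.chmod(key_path, 0o644)
    print("mode 644 ok?", private_key_mode_ok(key_path))
    os.chmod(key_path, 0o600)
    print("mode 600 ok?", private_key_mode_ok(key_path))
    os.remove(key_path)
    print("ssh-rsa re-enabled by:", ssh_rsa_reenabled(SAMPLE_SSHD_CONFIG))
```

Any line returned by ssh_rsa_reenabled marks a host where the weaker algorithm has been turned back on and is worth reviewing.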