Password reset agent on Windows Server VMs
Yandex Cloud provides agents, which are a special kind of software that runs as a Windows Server service for password resets on Windows Server VMs. An agent generates a new VM user password and securely delivers it to the Yandex Cloud user that requested a password reset. For a detailed description of how agents work, see below.
The password reset agent and agent update software are part of standard Windows Server images. If you are using a custom image, follow this guide to install the password reset agent and its update software.
Note
Currently, you cannot reset a password on a Linux virtual machine using Yandex Cloud tools.
The following items are required to reset passwords using an agent:
- The compute.admin service role, the editor primitive role, or any other role that inherits all permissions of these two. For more information about roles, see Access management in Compute Cloud.
- Running VM (with the RUNNING status).
Agent runtime logs, including status messages generated every minute, are available on serial port 4 (COM4).
How an agent resets a password
When a Yandex Cloud user requests a password reset:
- On the user side (in a browser, if the reset is requested in the management console or through PowerShell), the RSA algorithm is used to generate a public-private key pair. A request containing the public key and the name of the VM user whose password is to be reset is sent to the agent over an HTTPS connection.
- The agent on the VM performs the following:
  - Obtains and verifies the user request.
  - Generates a new password.
  - Creates a new user with administrator access, if a user with the specified name does not exist.
  - Assigns the generated password to the VM user.
  - Encrypts the password with the public key received in the request.
  - Sends the password to the Yandex Cloud user over an HTTPS connection.
- On the user side, the received password is decrypted with the private key and displayed in the management console or PowerShell.
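
The exchange described above can be sketched end to end as follows. This is an added example, not Yandex Cloud's agent code: the message field names, the 2048-bit key size, OAEP padding with SHA-256, the username check and the setPassword callback are assumptions, and the HTTPS transport is left out.

```javascript
// Added illustration of the reset exchange. Field names, key size, OAEP padding
// and the setPassword callback are assumptions, not Yandex Cloud's wire format.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Requester side: a fresh RSA key pair per reset. Only the public key is sent;
// the private key stays with the requester.
function createResetRequest(username) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const request = { username, publicKey: publicKey.export({ type: 'spki', format: 'pem' }) };
  return { request, privateKey };
}

// Agent side (simulated): verify the request, generate and assign a password,
// then return it encrypted to the requester's public key.
function agentHandleReset(request, setPassword) {
  if (typeof request.username !== 'string' || !/^[A-Za-z0-9._-]{1,20}$/.test(request.username)) {
    throw new Error('invalid username');
  }
  const key = crypto.createPublicKey(request.publicKey);
  if (key.asymmetricKeyType !== 'rsa' || key.asymmetricKeyDetails.modulusLength < 2048) {
    throw new Error('expected an RSA public key of at least 2048 bits');
  }
  const password = crypto.randomBytes(18).toString('base64url'); // 24 chars from the CSPRNG
  setPassword(request.username, password); // stand-in for creating/updating the OS account
  const ciphertext = crypto.publicEncrypt({ key, ...OAEP }, Buffer.from(password, 'utf8'));
  return { username: request.username, encryptedPassword: ciphertext.toString('base64') };
}

// Requester side: only the holder of the matching private key recovers the password.
function decryptResetResponse(response, privateKey) {
  const ciphertext = Buffer.from(response.encryptedPassword, 'base64');
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// Constructed run: an in-memory map stands in for the VM's account database.
function demo() {
  const accounts = new Map();
  const { request, privateKey } = createResetRequest('Administrator');
  const response = agentHandleReset(request, (user, pw) => accounts.set(user, pw));
  return decryptResetResponse(response, privateKey) === accounts.get('Administrator');
}
```

Because the response carries only ciphertext, a party that sees the response but does not hold the requester's private key cannot recover the password.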