10-Security Configuration Guide

HomeSupportResource CenterRoutersH3C SR8800 Series RoutersH3C SR8800Technical DocumentsConfigureConfiguration GuideH3C SR8800 Configuration Guide-Release3347-6W10310-Security Configuration Guide
05-Password Control Configuration
Title Size Download
05-Password Control Configuration 137.95 KB

Password control overview

Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.

1.     Minimum password length

By setting a minimum password length, you can enforce users to use passwords long enough for system security. If a user specifies a shorter password, the system rejects the setting and prompts the user to re-specify a password.

2.     Minimum password update interval

This function allows you to set the minimum interval at which users can change their passwords. If a non-manage level user logs in to change the password but the time that elapses since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a non-manage level user cannot change the password twice within 48 hours. This prevents users from changing their passwords frequently.

 

 

NOTE:

·     This function is not effective for users of the manage level. For information about user levels, see Fundamentals Configuration Guide.

·     This function is not effective for a user who is prompted to change the password at the first login or a user whose password has just been aged out.

 

1.     Password aging

Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.

If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it.

2.     Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified period. If so, the system notifies the user of the expiry time and provides a choice for the user to change the password. If the user provides a new password that is qualified, the system records the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the user to log in using the present password.

 

 

NOTE:

Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, on the contrary, can only have their passwords changed by the administrator.

 

3.     Login with an expired password

You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.

4.     Password history

With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones to see whether it was used before and, if so, displays an error message.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record will overwrite the earliest one.

5.     Login attempt limit

Limiting the number of consecutive failed login attempts can effectively prevent password guessing.

If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system adds the user to a blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes action as configured:

¡     Prohibiting the user from logging in until the user is removed from the blacklist manually.

¡     Allowing the user to try continuously and removing the user from the blacklist when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry aging time is one minute).

¡     Prohibiting the user from logging in within a configurable period of time, and allowing the user to log in again after the period of time elapses or the user is removed from the blacklist.

 

 

NOTE:

·     A blacklist can contain up to 1024 entries.

·     A login attempt using a wrong username will undoubtedly fail but the username will not be added into the blacklist.

·     Web users failing login authentication are not blacklisted. Users accessing the system through the Console or AUX interface are not blacklisted either, because the system is unable to obtain the IP addresses of these users and these users are privileged and therefore relatively secure to the system.

 

6.     Password composition checking

A password can be a combination of characters from the following four categories:

¡     Uppercase letters A to Z

¡     Lowercase letters a to z

¡     Digits 0 to 9

¡     32 special characters including blank space and tilde (~), exclamation mark (!), at sign (@), number sign (#), dollar sign ($), percent (%), caret (^), ampersand (&), asterisk (*), brackets ({ }, ( ),[ ], < >), hyphen (-), underscore (_), plus (+), equal sign (=), vertical bar (|), backslash (\), colon (:), semicolon (;), quotation mark (", '), comma (,), period (.), and slash (/).

Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category.

There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain. Level 1 means that a password must contain characters of one category, level 2 at least two categories, and so on.

When a user sets or changes the password, the system checks if the password satisfies the composition requirement. If not, the system displays an error message.

7.     Password complexity checking

A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is not qualified, the system refuses the password and displays a password configuration failure message.

You can impose the following password complexity requirements:

¡     A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is unqualified.

¡     No character of the password is repeated three or more times consecutively. For example, password a111 is not qualified.

8.     Password display in the form of a string of *

For the sake of security, the password a user enters is displayed in the form of a string of *.

9.     Authentication timeout management

The authentication period is from when the server obtains the username to when the server finishes authenticating the user’s password. If a Telnet user fails to log in within the configured period of time, the system tears down the connection.

10.     Maximum account idle time

You can set the maximum account idle time to make accounts staying idle for this period of time become invalid and unable to log in again. For example, if you set the maximum account idle time to 60 days and user using the account test has never logged in successfully within 60 days after the last successful login, the account becomes invalid.

11.     Logging

The system logs all successful password changing events and user blacklisting events due to login failures.

Password control configuration task list

The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:

·     Global settings in system view apply to all local user passwords and super passwords.

·     Settings in user group view apply to the passwords of all local users in the user group.

·     Settings in local user view apply to only the password of the local user.

·     Settings for super passwords apply to only super passwords.

The above four types of settings have different priorities:

·     For local user passwords, the settings with a smaller application range have a higher priority.

·     For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.

Complete the following tasks to configure password control:

 

Task

Remarks

Enabling password control

Required

Setting global password control parameters

Optional

Setting user group password control parameters

Optional

Setting local user password control parameters

Optional

Setting super password control parameters

Optional

Setting a local user password in interactive mode

Optional

 

Configuring password control

Enabling password control

To enable password control functions, you need to:

1.     Enable the password control feature in system view. Only after the password control feature is enabled globally, can password control configurations take effect.

2.     Enable password control functions. Some password control functions need to be enabled individually after the password control feature is enabled globally. These functions include:

¡     Password aging

¡     Minimum password length

¡     Password history

¡     Password composition checking

You must enable a function for its relevant configurations to take effect.

To enable password control:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the password control feature.

password-control enable

Disabled by default.

3.     Enable a password control function individually.

password-control { aging | composition | history | length } enable

Optional.

All of the four password control functions are enabled by default.

 

 

NOTE:

After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.

 

Setting global password control parameters

To set global password control parameters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the password aging time.

password-control aging aging-time

Optional.

90 days by default.

3.     Set the minimum password update interval.

password-control password update interval interval

Optional.

24 hours by default.

4.     Set the minimum password length.

password-control length length

Optional.

10 characters by default.

5.     Configure the password composition policy.

password-control composition type-number policy-type [ type-length type-length ]

Optional.

By default, the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too.

6.     Configure the password complexity checking policy.

password-control complexity { same-character | user-name } check

Optional.

By default, the system does not perform password complexity checking.

7.     Set the maximum number of history password records for each user.

password-control history max-record-num

Optional.

4 by default.

8.     Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.

password-control login-attempt login-times [ exceed { lock | unlock | lock-time time | unlock } ]

Optional.

By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for one minute before trying again.

9.     Set the number of days during which the user is warned of the pending password expiration.

password-control alert-before-expire alert-time

Optional.

7 days by default.

10.     Set the maximum number of days and maximum number of times that a user can log in after the password expires.

password-control expired-user-login delay delay times times

Optional.

By default, a user can log in three times within 30 days after the password expires.

11.     Set the authentication timeout time.

password-control authentication-timeout authentication-timeout

Optional.

60 seconds by default.

12.     Set the maximum account idle time.

password-control login idle-time idle-time

Optional.

90 days by default.

 

CAUTION

CAUTION:

The specified action to be taken after a user fails to log in for the specified number of attempts takes effect immediately, and can thus affect the users already in the blacklist. Other password control configurations take effect only for users logging in later and passwords configured later.

 

Setting user group password control parameters

To set password control parameters for a user group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a user group and enter user group view.

user-group group-name

N/A

3.     Configure the password aging time for the user group.

password-control aging aging-time

Optional.

By default, the password aging time configured in system view is used.

4.     Configure the minimum password length for the user group.

password-control length length

Optional.

By default, the minimum password length configured in system view is used.

5.     Configure the password composition policy for the user group.

password-control composition type-number type-number [ type-length type-length ]

Optional.

By default, the password composition policy configured in system view is used.

 

Setting local user password control parameters

To set password control parameters for a local user:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a local user and enter local user view.

local-user user-name

N/A

3.     Configure the password aging time for the local user.

password-control aging aging-time

Optional.

By default, the setting for the user group to which the local user belongs is used; if no aging time is configured for the user group, the setting in system view is used.

4.     Configure the minimum password length for the local user.

password-control length length

Optional.

By default, the setting for the user group to which the local user belongs is used; if no minimum password length is configured for the user group, the setting in system view is used.

5.     Configure the password composition policy for the local user.

password-control composition type-number type-number [ type-length type-length ]

Optional.

By default, the settings for the user group to which the local user belongs are used; if no password composition policy is configured for the user group, the settings in system view are used.

 

Setting super password control parameters

 

 

NOTE:

·     CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.

·     To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information about super passwords, see Fundamentals Configuration Guide.

 

To set super password control parameters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the password aging time for super passwords.

password-control super aging aging-time

Optional.

90 days by default

3.     Configure the minimum length for super passwords.

password-control super length length

Optional.

10 characters by default.

4.     Configure the password composition policy for super passwords.

password-control super composition type-number type-number [ type-length type-length ]

Optional.

By default, the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too.

 

Setting a local user password in interactive mode

You can set a password for a local user in interactive mode. When doing so, you need to confirm the password.

To set a password for a local user in interactive mode:

 

Step

Command

1.     Enter system view.

system-view

2.     Create a local user and enter local user view.

local-user user-name

3.     Set the password for the local user in interactive mode.

password

 

Displaying and maintaining password control

 

Task

Command

Remarks

Display password control configuration information.

display password-control [ super ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Display information about users blacklisted due to authentication failure.

display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]

Available in any view

Delete users from the blacklist.

reset password-control blacklist [ user-name name ]

Available in user view

Clear history password records.

reset password-control history-record [ user-name name | super [ level level ] ]

Available in user view

 

 

NOTE:

The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled.

 

Password control configuration example

Network requirements

Implementing the following global password control policy:

·     An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.

·     A user can log in five times within 60 days after the password expires.

·     The password aging time is 30 days.

·     The minimum password update interval is 36 hours.

·     The maximum account idle time is 30 days.

·     A password cannot contain the username or the reverse of the username.

·     No character occurs consecutively three or more times in a password.

Implementing the following super password control policy:

A super password must contain at least three types of valid characters, five or more of each type.

Implementing the following password control policy for local Telnet user test:

·     The password must contain at least 12 characters.

·     The password must consist of at least two types of valid characters, five or more of each type.

·     The password aging time is 20 days.

Configuration procedure

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Prohibit the user from logging in forever after two successive login failures.

[Sysname] password-control login-attempt 2 exceed lock

# Set the password aging time to 30 days for all passwords.

[Sysname] password-control aging 30

# Set the minimum password update interval to 36 hours.

[Sysname] password-control password update interval 36

# Specify that a user can log in five times within 60 days after the password expires.

[Sysname] password-control expired-user-login delay 60 times 5

# Set the maximum account idle time to 30 days.

[Sysname] password-control login idle-time 30

# Refuse any password that contains the username or the reverse of the username.

[Sysname] password-control complexity user-name check

# Specify that no character of the password can be repeated three or more times consecutively.

[Sysname] password-control complexity same-character check

# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.

[Sysname] password-control super composition type-number 3 type-length 5

# Configure a super password.

[Sysname] super password level 3 simple 12345ABGFTweuix

# Create a local user named test.

[Sysname] local-user test

# Set the service type of the user to Telnet.

[Sysname-luser-test] service-type telnet

# Set the minimum password length to 12 for the local user.

[Sysname-luser-test] password-control length 12

# Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.

[Sysname-luser-test] password-control composition type-number 2 type-length 5

# Set the password aging time to 20 days for the local user.

[Sysname-luser-test] password-control aging 20

# Configure the password of the local user in interactive mode.

[Sysname-luser-test] password

Password:***********

Confirm :***********

Updating user(s) information, please wait........

[Sysname-luser-test] quit

Verifying the configuration

# Display the global password control configuration information.

<Sysname> display password-control

Global password control configurations:

 Password control:                    Enabled

 Password aging:                      Enabled (30 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (1 types,  1 characters per type)

 Password history:                    Enabled (max history record:4)

 Early notice on password expiration: 7 days

 User authentication timeout:         60 seconds

 Maximum failed login attempts:       2 times

 Login attempt-failed action:         Lock

 Minimum password update time:        36 hours

 User account idle-time:              30 days

 Login with aged password:            5 times in 60 day(s)

 Password complexity:                 Enabled (username checking)

                                      Enabled (repeated characters checking)

# Display the password control configuration information for super passwords.

<Sysname> display password-control super

 Super password control configurations:

 Password aging:                      Enabled (30 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (3 types,  5 characters per type)

# Display the password control configuration information for local user test.

<Sysname> display local-user user-name test

The contents of local user test:

 State:                    Active

 ServiceType:              telnet

 Access-limit:             Disable           Current AccessNum: 0

 User-group:               system

 Bind attributes:

 Authorization attributes:

 Password aging:                       Enabled (20 days)

 Password length:                      Enabled (12 characters)

 Password composition:                 Enabled (2 types,  5 characters per type)

Total 1 local user(s) matched.