09-Security Configuration Guide

06-Password control configuration

Configuring password control

Overview

Password control allows you to implement the following features:

·  Manage login and super password setup, expirations, and updates for device management users.
·  Control user login status based on predefined policies.

Local users are divided into two types: device management users and network access users. This feature applies only to device management users. For more information about local users, see "Configuring AAA."

Password setting

Minimum password length

You can define the minimum length of user passwords. If a user enters a password that is shorter than the minimum length, the system rejects the password.

Password composition policy

A password can be a combination of characters from the following types:

·  Uppercase letters A to Z.
·  Lowercase letters a to z.
·  Digits 0 to 9.
·  Special characters. For information about special characters, see the password-control composition command in Security Command Reference.

Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 1.

Table 1 Password composition policy

Password combination level   Minimum number of character types   Minimum number of characters for each type
Level 1                      One                                 One
Level 2                      Two                                 One
Level 3                      Three                               One
Level 4                      Four                                One

In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.

When a user sets or changes a password, the system checks if the password meets the combination requirement. If not, the operation fails.

Password complexity checking policy

A less complicated password, such as one that contains the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, the system checks the complexity of each password a user configures. If the password does not meet the policy, the configuration fails.

You can apply the following password complexity requirements:

·  A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
·  A character or number cannot be included three or more times consecutively. For example, password a111 is not complex enough.

Password updating and expiration

Password updating

This feature allows you to set the minimum interval at which users can change their passwords. If a user logs in to change the password but the time passed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a user cannot change the password twice within 48 hours.

The minimum interval does not apply when a user is prompted to change the password at the first login or after the password aging time expires.

Password expiration

Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.

If a user enters an expired password when logging in, the system displays an error message. The user is prompted to provide a new password and to confirm it by entering it again. The new password must be valid, and the user must enter exactly the same password when confirming it.

Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users.

Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password. If the user sets a new password that is complexity-compliant, the system records the new password and the setup time. If the user chooses not to change the password or the user fails to change it, the system allows the user to log in using the current password.

Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users.

Login with an expired password

You can allow a user to log in a certain number of times within a specific period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.

Password history

With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters. The four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.

Current login passwords of device management users are not stored in the password history. This is because a device management user password is saved in cipher text and cannot be recovered to a plaintext password.
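The checks described in the composition, complexity, and password history sections above, modelled in Python as an added example (this is not H3C code; the device's real implementation is not published here). The history rule "differ by at least four characters that are different from one another" is ambiguous in the guide, so it is modelled here as four distinct characters present in the new password but absent from the old one, and a character type is assumed to count toward type-number only when it supplies at least type-length characters; both are labelled assumptions in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """Settings named after the password-control commands in this guide."""
    length: int = 10                 # password-control length (non-FIPS default)
    type_number: int = 1             # password-control composition type-number
    type_length: int = 1             # ... type-length
    check_user_name: bool = False    # password-control complexity user-name check
    check_same_char: bool = False    # password-control complexity same-character check
    history_max: int = 4             # password-control history max-record-num
    # username -> previously used passwords (constructed for this model; the
    # device itself does not keep plaintext for management users, as the guide notes)
    history: Dict[str, List[str]] = field(default_factory=dict)


def example_policy() -> PasswordPolicy:
    """The global policy from this guide's configuration example."""
    return PasswordPolicy(length=16, type_number=4, type_length=4,
                          check_user_name=True, check_same_char=True)


def char_type_counts(pw: str) -> Dict[str, int]:
    """Count characters of each of the four types listed in Table 1."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in pw:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def has_run_of_three(pw: str) -> bool:
    """True if a character appears three or more times consecutively (e.g. a111)."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def differs_by_four(new: str, old: str) -> bool:
    """Assumed model of the history rule: at least four distinct characters
    present in the new password are absent from the old one."""
    return len(set(new) - set(old)) >= 4


def check_password(policy: PasswordPolicy, username: str, new_pw: str,
                   current_pw: Optional[str] = None) -> List[str]:
    """Return every violation found; an empty list means the password is accepted."""
    errors = []
    if len(new_pw) < policy.length:
        errors.append(f"shorter than minimum length {policy.length}")
    # Assumption: a type counts only if it supplies at least type_length characters.
    types_met = sum(1 for n in char_type_counts(new_pw).values() if n >= policy.type_length)
    if types_met < policy.type_number:
        errors.append(f"needs {policy.type_number} character types with "
                      f"at least {policy.type_length} characters each")
    if policy.check_user_name and (username in new_pw or username[::-1] in new_pw):
        errors.append("contains the username or the reverse of the username")
    if policy.check_same_char and has_run_of_three(new_pw):
        errors.append("a character repeats three or more times consecutively")
    previous = ([current_pw] if current_pw else []) + policy.history.get(username, [])
    if any(not differs_by_four(new_pw, old) for old in previous):
        errors.append("differs from the current or a previous password by fewer than four characters")
    return errors


def record_password_change(policy: PasswordPolicy, username: str, old_pw: str) -> List[str]:
    """Store the replaced password; past history_max, the oldest record is dropped."""
    records = policy.history.setdefault(username, [])
    records.append(old_pw)
    if len(records) > policy.history_max:
        del records[0]
    return records
```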

User login control

First login

With the global password control feature enabled, users must change the password at first login before they can access the system. In this situation, password changes are not subject to the minimum change interval.

Login attempt limit

Limiting the number of consecutive failed login attempts can effectively prevent password guessing.

Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of users:

·  Nonexistent users (users not configured on the device).
·  Users logging in to the device through console or AUX ports.

Each failed login adds the user account and the user's IP address to the password control blacklist. When the number of consecutive failed attempts reaches the configured maximum, the login attempt limit restricts the user and the user account in one of the following ways:

·  Disables the user account until the account is manually removed from the password control blacklist.
·  Allows the user to continue using the user account. The user's IP address and user account are removed from the password control blacklist when the user uses this account to successfully log in to the device.
·  Disables the user account for a period of time. The user can use the account to log in when either of the following conditions exists:
   o  The locking timer expires.
   o  The account is manually removed from the password control blacklist before the locking timer expires.

NOTE:

This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.
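A model of the login attempt limit and password control blacklist described above, written as an added example (not H3C code). It keys the blacklist on the (account, source IP) pair, which is how the note's "locked only for this user" behaviour is assumed to work, applies the three exceed actions (lock, lock-time, unlock), and mirrors reset password-control blacklist. Timestamps are plain seconds, constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LoginAttemptPolicy:
    login_times: int = 3          # password-control login-attempt login-times
    exceed: str = "lock-time"     # exceed { lock | lock-time | unlock }
    lock_time: int = 60           # seconds; the guide's default wait is 1 minute


@dataclass
class BlacklistEntry:
    failures: int = 0
    # None: not locked; inf: locked until manually removed from the blacklist
    locked_until: Optional[float] = None


class PasswordControlBlacklist:
    def __init__(self, policy: LoginAttemptPolicy):
        self.policy = policy
        self.entries: Dict[Tuple[str, str], BlacklistEntry] = {}

    def is_locked(self, username: str, ip: str, now: float) -> bool:
        e = self.entries.get((username, ip))
        return e is not None and e.locked_until is not None and now < e.locked_until

    def login(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(username, ip, now):
            return "locked"          # even a correct password is refused while locked
        key = (username, ip)
        if password_ok:
            # A successful login removes the account/IP pair from the blacklist
            # (this is how the 'unlock' action and an expired lock-time clear).
            self.entries.pop(key, None)
            return "ok"
        e = self.entries.setdefault(key, BlacklistEntry())
        e.failures += 1
        if e.failures >= self.policy.login_times:
            if self.policy.exceed == "lock":
                e.locked_until = float("inf")            # until manual reset
            elif self.policy.exceed == "lock-time":
                e.locked_until = now + self.policy.lock_time
            # "unlock": the user may keep trying; the entry stays until a success
        return "failed"

    def reset(self, username: Optional[str] = None) -> int:
        """reset password-control blacklist [ user-name name ]; returns entries removed."""
        keys = [k for k in self.entries if username is None or k[0] == username]
        for k in keys:
            del self.entries[k]
        return len(keys)
```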


Maximum account idle time

You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.

Password not displayed in any form

For security purposes, nothing is displayed when a user enters a password.

Logging

The system logs all successful password changing events and user adding events to the password control blacklist.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Password control configuration task list

The password control features can be configured in several different views, and different views support different features. The settings configured in different views or for different objects have the following application ranges:

·  Settings for super passwords apply only to super passwords.
·  Settings in local user view apply only to the password of the local user.
·  Settings in user group view apply to the passwords of the local users in the user group if you do not configure password policies for these users in local user view.
·  Global settings in system view apply to the passwords of the local users in all user groups if you do not configure password policies for these users in both local user view and user group view.

For local user passwords, the settings with a smaller application scope have higher priority.

To configure password control, perform the following tasks:

Tasks at a glance:

(Required.) Enabling password control
(Optional.) Setting global password control parameters
(Optional.) Setting user group password control parameters
(Optional.) Setting local user password control parameters
(Optional.) Setting super password control parameters

Enabling password control

To successfully enable the global password control feature and allow device management users to log in to the device, the device must have sufficient storage space.

Enabling the global password control feature is the prerequisite for all password control configurations to take effect. A specific password control feature (aging, composition, history, or length) then takes effect only if it is also enabled individually.

After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. However, the configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.

To enable password control:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the global password control feature.
   Command: password-control enable
   Remarks:
   ·  In non-FIPS mode, the global password control feature is disabled by default.
   ·  In FIPS mode, the global password control feature is enabled by default, and cannot be disabled.

3. (Optional.) Enable a specific password control feature.
   Command: password-control { aging | composition | history | length } enable
   Remarks: By default, all four password control features are enabled.

Setting global password control parameters

The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. The password settings with a smaller application scope have higher priority. Global settings in system view apply to the passwords of the local users in all user groups if you do not configure password policies for these users in both local user view and user group view.

The password-control login-attempt command takes effect immediately and can affect the users already in the password control blacklist. Other password control configurations do not take effect on users that have been logged in or passwords that have been configured.

To set global password control parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the password expiration time.
   Command: password-control aging aging-time
   Remarks: The default setting is 90 days.

3. Set the minimum password update interval.
   Command: password-control update-interval interval
   Remarks: The default setting is 24 hours.

4. Set the minimum password length.
   Command: password-control length length
   Remarks:
   ·  In non-FIPS mode, the default setting is 10 characters.
   ·  In FIPS mode, the default length is 15 characters.

5. Configure the password composition policy.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks:
   ·  In non-FIPS mode, by default, a password must contain at least one character type and at least one character for each type.
   ·  In FIPS mode, by default, a password must contain at least four character types and at least one character for each type.

6. Configure the password complexity checking policy.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the system does not perform password complexity checking.

7. Set the maximum number of history password records for each user.
   Command: password-control history max-record-num
   Remarks: The default setting is 4.

8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.

9. Set the number of days during which a user is notified of the pending password expiration.
   Command: password-control alert-before-expire alert-time
   Remarks: The default setting is 7 days.

10. Set the maximum number of days and maximum number of times that a user can log in after the password expires.
    Command: password-control expired-user-login delay delay times times
    Remarks: By default, a user can log in three times within 30 days after the password expires.

11. Set the maximum account idle time.
    Command: password-control login idle-time idle-time
    Remarks: The default setting is 90 days.

Setting user group password control parameters

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a user group and enter user group view.
   Command: user-group group-name
   Remarks: By default, no user group exists. For information about how to configure a user group, see "Configuring AAA."

3. Configure the password expiration time for the user group.
   Command: password-control aging aging-time
   Remarks: By default, the password expiration time of the user group equals the global password expiration time.

4. Configure the minimum password length for the user group.
   Command: password-control length length
   Remarks: By default, the minimum password length of the user group equals the global minimum password length.

5. Configure the password composition policy for the user group.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: By default, the password composition policy of the user group equals the global password composition policy.

6. Configure the password complexity checking policy for the user group.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the password complexity checking policy of the user group equals the global password complexity checking policy.

7. Specify the maximum number of login attempts and the action to be taken when a user in the user group fails to log in after the specified number of attempts.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the login-attempt policy of the user group equals the global login-attempt policy.

Setting local user password control parameters

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a device management user and enter local user view.
   Command: local-user user-name class manage
   Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users. For information about how to configure a local user, see "Configuring AAA."

3. Configure the password expiration time for the local user.
   Command: password-control aging aging-time
   Remarks: By default, the setting equals that for the user group to which the local user belongs. If no expiration time is configured for the user group, the global setting applies to the local user.

4. Configure the minimum password length for the local user.
   Command: password-control length length
   Remarks: By default, the setting equals that for the user group to which the local user belongs. If no minimum password length is configured for the user group, the global setting applies to the local user.

5. Configure the password composition policy for the local user.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.

6. Configure the password complexity checking policy for the local user.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the settings equal those for the user group to which the local user belongs. If no password complexity checking policy is configured for the user group, the global settings apply to the local user.

7. Specify the maximum number of login attempts and the action to be taken for the local user when the user fails to log in after the specified number of attempts.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the settings equal those for the user group to which the local user belongs. If no login-attempt policy is configured for the user group, the global settings apply to the local user.

Setting super password control parameters

The super password allows you to obtain a temporary user role without reconnecting to the device. For more information about passwords for user roles, see Fundamentals Configuration Guide.

To set super password control parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the password expiration time for super passwords.
   Command: password-control super aging aging-time
   Remarks: The default setting is 90 days.

3. Configure the minimum length for super passwords.
   Command: password-control super length length
   Remarks:
   ·  In non-FIPS mode, the default setting is 10 characters.
   ·  In FIPS mode, the default setting is 15 characters.

4. Configure the password composition policy for super passwords.
   Command: password-control super composition type-number type-number [ type-length type-length ]
   Remarks:
   ·  In non-FIPS mode, by default, a super password must contain at least one character type and at least one character for each type.
   ·  In FIPS mode, by default, a super password must contain at least four character types and at least one character for each type.

Displaying and maintaining password control

Execute display commands in any view and reset commands in user view.

Task: Display password control configuration.
Command: display password-control [ super ]

Task: Display information about users in the password control blacklist.
Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ]

Task: Delete users from the password control blacklist.
Command: reset password-control blacklist [ user-name name ]

Task: Clear history password records.
Command: reset password-control history-record [ user-name name | super [ role role name ] ]

NOTE:

The reset password-control history-record command can delete the history password records of one or all users even when the password history feature is disabled.


Password control configuration example

Network requirements

Configure a global password control policy to meet the following requirements:

·  A password must contain at least 16 characters.
·  A password must contain at least four character types and at least four characters for each type.
·  An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
·  A user can log in five times within 60 days after the password expires.
·  A password expires after 30 days.
·  The minimum password update interval is 36 hours.
·  The maximum account idle time is 30 days.
·  A password cannot contain the username or the reverse of the username.
·  No character appears consecutively three or more times in a password.

Configure a super password control policy for user role network-operator to meet the following requirements:

·  A super password must contain at least 24 characters.
·  A super password must contain at least four character types and at least five characters for each type.

Configure a password control policy for the local Telnet user test to meet the following requirements:

·  The password must contain at least 24 characters.
·  The password must contain at least four character types and at least five characters for each type.
·  The password for the local user expires after 20 days.

Configuration procedure

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Disable a user account permanently if a user fails two consecutive login attempts on the user account.

[Sysname] password-control login-attempt 2 exceed lock

# Set all passwords to expire after 30 days.

[Sysname] password-control aging 30

# Globally set the minimum password length to 16 characters.

[Sysname] password-control length 16

# Set the minimum password update interval to 36 hours.

[Sysname] password-control update-interval 36

# Specify that a user can log in five times within 60 days after the password expires.

[Sysname] password-control expired-user-login delay 60 times 5

# Set the maximum account idle time to 30 days.

[Sysname] password-control login idle-time 30

# Refuse any password that contains the username or the reverse of the username.

[Sysname] password-control complexity user-name check

# Specify that no character can be included three or more times consecutively in a password.

[Sysname] password-control complexity same-character check

# Globally specify that all passwords must each contain at least four character types and at least four characters for each type.

[Sysname] password-control composition type-number 4 type-length 4

# Set the minimum super password length to 24 characters.

[Sysname] password-control super length 24

# Specify that a super password must contain at least four character types and at least five characters for each type.

[Sysname] password-control super composition type-number 4 type-length 5

# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.

[Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!

Updating user information. Please wait ... ...

# Create a device management user named test.

[Sysname] local-user test class manage

# Set the service type of the user to Telnet.

[Sysname-luser-manage-test] service-type telnet

# Set the minimum password length to 24 for the local user.

[Sysname-luser-manage-test] password-control length 24

# Specify that the password of the local user must contain at least four character types and at least five characters for each type.

[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5

# Set the password for the local user to expire after 20 days.

[Sysname-luser-manage-test] password-control aging 20

# Configure the password of the local user in interactive mode.

[Sysname-luser-manage-test] password

Password:

Confirm :

Updating user information. Please wait ... ...

[Sysname-luser-manage-test] quit

Verifying the configuration

# Display the global password control configuration.

<Sysname> display password-control

 Global password control configurations:

 Password control:                     Enabled

 Password aging:                       Enabled (30 days)

 Password length:                      Enabled (16 characters)

 Password composition:                 Enabled (4 types, 4 characters per type)

 Password history:                     Enabled (max history record:4)

 Early notice on password expiration:  7 days

 Maximum login attempts:               2

 Action for exceeding login attempts:  Lock

 Minimum interval between two updates: 36 hours

 User account idle time:               30 days

 Logins with aged password:            5 times in 60 days

 Password complexity:                  Enabled (username checking)

                                       Enabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super

 Super password control configurations:

 Password aging:                       Enabled (90 days)

 Password length:                      Enabled (24 characters)

 Password composition:                 Enabled (4 types, 5 characters per type)

# Display the password control configuration for local user test.

<Sysname> display local-user user-name test class manage

Total 1 local users matched.


Device management user test:

 State:                    Active

 Service type:             Telnet

 User group:               system

 Bind attributes:

 Authorization attributes:

  Work directory:          flash:

  User role list:          network-operator

 Password control configurations:

  Password aging:          Enabled (20 days)

  Password length:         Enabled (24 characters)

  Password composition:    Enabled (4 types, 5 characters per type)