05-Password Control Commands
Table of Contents
Chapter 1 Password Control Configuration Commands
1.1 Password Control Configuration Commands
1.1.1 display password-control
1.1.2 display password-control blacklist
1.1.3 password
1.1.4 password-control aging
1.1.5 password-control alert-before-expire
1.1.6 password-control authentication-timeout
1.1.7 password-control composition
1.1.8 password-control enable
1.1.9 password-control history
1.1.10 password-control length
1.1.11 password-control login-attempt
1.1.12 password-control super aging
1.1.13 password-control super composition
1.1.14 password-control super length
1.1.15 reset password-control blacklist
1.1.16 reset password-control history-record
Chapter 1 Password Control Configuration Commands
1.1 Password Control Configuration Commands
1.1.1 display password-control
Syntax
display password-control [ super ]
View
Any view
Default Level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
Description
Use the display password-control command to display password control configuration information.
Examples
# Display the global password control configuration information.
<Sysname> display password-control
Global password settings for all users:
Password aging: Enable(30 day(s))
Password length: Enable(10 character(s))
Password composition: Enable(1 type(s), 1 character(s) per type)
Password history: Enable(max history record:4)
Password alert before expire: 7 day(s)
Password authentication-timeout:60 second(s)
Password attempt time(s): 2 times
Password attempt-failed action: Lock for 120 minute(s)
Table 1-1 Description on the fields of the display password-control command
Field | Description |
---|---|
Password aging | Whether password aging is enabled and, if enabled, the aging time |
Password length | Whether the minimum password length restriction function is enabled and, if enabled, the setting |
Password composition | Whether the password composition restriction function is enabled and, if enabled, the settings |
Password history | Whether the password history function is enabled and, if enabled, the setting |
Password alert before expire | Number of days during which the user is warned of the pending password expiration |
Password authentication-timeout | Password authentication timeout time |
Password attempt time(s) | Allowed maximum number of login attempts |
Password attempt-failed action | Action to be taken when a user fails to log in after the specified number of attempts |
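The following script is an added example, not part of the original command reference. It parses the display password-control output shown above and compares it with a site baseline. The baseline values and the function names are assumptions chosen for illustration; a switched function counts as enabled only when its value starts with Enable, as in the sample output.

```python
import re

# Output copied from the display password-control example on this page.
SAMPLE = """\
Global password settings for all users:
Password aging: Enable(30 day(s))
Password length: Enable(10 character(s))
Password composition: Enable(1 type(s), 1 character(s) per type)
Password history: Enable(max history record:4)
Password alert before expire: 7 day(s)
Password authentication-timeout:60 second(s)
Password attempt time(s): 2 times
Password attempt-failed action: Lock for 120 minute(s)
"""

# Hypothetical site baseline (assumed values): (field, min or max, bound).
BASELINE = [("length", "min", 12), ("composition", "min", 3),
            ("history", "min", 5), ("attempt time(s)", "max", 5)]
# Fields that only apply when the function is shown as Enable(...).
SWITCHED = {"aging", "length", "composition", "history"}

def parse_password_control(text):
    """Map each 'Password <field>: <value>' line to field -> raw value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*Password ([^:]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def setting(fields, name):
    """First integer of a field, or None if absent or not enabled."""
    raw = fields.get(name)
    if raw is None or (name in SWITCHED and not raw.startswith("Enable")):
        return None
    m = re.search(r"\d+", raw)
    return int(m.group()) if m else None

def audit(fields, baseline=BASELINE):
    """Return a list of findings where the device is weaker than the baseline."""
    findings = []
    for name, kind, bound in baseline:
        value = setting(fields, name)
        if value is None:
            findings.append(f"{name}: not enabled or not reported")
        elif (kind == "min" and value < bound) or (kind == "max" and value > bound):
            findings.append(f"{name}: {value} (baseline {kind} {bound})")
    if not fields.get("attempt-failed action", "").startswith("Lock"):
        findings.append("attempt-failed action: no lockout reported")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_password_control(SAMPLE)):
        print(finding)
```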
1.1.2 display password-control blacklist
Syntax
display password-control blacklist [ user-name name | ip ip-address ]
View
Any view
Default Level
2: System level
Parameters
name: Username of a user, a string of 1 to 80 characters.
ip-address: IP address of a user.
Description
Use the display password-control blacklist command to display information about users blacklisted due to authentication failure.
With no arguments provided, this command displays information about all users in the blacklist.
Examples
# Display information about users blacklisted due to authentication failure.
<Sysname> display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 1 Lock flag: unlock
Total 1 blacklist item(s) matched. 1 listed.
Table 1-2 Description on the fields of display password-control blacklist
Field | Description |
---|---|
Username | Username of the user |
IP | IP address of the user |
Login failed times | Number of login failures |
Lock flag | Flag indicating whether the user is prohibited from logging in currently, unlock if prohibited and lock if not. |
1.1.3 password
Syntax
password
undo password
View
Local user view
Default Level
2: System level
Parameters
None
Description
Use the password command to set a password for a local user in interactive mode.
Use the undo password command to remove the password of a local user.
By default, no password is set for a local user in interactive mode.
Note that:
- Valid characters for a local user password include uppercase letters A to Z, lowercase letters a to z, numbers 0 to 9, blank space, and these 31 symbols: ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
- A local user password configured in interactive mode must satisfy the password control requirement.
Examples
# Set a password for local user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password
Password:*****
Confirm :*****
Updating user(s) information, please wait....
1.1.4 password-control aging
Syntax
password-control aging aging-time
undo password-control aging
View
System view/local user view
Default Level
2: System level
Parameters
aging-time: Password aging time in days, in the range 1 to 365.
Description
Use the password-control aging command to set the password aging time.
Use the undo password-control aging command to remove the configured password aging time.
By default, the password aging time is 90 days.
Note that:
- The setting in system view has global significance, while that in local user view is only for the local user.
- If both global and local settings are specified, the local setting takes effect.
- Executing the undo password-control aging command in system view removes the global configuration and restores the default setting; executing this command in local user view removes the configuration of the current local user and restores the global configuration.
Examples
# Set the global password aging time to 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the password aging time to 80 days for local user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password-control aging 80
1.1.5 password-control alert-before-expire
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
View
System view
Default Level
2: System level
Parameters
alert-time: Number of days during which the user is warned of the pending password expiration, in the range 1 to 30.
Description
Use the password-control alert-before-expire command to set the number of days during which the user is warned of the pending password expiration.
Use the undo password-control alert-before-expire command to restore the default.
The default is 7 days.
Examples
# Set the number of days during which the user is warned of the pending password expiration to 10 days.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
1.1.6 password-control authentication-timeout
Syntax
password-control authentication-timeout authentication-timeout
undo password-control authentication-timeout
View
System view
Default Level
2: System level
Parameters
authentication-timeout: User authentication timeout time in seconds, in the range 30 to 120.
Description
Use the password-control authentication-timeout command to set the user authentication timeout time.
Use the undo password-control authentication-timeout command to restore the default.
By default, the user authentication timeout time is 60 seconds.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40
1.1.7 password-control composition
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
View
System view/local user view
Default Level
2: System level
Parameters
type-number type-number: Specifies the minimum number of password composition types. The value of the type-number argument is in the range 1 to 4.
type-length type-length: Specifies the minimum number of characters of each password composition type. The value of the type-length argument is in the range 1 to 63.
Description
Use the password-control composition command to configure the password composition policy.
Use the undo password-control composition command to restore the default.
By default, the minimum number of password composition types is 1 and the minimum number of characters of each password composition type is also 1.
Note that:
- The settings in system view have global significance, while those in local user view are only for the local user.
- If both global and local settings are specified, the local settings take effect. Parameters that are not configured in local user view use the global settings.
- Executing the undo password-control composition command in system view removes the global configuration and restores the default setting; executing this command in local user view removes the configuration of the current local user and restores the global configuration.
Examples
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for all passwords.
<Sysname> system-view
[Sysname] password-control composition type-number 3 type-length 5
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for local user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password-control composition type-number 3 type-length 5
1.1.8 password-control enable
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
View
System view
Default Level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Description
Use the password-control enable command to enable password control functions.
Use the undo password-control enable command to disable password control functions.
By default, the password control functions are enabled.
Note that:
- The system stops recording history passwords after you execute the undo password-control history enable command, but the prior records still exist.
- You must enable a function for its relevant configurations to take effect.
- A password can be a combination of characters from the following four categories: uppercase letters A to Z, lowercase letters a to z, digits 0 to 9, and 32 special characters including blank space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./. There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain. Level 1 means that a password must contain characters of one category, level 2 at least two categories, and so on.
Examples
# Enable the password composition restriction function.
<Sysname> system-view
[Sysname] password-control composition enable
Password composition is enabled for all users.
# Enable the password aging function.
<Sysname> system-view
[Sysname] password-control aging enable
Password aging is enabled for all users.
# Enable the minimum password length restriction function.
<Sysname> system-view
[Sysname] password-control length enable
Password minimum length is enabled for all users.
# Enable the password history function.
<Sysname> system-view
[Sysname] password-control history enable
Password history is enabled for all users.
# Disable the password aging function.
<Sysname> system-view
[Sysname] undo password-control aging enable
Password aging is disabled for all users.
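The following checker is an added example, not part of the original command reference. It combines the four character categories described in the note above with the local-over-global precedence described under password-control composition and password-control length. The function names are hypothetical, and it assumes that a category counts toward type-number only when the password contains at least type-length characters from it.

```python
import string

# The 32 special characters listed above: blank space plus 31 symbols.
SPECIAL = set(" ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./")
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIAL,
}
# Defaults stated on this page for length and composition.
DEFAULTS = {"length": 10, "type_number": 1, "type_length": 1}

def effective_policy(global_cfg=None, local_cfg=None):
    """Local user settings win; unset parameters use global, then default."""
    policy = dict(DEFAULTS)
    policy.update(global_cfg or {})
    policy.update(local_cfg or {})
    return policy

def check_password(password, policy):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    valid = set().union(*CATEGORIES.values())
    invalid = sorted(set(password) - valid)
    if invalid:
        problems.append(f"invalid characters: {invalid}")
    if len(password) < policy["length"]:
        problems.append(f"shorter than {policy['length']} characters")
    # Count how many characters of the password fall into each category.
    counts = {name: sum(c in chars for c in password)
              for name, chars in CATEGORIES.items()}
    # Assumption: a category is satisfied at >= type_length characters.
    satisfied = [n for n, k in counts.items() if k >= policy["type_length"]]
    if len(satisfied) < policy["type_number"]:
        problems.append(
            f"only {len(satisfied)} of {policy['type_number']} required "
            f"types have at least {policy['type_length']} characters")
    return problems

if __name__ == "__main__":
    # Global: composition type-number 3 type-length 5; local user: length 9.
    policy = effective_policy({"type_number": 3, "type_length": 5},
                              {"length": 9})
    for candidate in ("Abcde12345", "ABCDEabcde12345"):
        print(candidate, check_password(candidate, policy) or "accepted")
```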
1.1.9 password-control history
Syntax
password-control history max-record-num
undo password-control history
View
System view
Default Level
2: System level
Parameters
max-record-num: Maximum number of history password records for each user, in the range 2 to 15.
Description
Use the password-control history command to set the maximum number of history password records for each user.
Use the undo password-control history command to restore the default.
By default, the maximum number of history password records for each user is 4.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
1.1.10 password-control length
Syntax
password-control length length
undo password-control length
View
System view/local user view
Default Level
2: System level
Parameters
length: Minimum password length in characters, in the range 4 to 32.
Description
Use the password-control length command to set the minimum password length.
Use the undo password-control length command to restore the default.
By default, the minimum password length is 10 characters.
Note that:
- The setting in system view has global significance, while that in local user view is only for the local user.
- If both global and local settings are specified, the local setting takes effect.
Examples
# Set the global minimum password length to 9 characters.
<Sysname> system-view
[Sysname] password-control length 9
# Set the minimum password length to 9 characters for local user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password-control length 9
1.1.11 password-control login-attempt
Syntax
password-control login-attempt login-times [ exceed { lock | unlock | lock-time time } ]
undo password-control { login-attempt | exceed }
View
System view
Default Level
2: System level
Parameters
login-times: Maximum number of login attempts, in the range 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Prohibits a user that fails to log in after the specified number of attempts from logging in permanently.
unlock: Allows a user that fails to log in after the specified number of attempts to continue logging in.
lock-time time: Forces a user that fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in minutes and in the range 3 to 360.
Description
Use the password-control login-attempt command to specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
Use the undo password-control command to restore the default.
By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 120 minutes before trying again.
Examples
# Set the maximum number of login attempts to 4 and prohibit a user failing to log in after four attempts from logging in.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
1.1.12 password-control super aging
Syntax
password-control super aging aging-time
undo password-control super aging
View
System view
Default Level
2: System level
Parameters
aging-time: Super password aging time in days, in the range 1 to 365.
Description
Use the password-control super aging command to set the aging time for super passwords.
Use the undo password-control super aging command to remove the setting.
By default, the aging time for super passwords is 90 days.
Note that the setting for super passwords, if present, overrides that for all passwords.
Examples
# Set the aging time for super passwords to 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
1.1.13 password-control super composition
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
View
System view
Default Level
2: System level
Parameters
type-number type-number: Specifies the minimum number of super password composition types. The value of the type-number argument is in the range 1 to 4.
type-length type-length: Specifies the minimum number of characters of each super password composition type. The value of the type-length argument is in the range 1 to 63.
Description
Use the password-control super composition command to configure the composition policy for super passwords.
Use the undo password-control super composition command to remove the setting.
By default, the minimum number of password composition types is 1 and the minimum number of characters of each password composition type is also 1.
Note that the settings for super passwords, if present, override those for all passwords.
Examples
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for super passwords.
<Sysname> system-view
[Sysname] password-control super composition type-number 3 type-length 5
1.1.14 password-control super length
Syntax
password-control super length length
undo password-control super length
View
System view
Default Level
2: System level
Parameters
length: Minimum length for super passwords in characters, in the range 4 to 16.
Description
Use the password-control super length command to set the minimum length for super passwords.
Use the undo password-control super length command to remove the setting.
By default, the minimum super password length is 10 characters.
Note that the setting for super passwords, if present, overrides that for all passwords.
Examples
# Set the minimum length for super passwords to 10 characters.
<Sysname> system-view
[Sysname] password-control super length 10
1.1.15 reset password-control blacklist
Syntax
reset password-control blacklist [ user-name name ]
View
User view
Default Level
3: Manage level
Parameters
user-name name: Specifies the username of a user to be deleted from the blacklist. The name argument is a string of 1 to 80 characters.
Description
Use the reset password-control blacklist command to delete all users or a specified user from the blacklist.
Examples
# Delete the user named test from the blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist?[Y/N]
1.1.16 reset password-control history-record
Syntax
reset password-control history-record [ user-name name | super [ level level ] ]
View
User view
Default Level
3: Manage level
Parameters
user-name name: Specifies the username of a user whose password records are to be deleted. The name argument is a string of 1 to 80 characters.
super: Deletes the super password history records specified by the level level combination.
level level: Specifies the user level, which is in the range 1 to 3.
Description
Use the reset password-control history-record command to delete history password records.
Note that:
- With no arguments and keywords specified, this command deletes the history password records of all local users.
- With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records?[Y/N]