H3C S9500 Operation Manual-Release2132[V2.03]-07 Security Volume

05-Password Control Configuration

Chapter 1  Password Control Configuration

When configuring password control, go to these sections for information you are interested in:

•  Password Control Overview

•  Password Control Configuration Task List

•  Configuring Password Control

•  Displaying and Maintaining Password Control

•  Password Control Configuration Example

1.1  Password Control Overview

Password control refers to a set of functions provided by the local authentication server to enforce password security according to predefined policies. Password control comprises the following nine functions.

1)         Minimum password length

With this function, you can set a minimum password length as required for system security. When a user enters a shorter password, the system considers it invalid and prompts the user to enter a password again.

Note:

•  A password cannot exceed 63 characters.

•  On the S9500 series switches, local user passwords are not displayed.

2)         Password aging

Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.

If a user enters an expired password, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it. Otherwise, the login will fail.

3)         Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire within the specified warning period. If so, the system notifies the user of the expiry time and offers the user the choice of changing the password. If the user provides a new password, the system records the new password and the time of the change. If the user chooses to keep the password, or fails to change it, the system allows the user to log in with the present password until it expires.

Note:

Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, on the contrary, can only have their passwords changed by the administrator.

4)         Password history

With this feature enabled, the system maintains a number of history records of the passwords a user has used. When a user changes the password, the system checks the new password against the recorded ones; if it was used before, the system displays an error message.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record will overwrite the earliest one.

5)         Login attempt restriction

Limiting the number of times a wrong password can be entered effectively prevents malicious password guessing.

Once a user fails authentication, the system adds the user to a blacklist. When a user reaches the maximum number of successive failed authentication attempts, the system either prohibits or allows further logins, depending on your choice:

•  Prohibiting the user from logging in until the user is removed from the blacklist.

•  Allowing the user to log in, and removing the user from the blacklist when the user logs into the system or the blacklist entry times out (the blacklist entry aging time is 20 minutes).

•  Prohibiting the user from logging in for a configurable period of time. After this period, the user is deleted from the blacklist and can log into the system again.

Note:

•  A blacklist can contain up to 1,024 entries. A login attempt using a wrong username fails, but the username is not added to the blacklist.

•  FTP users and virtual terminal line (VTY) users are blacklisted when they fail authentication.

•  Users accessing the system through the Console or AUX interface are never blacklisted. The system cannot obtain the IP addresses of these users, and because these users are privileged they pose relatively little risk to the system.

 

6)         Password composition

A password can be a combination of characters from the following four categories:

•  Uppercase letters A to Z

•  Lowercase letters a to z

•  Digits 0 to 9

•  32 special characters: the blank space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./

Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category.

There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain. Level 1 means that a password must contain characters of one category, level 2 at least two categories, and so on.

When a user sets or changes the password, the system checks if the password satisfies the composition requirement. If not, the system displays an error message.

7)         Password display in the form of a string of *

For the sake of security, the password a user enters is displayed in the form of a string of *.

8)         Authentication timeout management

If a user fails to log in within a configurable period of time, the system tears down the connection.

This function applies to Telnet users only.

9)         Logging

The system logs all successful password changing events.

1.2  Password Control Configuration Task List

| Task | Remarks |
|---|---|
| Enabling Password Control | Required |
| Setting Global Password Control Parameters | Optional |
| Setting Local User Password Control Parameters | Optional |
| Setting Super Password Control Parameters | Optional |
| Setting a Local User Password in Interactive Mode | Optional |

1.3  Configuring Password Control

Note:

•  Global settings in system view apply to all local user passwords and super passwords.

•  Settings in local user view apply to the local user password only.

•  Settings for super passwords apply to super passwords only.

The above three types of settings have different priorities:

•  For local user passwords, the settings in local user view override those in system view; where local user view provides no setting, the system view setting applies.

•  For super passwords, the settings for super passwords override those in system view; where no super password setting is provided, the system view setting applies.

1.3.1  Enabling Password Control

Among the nine password control functions, you can enable or disable the following four as desired:

•  Password aging

•  Minimum password length

•  Password history

•  Password composition

You must enable a function for its related configurations to take effect.

Follow these steps to enable a password control function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable a password control function | password-control { aging \| composition \| history \| length } enable | Optional. All four password control functions are enabled by default. |

1.3.2  Setting Global Password Control Parameters

Follow these steps to set global password control parameters:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the password aging time | password-control aging aging-time | Optional. 90 days by default. |
| Set the minimum password length | password-control length length | Optional. 10 characters by default. |
| Configure the password composition policy | password-control composition type-number type-number [ type-length type-length ] | Optional. By default, the minimum number of composition types is 1 and the minimum number of characters per composition type is also 1. |
| Set the maximum number of history password records for each user | password-control history max-record-num | Optional. 4 by default. |
| Specify the maximum number of login attempts and the action to take when a user fails to log in within that number of attempts | password-control login-attempt login-times [ exceed { lock \| unlock \| lock-time time } ] | Optional. By default, the maximum number of login attempts is 3, and a user who fails to log in within that number of attempts must wait 120 minutes before trying again. |
| Set the number of days before expiration during which the user is warned of the pending password expiration | password-control alert-before-expire alert-time | Optional. 7 days by default. |
| Set the authentication timeout | password-control authentication-timeout authentication-timeout | Optional. 60 seconds by default. |

Caution:

The configured action for a user who fails to log in within the specified number of attempts takes effect immediately, and can therefore affect users already in the blacklist.

1.3.3  Setting Local User Password Control Parameters

Follow these steps to set password control parameters for a local user:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a local user and enter local user view | local-user user-name | |
| Configure the password aging time for the local user | password-control aging aging-time | Optional. 90 days by default. |
| Configure the minimum password length for the local user | password-control length length | Optional. 10 characters by default. |
| Configure the password composition policy for the local user | password-control composition type-number type-number [ type-length type-length ] | Optional. By default, the minimum number of composition types is 1 and the minimum number of characters per composition type is also 1. |

1.3.4  Setting Super Password Control Parameters

Note:

CLI commands fall into four levels: visit, monitor, system, and manage. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels. To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For details on super passwords, refer to Basic System Configuration in System Volume.

Follow these steps to set super password control parameters:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the password aging time for super passwords | password-control super aging aging-time | Optional. 90 days by default. |
| Configure the minimum length for super passwords | password-control super length length | Optional. 10 characters by default. |
| Configure the password composition policy for super passwords | password-control super composition type-number type-number [ type-length type-length ] | Optional. By default, the minimum number of composition types is 1 and the minimum number of characters per composition type is also 1. |

1.3.5  Setting a Local User Password in Interactive Mode

Follow these steps to set the password for a local user in interactive mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a local user and enter local user view | local-user user-name | |
| Set the password for the local user | password | Required. By default, no password is set for a local user in interactive mode. |

1.4  Displaying and Maintaining Password Control

| To do… | Use the command… | Remarks |
|---|---|---|
| Display password control configuration information | display password-control [ super ] | Available in any view |
| Display information about users blacklisted due to authentication failure | display password-control blacklist [ user-name name \| ip ip-address ] | Available in any view |
| Delete users from the blacklist | reset password-control blacklist [ user-name name ] | Available in user view |
| Clear history password records | reset password-control history-record [ user-name name \| super [ level level ] ] | Available in user view |

Note:

The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled.

1.5  Password Control Configuration Example

I. Network requirements

The following password control functions are required:

•  A user is prohibited from logging in after two successive login failures; the password aging time is 30 days.

•  A super password must contain at least three types of the valid characters, with at least five characters of each type.

•  The password of the local user named test must be at least six characters long and contain at least two types of the valid characters, with at least five characters of each type. The password aging time is 20 days.

II. Configuration procedure

# Enter system view.

<Sysname> system-view

# Prohibit the user from logging in after two successive login failures.

[Sysname] password-control login-attempt 2 exceed lock

# Set the password aging time to 30 days for all passwords.

[Sysname] password-control aging 30

# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.

[Sysname] password-control super composition type-number 3 type-length 5

# Configure a super password.

[Sysname] super password level 3 simple 11111AAAAAaaaaa

# Create a local user named test.

[Sysname] local-user test

# Set the minimum password length to 6 for the local user.

[Sysname-luser-test] password-control length 6

# Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.

[Sysname-luser-test] password-control composition type-number 2 type-length 5

# Set the password aging time to 20 days for the local user.

[Sysname-luser-test] password-control aging 20

# Configure the password of the local user.

[Sysname-luser-test] password simple 11111#####
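The composition, length and history checks the manual describes, modelled as an added example (written for this page, not code from the H3C manual or the switch) and run against the two passwords set above: the super password under the super policy (type-number 3, type-length 5, global minimum length 10) and the password of user test (length 6, type-number 2, type-length 5). One point the manual does not spell out is treated as an assumption and labelled in the code: a category counts towards type-number only when it supplies at least type-length characters.

```python
import string

# The four character categories the manual defines; the 32 special characters are the
# blank space plus ~`!@#$%^&*()_+-={}|[]\:";'<>,./
SPECIAL = " " + "~`!@#$%^&*()_+-={}|[]\\:\";'<>,./"
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(SPECIAL),
}
MAX_LENGTH = 63   # manual: a password cannot exceed 63 characters


def check_password(password, min_length=10, type_number=1, type_length=1):
    """Return None if the password satisfies the policy, otherwise the reason it fails.
    Defaults are the manual's global defaults. Assumption (the manual does not say):
    a category counts towards type-number only if it supplies >= type_length characters."""
    if len(password) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"
    if len(password) < min_length:
        return f"shorter than the minimum length of {min_length}"
    counts = dict.fromkeys(CATEGORIES, 0)
    for ch in password:
        for name, chars in CATEGORIES.items():
            if ch in chars:
                counts[name] += 1
                break
        else:
            return f"character {ch!r} is not in any permitted category"
    qualifying = [name for name, n in counts.items() if n >= type_length]
    if len(qualifying) < type_number:
        return (f"only {len(qualifying)} category(ies) supply at least {type_length} "
                f"characters; {type_number} required")
    return None


def change_password(history, new_password, max_records=4, **policy):
    """Composition check followed by the password-history check: a reused password is
    rejected; an accepted one is recorded and the oldest record is dropped once the
    list exceeds max_records (4 by default). History is kept in plaintext here purely
    for illustration."""
    reason = check_password(new_password, **policy)
    if reason is None and new_password in history:
        reason = "password was used before"
    if reason is None:
        history.append(new_password)
        del history[:-max_records]
    return reason
```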

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网