H3C S9500 Command Manual-Release1648[v1.24]-07 Security Volume

04-Password Control Commands

Chapter 1  Password Control Configuration Commands

1.1  Password Control Configuration Commands

1.1.1  display password-control

Syntax

display password-control

View

Any view

Parameters

None

Description

Use the display password-control command to view the password control information for all users, including the enabled/disabled state of password aging, the aging time, the enabled/disabled state of the minimum password length limitation and the configured minimum password length, the enabled/disabled state of history password recording, the maximum number of history records, the alert time before password expiration, the timeout time for password authentication, the maximum number of password input attempts, the processing mode after failed password input attempts, the time when the password history was last cleared, and so on.

Examples

# Display the information about the current password control for all users.

<H3C> display password-control

Global password settings for all users:

Password aging:                      Disabled

Password length:                     Disabled

Password history:                    Disabled

Password alert-before-expire :       7 days

Password authentication-timeout :    60 seconds

Password attempt times :             3 times

Password attempt-failed action :     Lock for 120 minutes 

Password history was last reset 2 day(s) ago.
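
The following added example (not part of the H3C manual) parses the display password-control output shown above and reports settings that are disabled or weaker than a local policy. The policy thresholds are hypothetical, and the Enabled(N ...) value format for the global settings is assumed from the display password-control super example.

```python
import re

# Constructed sample: the display output from the example above.
SAMPLE = """\
Global password settings for all users:
Password aging:                      Disabled
Password length:                     Disabled
Password history:                    Disabled
Password alert-before-expire :       7 days
Password authentication-timeout :    60 seconds
Password attempt times :             3 times
Password attempt-failed action :     Lock for 120 minutes
Password history was last reset 2 day(s) ago.
"""

# Hypothetical local policy thresholds (assumptions, not vendor guidance).
MAX_AGING_DAYS, MIN_LENGTH, MAX_ATTEMPTS = 90, 10, 5


def parse_settings(text):
    """Map each 'Password <name> : <value>' line to {name: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*Password\s+([A-Za-z -]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(settings):
    """Return findings for settings that are off or weaker than the policy."""
    findings = []
    for key in ("aging", "length", "history"):
        value = settings.get(key, "missing")
        if not value.startswith("Enabled"):
            findings.append(f"password {key} is {value.lower()}")
    # Assumed format when enabled, as in the super example: Enabled(10 days)
    aging = re.match(r"Enabled\((\d+)", settings.get("aging", ""))
    if aging and int(aging.group(1)) > MAX_AGING_DAYS:
        findings.append(f"aging time {aging.group(1)} days exceeds {MAX_AGING_DAYS}")
    length = re.match(r"Enabled\((\d+)", settings.get("length", ""))
    if length and int(length.group(1)) < MIN_LENGTH:
        findings.append(f"minimum length {length.group(1)} is below {MIN_LENGTH}")
    attempts = re.match(r"(\d+)", settings.get("attempt times", ""))
    if attempts and int(attempts.group(1)) > MAX_ATTEMPTS:
        findings.append(f"{attempts.group(1)} login attempts exceed {MAX_ATTEMPTS}")
    if not settings.get("attempt-failed action", "").lower().startswith("lock"):
        findings.append("no lockout after failed login attempts")
    return findings
```

For the sample above, audit(parse_settings(SAMPLE)) reports that aging, length and history are all disabled, which matches the factory defaults described under password-control enable.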

1.1.2  display password-control blacklist

Syntax

display password-control blacklist [ username username | ipaddress ipaddress ]

View

Any view

Parameters

username: User name added into the blacklist.

ipaddress: User IP address added into the blacklist.

Description

Use the display password-control blacklist command to view the user information added into the blacklist based on the user name or IP address after failed attempts of entering passwords.

Examples

# Display the information of all users added into the blacklist after failed attempts of entering passwords.

<H3C> display password-control blacklist

USERNAME                           IP                LOCKED-TIME

Jack                               10.1.1.2          0 hour 5 min

The number of users in blacklist is :1

The above output means the user Jack is added to the blacklist. His IP address is 10.1.1.2. This user has been locked for five minutes.

If a time calculation error occurs because the user changed the system time (for example, the current time is earlier than the blacklist record time), the system displays the following output:

<H3C> display password-control blacklist

USERNAME                        IP                  LOCKED-TIME

test                            192.168.30.25       -- hour -- min

The number of users in blacklist is :1
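
The following added example (not part of the H3C manual) parses the blacklist table for log review. It keeps rows whose lock time the device could not compute ("-- hour -- min") instead of dropping them, and groups locked user names by source IP. The sample rows are constructed from the examples on this page, with one IP address changed so that two users share a source.

```python
import re
from collections import defaultdict

# Constructed sample based on the rows shown on this page.
SAMPLE = """\
USERNAME                        IP                  LOCKED-TIME
Jack                            10.1.1.2            0 hour 5 min
test                            192.168.30.25       -- hour -- min
tes                             192.168.30.25       1 hour 10 min
The number of users in blacklist is :3
"""

# user name, IPv4 address, optional "<h> hour <m> min" column
ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\S+) hour (\S+) min)?\s*$")


def parse_blacklist(text):
    """Return one dict per row. locked_min is None when the column is
    absent or not computable; clock_error marks the '--' case."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line or the trailing count line
        user, ip, hours, mins = m.groups()
        locked = None
        if hours is not None and hours.isdigit() and mins.isdigit():
            locked = int(hours) * 60 + int(mins)
        entries.append({"user": user, "ip": ip, "locked_min": locked,
                        "clock_error": hours == "--"})
    return entries


def review(entries):
    """Return (IPs with more than one locked user, users with clock errors)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["user"])
    shared = {ip: users for ip, users in by_ip.items() if len(users) > 1}
    clock_errors = [e["user"] for e in entries if e["clock_error"]]
    return shared, clock_errors
```

A clock_error entry means the lock duration cannot be trusted, so the device clock and its change history should be checked before relying on the LOCKED-TIME column.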

1.1.3  display password-control super

Syntax

display password-control super

View

Any view

Parameters

None

Description

Use the display password-control super command to view the password control information for super passwords, including password aging time and the minimum password length.

Examples

# Display the super password control information.

<H3C> display password-control super

 Super's password settings:

Password Aging :                 Enabled(10 days)

 Password Length:                 Enabled(10 Characters) 

1.1.4  password

Syntax

password [ simple | cipher ] password

undo password

View

Local user view

Parameters

simple: Plain text, a string containing 1 to 63 characters.

cipher: Cipher text, a string containing 1 to 88 characters.

password: Login password.

Description

Use the password command to configure the password for a local user.

Use the undo password command to delete the user password.

By default, no password is set for local users.

To access the FTP server through FTP, you must perform this configuration. 

Related commands: password-control.

Examples

# Set the system login password to 9876543210.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user test

[H3C-luser-test] password

Password:**********

confirm:**********

Updating the password file, please wait...

# Change the system login password to 0123456789.

[H3C-luser-test] password

Password:**********

Confirm :**********

Updating  password-file  ,please waiting ...

1.1.5  password-control

Syntax

password-control { aging aging-time | length length | login-attempt login-times [ exceed { lock | unlock | locktime [ time ] } ] | history max-record-num | alert-before-expire alert-time | authentication-timeout authentication-timeout }

undo password-control { aging | length | login-attempt | history | alert-before-expire | authentication-timeout | exceed { lock | unlock | locktime } }

View

System view

Parameters

aging-time: Configures the system password aging time. The value range is 1 to 365 days, and the default value is 90 days.

length: Configures the minimum password length. The value range is 4 to 32 characters, and the default value is 10.

login-times: Configures the maximum number of login attempts for each user. The value range is 2 to 10, and the default value is 3.

max-record-num: Configures the maximum number of history password records for each user. The value range is 2 to 10, and the default value is 4.

alert-time: Configures the alert time before password expiration. The value range is 1 to 30 days, and the default value is 7 days.

authentication-timeout: Configures the timeout time for user authentication. The value range is 30 to 120 seconds, and the default value is 60 seconds.

exceed: Configures the processing mode after failed login attempts.

lock: Locks the login user so that the user will not be able to log in to the switch until the administrator removes the user from the blacklist manually.

locktime [ time ]: Specifies the time during which the user is locked. The value range is 3 to 360 seconds, and the default value is 120 seconds. A locked user can log in to the switch again after the configured lock time.

unlock: The user can still log in after failed login attempts, without being locked.

The default processing mode is the unlock mode after password authentication fails. That is, the system will still allow the user to try to log in again after a failed login attempt.

Description

Use the password-control aging aging-time command to configure the aging time for system login passwords. This command can also be carried out in the local user view.

Use the password-control length length command to configure the minimum length for the system login passwords. This command can also be carried out in the local user view.

Use the password-control login-attempt login-times command to configure the number of password attempts allowed for each user.

Use the password-control history max-record-num command to configure the maximum number of history password records allowed for each user.

Use the password-control alert-before-expire alert-time command to configure the alert time before password expiration.

Use the password-control authentication-timeout authentication-timeout command to configure the timeout time for user password authentication.

Use the password-control login-attempt login-times exceed command to configure the processing mode used after password attempts fail.

Examples

# Configure the aging time of the system login passwords to 100 days.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] password-control aging 100

# Configure the minimum length of the system login passwords to 8 characters.

[H3C] password-control length 8

# Configure the number of password attempts allowed for each user to 5.

[H3C] password-control login-attempt 5

# Configure the maximum number of history password records allowed for each user to 10.

[H3C] password-control history 10

# Configure the alert time so that users are alerted 7 days before their passwords expire.

[H3C] password-control alert-before-expire  7

# Configure the timeout time of the user password authentication to 100 seconds.

[H3C] password-control authentication-timeout 100

# Configure the processing mode so that the system locks the user after failed password authentication attempts and allows the user to log in to the switch again 360 minutes later.

[H3C] password-control login-attempt 3 exceed locktime 360

1.1.6  password-control enable

Syntax

password-control { aging | length | history } enable

undo password-control { aging | length | history } enable

View

System view

Parameters

None

Description

Use the password-control enable commands to enable the password control function of the system. The specific usage is as follows:

Use the password-control aging enable command to enable password aging. By default, the password aging time is 90 days.

Use the password-control length enable command to enable the limitation of the minimum password length. By default, the minimum password length is 10 characters.

Use the password-control history enable command to enable history password recording. When a login password expires, the system will require the user to input a new password and will save the old password automatically to a file in the flash memory. By recording the history passwords, the system can prevent the user from using a single password or repeated passwords when modifying a password, which enhances security.

Use the undo password-control { aging | length | history } enable command to disable password control functions, such as password aging, the limitation of the minimum password length, and history password recording.

By default, all the above-mentioned password control functions are disabled.

Related commands: password-control.

Examples

# Enable password aging.

[H3C] password-control aging  enable

Password aging enabled for all users. Default: 90 days.

# Enable the limitation of the minimum password length.

[H3C] password-control length  enable

Password minimum length enabled for all users. Default: 10 characters.

# Disable password aging.

[H3C] undo password-control aging enable

# Enable history password recording.

[H3C] password-control history enable

Password history enabled for all users. Default: 10 history records

# Disable history password recording.

[H3C] undo password-control history enable

1.1.7  password-control super

Syntax

password-control super { aging aging-time | length min-length }

undo password-control super { aging | length }

View

System view

Parameters

aging-time: Specifies the aging time for super passwords. The value range is 1 to 365 days and the default value is 90 days.

min-length: Specifies the minimum length for super passwords. It ranges from 4 to 16 characters, and the default value is 10 characters.

Description

Use the password-control super command to configure some password control parameters for super commands, including the password aging time and the minimum password length. Use the undo password-control super command to restore the default settings.

Examples

# Set the password aging time for super commands to 10 days.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] password-control super aging 10

1.1.8  reset password-control history-record

Syntax

reset password-control history-record [ username username ]

View

User view

Parameters

username: Specifies a user whose history password record will be deleted.

Description

Use the reset password-control history-record command to delete the history password records of all users. Use the reset password-control history-record username username command to delete the history password record of a specified user.

After the history password record of a user is deleted, the configuration of a new password will not be restricted by the previously configured history password records.

Examples

# Delete the history password records of all users.

<H3C> reset password-control history-record

Are you sure to delete all  the  history record?[Y/N]

If you type "Y", the system will delete the history password records of all users and give the following prompt:

Updating the password file, please wait...

 All historical passwords have been cleared.

# Delete the history password records of user named test.

<H3C> reset password-control history-record user-name test

Are you sure to delete all the history record of user test ?[Y/N]

If you type "Y", the system will delete all the history password records of the specified user and give the following prompt:

Updating the password file, please wait...

All historical passwords of this user have been cleared.

1.1.9  reset password-control history-record super

Syntax

reset password-control history-record super [ level level-value ]

View

User view

Parameters

level-value: Specifies the user level whose super password history records will be deleted. The value range is 1 to 3.

Description

Use the reset password-control history-record super level level-value command to delete the history records of the super passwords for the users at the specified level.

Use the reset password-control history-record super command to delete the history records of all super passwords.

After the history password record of a user is deleted, the configuration of a new password will not be restricted by the previously configured history password records.

Examples

# Delete the history records of super passwords for the users at level 2.

<H3C> reset password-control history-record super level 2

Are you sure to clear  the  specified-level super password history records?[Y/N]

If you type Y, the system will delete the history records of super passwords for users at level 2.

1.1.10  reset password-control blacklist

Syntax

reset password-control blacklist [ username username ]

View

User view

Parameters

username username: Specifies a user name.

Description

Use the reset password-control blacklist command to remove all the users from the blacklist.

Use the reset password-control blacklist username username command to remove the specified user from the blacklist.

Examples

# Check the user information in the blacklist. Suppose the blacklist contains three users: test, tes, and test2.

<H3C> display password-control blacklist

USERNAME                        IP

test                            192.168.30.25

tes                             192.168.30.24

test2                           192.168.30.23

# Remove user test from the blacklist.

<H3C> reset password-control blacklist user-name test 

Are you sure to delete the  blacklist-users ?[Y/N]y

 All the blacklist users  have been cleared.

# Check the current user information in the blacklist and verify that user “test” has been removed.

<H3C> display password-control blacklist

USERNAME                        IP

tes                             192.168.30.24

test2                           192.168.30.23

 
