05 Password Control Commands (11-Security Command Reference)
Contents
Password control configuration commands
display password-control blacklist
password-control { aging | composition | history | length } enable
password-control alert-before-expire
password-control authentication-timeout
password-control expired-user-login
password-control login idle-time
password-control login-attempt
password-control password update interval
password-control super composition
reset password-control blacklist
reset password-control history-record
display password-control
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display password-control command to display password control configuration information.
Examples
# Display the global password control configuration information.
<Sysname> display password-control
Global password control configurations:
Password control: Disabled
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
User authentication timeout: 60 seconds
Maximum failed login attempts: 3 times
Login attempt-failed action: Lock for 1 minutes
Minimum password update time: 24 hours
User account idle-time: 90 days
Login with aged password: 3 times in 30 days
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration information for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 1 Output description
Field | Description |
---|---|
Password control | Whether the password control feature is enabled. |
Password aging | Whether password aging is enabled and, if enabled, the aging time. |
Password length | Whether the minimum password length restriction function is enabled and, if enabled, the setting. |
Password composition | Whether the password composition restriction function is enabled and, if enabled, the settings. |
Password history | Whether the password history function is enabled and, if enabled, the setting. |
Early notice on password expiration | Number of days during which the user is warned of the pending password expiration. |
User authentication timeout | Password authentication timeout time. |
Maximum failed login attempts | Allowed maximum number of consecutive failed login attempts for FTP and VTY users. |
Login attempt-failed action | Action to be taken after a user fails to log in for the specified number of attempts. |
Minimum password update time | Minimum password update interval. |
User account idle-time | Maximum account idle time. |
Login with aged password | Number of times and maximum number of days a user can log in using an expired password. |
Password complexity | Whether the password complexity is checked, including: checking whether a password contains the username or the reverse of the username; checking whether a password contains any character that is repeated consecutively three or more times. |
display password-control blacklist
Syntax
display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
user-name name: Specifies a user by name, a string of 1 to 80 characters.
ip ipv4-address: Specifies a user by IPv4 address.
ipv6 ipv6-address: Specifies a user by IPv6 address.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display password-control blacklist command to display information about users blacklisted due to authentication failure.
With no arguments provided, this command displays information about all users in the blacklist.
Examples
# Display information about users blacklisted due to authentication failure.
<Sysname> display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 1 Lock flag: unlock
Total 1 blacklist item(s) matched. 1 listed.
Table 2 Output description
Field | Description |
---|---|
Username | Username of the user. |
IP | IP address of the user. |
Login failed times | Number of login failures. |
Lock flag | Whether the user is currently prohibited from logging in: unlock means not prohibited; lock means prohibited, temporarily or permanently, depending on the password-control login-attempt command. |
password
Syntax
password
undo password
View
Local user view
Default level
2: System level
Parameters
None
Description
Use the password command to set a password for a local user in interactive mode.
Use the undo password command to remove the password for a local user.
Valid characters for a local user password include uppercase letters A to Z, lowercase letters a to z, numbers 0 to 9, blank space, and these 31 symbols: tilde (~), exclamation mark (!), at sign (@), number sign (#), dollar sign ($), percent (%), caret (^), ampersand (&), asterisk (*), brackets ({ }, ( ), [ ], < >), hyphen (-), underscore (_), plus (+), equal sign (=), vertical bar (|), backslash (\), colon (:), semicolon (;), quotation mark ("), apostrophe ('), comma (,), period (.), slash (/).
A local user password configured in interactive mode must satisfy the password control requirement. For example, if the minimum password length is set to 8, the password must contain at least eight characters.
Examples
# Set a password for local user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....
password-control { aging | composition | history | length } enable
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
View
System view
Default level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Description
Use the password-control { aging | composition | history | length } enable command to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use the undo password-control { aging | composition | history | length } enable command to disable the specified function.
By default, the four password control functions are all enabled.
For these four functions to take effect, the password control feature must be enabled globally.
You must enable a function for its relevant configurations to take effect. For example, if the minimum password length restriction function is not enabled, the setting by the password-control length command does not take effect.
The system stops recording history passwords after you execute the undo password-control history enable command, but the prior records still exist.
Related commands: password-control enable and display password-control.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Enable the password composition restriction function.
[Sysname] password-control composition enable
# Enable the password aging function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.
[Sysname] password-control history enable
password-control aging
Syntax
password-control aging aging-time
undo password-control aging
View
System view, user group view, local user view
Default level
2: System level
Parameters
aging-time: Password aging time in days, in the range of 1 to 365.
Description
Use the password-control aging command to set the password aging time.
Use the undo password-control aging command to restore the default.
By default, the global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
The setting in system view has global significance and applies to all user groups, the setting in user group view applies to all local users in the user group, and the setting in local user view applies to only the local user.
A password aging time setting with a smaller application range has a higher priority. That is, the system prefers the setting for a local user. If there is no setting for the local user, the system will use the setting for the user group. If there is no setting for the user group, the system will use the global setting.
Related commands: display password-control, local-user, and user-group.
Examples
# Set the global password aging time to 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the password aging time for user group test to 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password aging time for local user abc to 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
password-control alert-before-expire
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
View
System view
Default level
2: System level
Parameters
alert-time: Number of days before a user’s password expires during which the user is warned of the pending password expiration, in the range of 1 to 30.
Description
Use the password-control alert-before-expire command to set the number of days before a user’s password expires during which the user is warned of the pending password expiration.
Use the undo password-control alert-before-expire command to restore the default.
By default, a user is warned of pending password expiration 7 days before the user’s password expires.
Examples
# Configure the device to warn a user about pending password expiration 10 days before the user’s password expires.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
password-control authentication-timeout
Syntax
password-control authentication-timeout authentication-timeout
undo password-control authentication-timeout
View
System view
Default level
2: System level
Parameters
authentication-timeout: User authentication timeout time in seconds, in the range of 30 to 120.
Description
Use the password-control authentication-timeout command to set the user authentication timeout time.
Use the undo password-control authentication-timeout command to restore the default.
By default, the user authentication timeout time is 60 seconds.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40
password-control complexity
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
View
System view
Default level
2: System level
Parameters
same-character: Refuses a password that contains any character repeated consecutively three or more times.
user-name: Refuses a password that contains the username or the reverse of the username.
Description
Use the password-control complexity command to configure the password complexity checking policy. Unqualified passwords will be refused.
Use the undo password-control complexity { same-character | user-name } check command to remove a password complexity checking item.
By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.
Related commands: display password-control.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.
<Sysname> system-view
[Sysname] password-control complexity user-name check
password-control composition
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
View
System view, user group view, local user view
Default level
2: System level
Parameters
type-number type-number: Specifies the minimum number of password composition types, in the range of 1 to 4.
type-length type-length: Specifies the minimum number of characters of each password composition type, in the range of 1 to 63.
Description
Use the password-control composition command to configure the password composition policy.
Use the undo password-control composition command to restore the default.
By default, the global password composition policy is as follows: the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is also 1. The default password composition policy of a user group is the same as the global policy, and the default password composition policy of a local user is the same as that of the user group to which the local user belongs.
The settings in system view have global significance and apply to all user groups, the settings in user group view apply to all local users in the user group, and the settings in local user view apply to only the local user.
A password composition policy with a smaller application range has a higher priority. That is, the system prefers the settings for a local user. If there is no setting for the local user, the system will use the settings for the user group. If there is no setting for the user group, the system will use the global settings.
Related commands: display password-control, local-user, and user-group.
Examples
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for all passwords.
<Sysname> system-view
[Sysname] password-control composition type-number 3 type-length 5
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control composition type-number 3 type-length 5
password-control enable
Syntax
password-control enable
undo password-control enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the password-control enable command to enable the password control feature globally.
Use the undo password-control enable command to disable the password control feature globally.
By default, the password control feature is disabled globally.
The password control functions take effect only after the password control feature is enabled globally.
Related commands: display password-control.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
password-control expired-user-login
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
View
System view
Default level
2: System level
Parameters
delay: Maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Maximum number of times a user can log in after the password expires, in the range of 0 to 10. 0 means that a user cannot log in after the password expires.
Description
Use the password-control expired-user-login command to set the maximum number of days and maximum number of times that a user can log in after the password expires.
Use the undo password-control expired-user-login command to restore the defaults.
By default, a user can log in three times within 30 days after the password expires.
Related commands: display password-control.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
<Sysname> system-view
[Sysname] password-control expired-user-login delay 60 times 5
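The aging, alert-before-expire and expired-user-login settings above combine into one password lifecycle. The following is an added example, not code from the reference or the device: a Python model of that lifecycle, using the defaults the reference states (90 days aging, 7 days early notice, 3 logins within 30 days after expiry) and the local-user > user-group > global priority rule for the aging time. Day numbers, the `Account` and `AgingPolicy` classes, and the inclusive treatment of the expiry and grace-window boundaries are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class AgingPolicy:
    """Effective password-control settings (defaults as stated in the reference)."""
    aging_days: int = 90          # password-control aging aging-time (1..365)
    alert_days: int = 7           # password-control alert-before-expire alert-time (1..30)
    expired_delay_days: int = 30  # password-control expired-user-login delay (1..90)
    expired_times: int = 3        # password-control expired-user-login times (0..10)


def resolve_aging(global_days, group_days=None, user_days=None):
    """Pick the aging time with the smallest application range: the local user
    setting first, then the user group setting, then the global (system view) one."""
    if user_days is not None:
        return user_days
    if group_days is not None:
        return group_days
    return global_days


@dataclass
class Account:
    password_set_day: int     # day number on which the password was last changed (assumed)
    expired_logins: int = 0   # logins already made with the expired password


def password_state(account, policy, today):
    """Classify the password on a given day.
    Assumption: boundaries are inclusive, so the password expires once it is
    aging_days old, and the expired-login grace window covers expired_delay_days
    after that."""
    age = today - account.password_set_day
    days_left = policy.aging_days - age
    if days_left > policy.alert_days:
        return "ok"
    if days_left > 0:
        return f"warn:{days_left}"      # early notice of pending expiration
    days_over = -days_left
    if (days_over <= policy.expired_delay_days
            and account.expired_logins < policy.expired_times):
        return "expired-grace"
    return "expired-denied"


def try_login(account, policy, today):
    """Apply the state to a login: a grace login consumes one of the allowed
    expired logins. Returns (allowed, state)."""
    state = password_state(account, policy, today)
    if state == "expired-denied":
        return False, state
    if state == "expired-grace":
        account.expired_logins += 1
    return True, state


if __name__ == "__main__":
    # Example values from the reference: global 80, group 90, local user 100 days.
    print("effective aging:", resolve_aging(80, 90, 100))
    acct = Account(password_set_day=0)
    for day in (50, 83, 89, 90, 91, 92, 93):
        print(day, try_login(acct, AgingPolicy(), day))
```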
password-control history
Syntax
password-control history max-record-num
undo password-control history
View
System view
Default level
2: System level
Parameters
max-record-num: Maximum number of history password records for each user, in the range of 2 to 15.
Description
Use the password-control history command to set the maximum number of history password records for each user.
Use the undo password-control history command to restore the default.
By default, the maximum number of history password records for each user is 4.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
password-control length
Syntax
password-control length length
undo password-control length
View
System view, user group view, local user view
Default level
2: System level
Parameters
length: Minimum password length in characters, in the range of 4 to 32.
Description
Use the password-control length command to set the minimum password length.
Use the undo password-control length command to restore the default.
By default, the global minimum password length is 10 characters, the minimum password length of a user group equals the global setting, and the minimum password length of a local user equals that of the user group to which the local user belongs.
The setting in system view has global significance and applies to all user groups, the setting in user group view applies to all local users in the user group, and the setting in local user view applies to only the local user.
A minimum password length setting with a smaller application range has a higher priority. That is, the system prefers the setting for a local user. If there is no setting for the local user, the system will use the setting for the user group. If there is no setting for the user group, the system will use the global setting.
Related commands: display password-control, local-user, and user-group.
Examples
# Set the global minimum password length to 9 characters.
<Sysname> system-view
[Sysname] password-control length 9
# Set the minimum password length to 9 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 9
[Sysname-ugroup-test] quit
# Set the minimum password length to 9 characters for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control length 9
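The complexity, composition and length commands above each reject a password for a different reason. The following is an added example, not code from the reference or the device: a Python validator that applies the effective settings of those three commands (after the local-user > user-group > global resolution) plus the valid character set listed under the password command. Assumptions of this model: the four composition types are uppercase letters, lowercase letters, digits and symbols (the reference counts types but does not name them); a blank space is valid but counts toward no type; a type counts toward type-number only when it meets type-length; and the user-name check compares case-sensitively.

```python
import re
from dataclasses import dataclass

# Character set the "password" entry lists as valid for a local user password.
ALLOWED_SYMBOLS = set('~!@#$%^&*{}()[]<>-_+=|\\:;"\',./')
ALLOWED_CHARS = (set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ")
                 | ALLOWED_SYMBOLS)


@dataclass
class PasswordPolicy:
    """Effective settings that apply to one local user (assumed structure)."""
    length_enable: bool = True          # password-control length enable
    min_length: int = 10                # password-control length (4..32), default 10
    composition_enable: bool = True     # password-control composition enable
    type_number: int = 1                # composition type-number (1..4), default 1
    type_length: int = 1                # composition type-length (1..63), default 1
    user_name_check: bool = False       # password-control complexity user-name check
    same_character_check: bool = False  # password-control complexity same-character check


def composition_counts(password):
    """Count characters per composition type (assumed types, see lead-in)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "symbol": 0}
    for ch in password:
        if "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        elif ch in ALLOWED_SYMBOLS:
            counts["symbol"] += 1
    return counts


def check_password(password, username, policy):
    """Return the list of failed checks; an empty list means the password is accepted."""
    failures = []
    if any(ch not in ALLOWED_CHARS for ch in password):
        failures.append("invalid-character")
    if policy.length_enable and len(password) < policy.min_length:
        failures.append("length")
    if policy.composition_enable:
        # A type qualifies when it has at least type-length characters;
        # at least type-number qualifying types are required.
        qualifying = sum(1 for n in composition_counts(password).values()
                         if n >= policy.type_length)
        if qualifying < policy.type_number:
            failures.append("composition")
    if policy.user_name_check and username:
        if username in password or username[::-1] in password:
            failures.append("user-name")
    # same-character: any character repeated three or more times consecutively.
    if policy.same_character_check and re.search(r"(.)\1\1", password):
        failures.append("same-character")
    return failures


if __name__ == "__main__":
    # Policy from the reference examples: 3 types, 5 characters per type,
    # plus both complexity checks enabled.
    strict = PasswordPolicy(type_number=3, type_length=5,
                            user_name_check=True, same_character_check=True)
    for pw in ("ABCDEfghij12345", "testAAA1234567"):
        print(pw, "->", check_password(pw, "test", strict) or "accepted")
```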
password-control login idle-time
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
View
System view
Default level
2: System level
Parameters
idle-time: Maximum account idle time in days, in the range of 0 to 365. 0 means no restriction on account idle time.
Description
Use the password-control login idle-time command to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid.
Use the undo password-control login idle-time command to restore the default.
By default, the maximum account idle time is 90 days.
Related commands: display password-control.
Examples
# Set the maximum account idle time to 30 days.
<Sysname> system-view
[Sysname] password-control login idle-time 30
password-control login-attempt
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
View
System view
Default level
2: System level
Parameters
login-times: Maximum number of consecutive failed login attempts, in the range of 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in minutes and in the range of 1 to 360.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in.
Description
Use the password-control login-attempt command to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
Use the undo password-control login-attempt command to restore the default.
By default, the maximum number of consecutive failed login attempts is three and a user failing to log in after the specified number of attempts must wait for one minute before trying again.
If prohibited permanently, a user can log in only after you remove the user from the blacklist.
If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes the user from the blacklist.
If not prohibited from logging in, a user is removed from the blacklist as soon as the user logs in successfully or after the blacklist aging time (one minute) elapses.
Related commands: display password-control, display password-control blacklist, and reset password-control blacklist.
Examples
# Set the maximum number of login attempts to four and permanently prohibit a user failing to log in after four attempts from logging in.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user tries to log in but fails four times, you can find it in the blacklist, with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 4 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within three minutes if the user fails to log in after two attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user tries to log in but fails two times, you can find it in the blacklist, with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 2 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
After three minutes, the user is removed from the blacklist and can log in again.
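The three exceed actions behave differently once the attempt limit is reached, and the two walkthroughs above show only lock and lock-time. The following is an added example, not code from the reference or the device: a Python model of the blacklist that password-control login-attempt maintains, covering all three actions, the one-minute aging of unlocked entries, removal on successful login, the reset password-control blacklist command, and output in the layout of display password-control blacklist. The `Blacklist` class and the caller-supplied clock (plain seconds) are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

BLACKLIST_AGING_SECONDS = 60  # the reference gives a one-minute blacklist aging time


@dataclass
class LoginAttemptPolicy:
    login_times: int = 3        # login-attempt login-times (2..10), default 3
    exceed: str = "lock-time"   # "lock" (permanent), "lock-time" (temporary) or "unlock"
    lock_time_minutes: int = 1  # lock-time time (1..360); default is a one-minute wait


@dataclass
class BlacklistEntry:
    username: str
    ip: str
    failed_times: int = 0
    lock_flag: str = "unlock"          # "Lock flag" field of the display output
    last_failure: float = 0.0          # drives the one-minute aging of unlocked entries
    locked_at: Optional[float] = None  # when a lock-time lock started


class Blacklist:
    """Model of the blacklist kept by password-control login-attempt (assumed structure)."""

    def __init__(self, policy):
        self.policy = policy
        self.entries = {}  # (username, ip) -> BlacklistEntry

    def _age_out(self, now):
        # Entries that are not locked disappear after the blacklist aging time.
        for key, e in list(self.entries.items()):
            if e.lock_flag == "unlock" and now - e.last_failure >= BLACKLIST_AGING_SECONDS:
                del self.entries[key]

    def is_allowed(self, username, ip, now):
        """Would a new login attempt be admitted to authentication right now?"""
        self._age_out(now)
        e = self.entries.get((username, ip))
        if e is None or e.lock_flag == "unlock":
            return True
        if self.policy.exceed == "lock":
            return False  # permanent: only reset password-control blacklist releases the user
        if now - e.locked_at >= self.policy.lock_time_minutes * 60:
            del self.entries[(username, ip)]  # the temporary lock time has elapsed
            return True
        return False

    def record_failure(self, username, ip, now):
        self._age_out(now)
        e = self.entries.setdefault((username, ip), BlacklistEntry(username, ip))
        e.failed_times += 1
        e.last_failure = now
        if (e.failed_times >= self.policy.login_times
                and self.policy.exceed != "unlock" and e.lock_flag == "unlock"):
            e.lock_flag = "lock"
            e.locked_at = now
        return e

    def record_success(self, username, ip):
        # A user who is not prohibited leaves the blacklist on a successful login.
        e = self.entries.get((username, ip))
        if e is not None and e.lock_flag == "unlock":
            del self.entries[(username, ip)]

    def reset(self, username=None):
        """reset password-control blacklist [ user-name name ]"""
        if username is None:
            self.entries.clear()
        else:
            for key in [k for k in self.entries if k[0] == username]:
                del self.entries[key]

    def display(self):
        """Text in the layout of display password-control blacklist."""
        lines = []
        for e in self.entries.values():
            lines.append(f"Username: {e.username}")
            lines.append(f"IP: {e.ip} Login failed times: {e.failed_times} Lock flag: {e.lock_flag}")
        n = len(self.entries)
        lines.append(f"Total {n} blacklist item(s) matched. {n} listed.")
        return "\n".join(lines)


if __name__ == "__main__":
    # Second walkthrough from the reference: 2 attempts, lock-time 3 minutes.
    bl = Blacklist(LoginAttemptPolicy(login_times=2, exceed="lock-time", lock_time_minutes=3))
    bl.record_failure("test", "192.168.44.1", 0)
    bl.record_failure("test", "192.168.44.1", 10)
    print(bl.display())
    print("allowed after 3 minutes:", bl.is_allowed("test", "192.168.44.1", 190))
```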
password-control password update interval
Syntax
password-control password update interval interval
undo password-control password update interval
View
System view
Default level
2: System level
Parameters
interval: Minimum password update interval in hours, in the range of 0 to 168. 0 means no requirement on the password update interval.
Description
Use the password-control password update interval command to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.
Use the undo password-control password update interval command to restore the default.
By default, the minimum password update interval is 24 hours.
This function is not effective in the case that a user is prompted to change the password when the user logs in for the first time or after the password is aged out.
Related commands: display password-control.
Examples
# Set the minimum password update interval to 36 hours.
<Sysname> system-view
[Sysname] password-control password update interval 36
password-control super aging
Syntax
password-control super aging aging-time
undo password-control super aging
View
System view
Default level
2: System level
Parameters
aging-time: Super password aging time in days, in the range of 1 to 365.
Description
Use the password-control super aging command to set the aging time for super passwords.
Use the undo password-control super aging command to restore the default.
By default, the aging time for super passwords is 90 days.
The setting for super passwords, if present, overrides that for all passwords.
Related commands: password-control aging.
Examples
# Set the aging time for super passwords to 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
password-control super composition
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
View
System view
Default level
2: System level
Parameters
type-number type-number: Specifies the minimum number of composition types for super passwords, in the range of 1 to 4.
type-length type-length: Specifies the minimum number of characters of each composition type for super passwords, in the range of 1 to 16.
Description
Use the password-control super composition command to configure the composition policy for super passwords.
Use the undo password-control super composition command to restore the default.
By default, both the minimum number of composition types and the minimum number of characters of each composition type are 1 for super passwords.
The settings for super passwords, if present, override those configured for all passwords.
Related commands: password-control composition.
Examples
# Set the minimum number of composition types to 3 and the minimum number of characters of each composition type to 5 for super passwords.
<Sysname> system-view
[Sysname] password-control super composition type-number 3 type-length 5
password-control super length
Syntax
password-control super length length
undo password-control super length
View
System view
Default level
2: System level
Parameters
length: Minimum length for super passwords in characters, in the range of 4 to 16.
Description
Use the password-control super length command to set the minimum length for super passwords.
Use the undo password-control super length command to restore the default.
By default, the minimum super password length is 10 characters.
The setting for super passwords, if present, overrides that for all passwords.
Related commands: password-control length.
Examples
# Set the minimum length for super passwords to 10 characters.
<Sysname> system-view
[Sysname] password-control super length 10
reset password-control blacklist
Syntax
reset password-control blacklist [ user-name name ]
View
User view
Default level
3: Manage level
Parameters
user-name name: Specifies the username of the user to be removed from the blacklist. name is a case-sensitive string of 1 to 80 characters.
Description
Use the reset password-control blacklist command to remove all or one user from the blacklist.
Related commands: display password-control blacklist.
Examples
# Delete the user named test from the blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
reset password-control history-record
Syntax
reset password-control history-record [ user-name name | super [ level level ] ]
View
User view
Default level
3: Manage level
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters.
super: Deletes the history records of the super password specified by the level level option or the history records of all super passwords.
level level: Specifies a user level, in the range of 1 to 3.
Description
Use the reset password-control history-record command to delete history password records.
With no arguments or keywords specified, this command deletes the history password records of all local users.
With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records? [Y/N]: