Login
- Table of Contents
-
- 11-Security Command Reference
- 00-Preface
- 01-AAA Commands
- 02-802.1X Commands
- 03-MAC Authentication Commands
- 04-Portal Commands
- 05 Password Control Commands
- 06-Public Key Commands
- 07-IPsec Commands
- 08-SSH Commands
- 09-Blacklist Commands
- 10-TCP and ICMP Attack Protection Commands
- 11-IP Source Guard Commands
- 12-ARP Attack Protection Commands
- 13-ND Attack Defense Commands
- 14-URPF Commands
- 15-PKI Commands
- 16-SSL Commands
- 17-FIPS Commands
- 18-Attack Detection and Protection Commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05 Password Control Commands | 167.18 KB |
Contents
display password-control blacklist
password-control { aging | composition | history | length } enable
password-control alert-before-expire
password-control authentication-timeout
password-control expired-user-login
password-control login idle-time
password-control login-attempt
password-control password update interval
password-control super composition
reset password-control blacklist
reset password-control history-record
The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about the FIPS mode, see Security Configuration Guide.
display password-control
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the command displays the global password control configuration.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display password-control to display password control configuration.
Examples
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Disabled
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
User authentication timeout: 60 seconds
Maximum failed login attempts: 3 times
Login attempt-failed action: Lock for 1 minutes
Minimum password update time: 24 hours
User account idle-time: 90 days
Login with aged password: 3 times in 30 days
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 1 Command output
|
Field |
Description |
|
Password control |
Whether the password control feature is enabled. |
|
Password aging |
Whether password aging is enabled and, if enabled, the aging time. |
|
Password length |
Whether the minimum password length restriction function is enabled and, if enabled, the setting. |
|
Password composition |
Whether the password composition restriction function is enabled and, if enabled, the settings. |
|
Password history |
Whether the password history function is enabled and, if enabled, the setting. |
|
Early notice on password expiration |
Number of days during which the user is warned of the pending password expiration. |
|
User authentication timeout |
Password authentication timeout time. |
|
Maximum failed login attempts |
Allowed maximum number of consecutive failed login attempts for FTP and VTY users. |
|
Login attempt-failed action |
Action to be taken after a user fails to login for the specified number of attempts. |
|
Minimum password update time |
Minimum password update interval. |
|
User account idle-time |
Maximum account idle time. |
|
Login with aged password |
Number of times and maximum number of days a user can log in using an expired password. |
|
Password complexity |
Whether the following password complexity checking is enabled: · username checking—Whether a password contains the username or the reverse of the username. · repeated characters checking—Whether a password contains any character that is repeated consecutively three or more times. |
display password-control blacklist
Syntax
display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
user-name name: Specifies a user by the name, a string of 1 to 80 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
ipv6 ipv6-address: Specifies the IPv6 address of a user.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display password-control blacklist to display information about users blacklisted due to authentication failure.
With no arguments provided, this command displays information about all users in the blacklist.
Examples
# Display information about users blacklisted due to authentication failure.
<Sysname> display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 1 Lock flag: unlock
Total 1 blacklist item(s) matched. 1 listed.
Table 2 Command output
|
Field |
Description |
|
Username |
Username of the user. |
|
IP |
IP address of the user. |
|
Login failed times |
Number of login failures. |
|
Lock flag |
Whether the user is prohibited from logging in: · unlock—Not prohibited. · lock—Prohibited, temporarily or permanently, depending on the password-control login-attempt command. |
password
Syntax
password
undo password
View
Local user view
Default level
2: System level
Parameters
None
Description
Use password to set a password for a local user in interactive mode.
Use undo password to remove the password for a local user.
Valid characters for a local user password are from the following four types:
· Uppercase letters A to Z.
· Lowercase letters a to z.
· Digits 0 to 9.
· Special characters in Table 3.
|
Character name |
Symbol |
Character name |
Symbol |
|
Ampersand sign |
& |
Apostrophe |
' |
|
Asterisk |
* |
At sign |
@ |
|
Back quote |
` |
Back slash |
\ |
|
Blank space |
N/A |
Caret |
^ |
|
Colon |
: |
Comma |
, |
|
Dollar sign |
$ |
Dot |
. |
|
Equal sign |
= |
Exclamation point |
! |
|
Left angle bracket |
< |
Left brace |
{ |
|
Left bracket |
[ |
Left parenthesis |
( |
|
Minus sign |
- |
Percent sign |
% |
|
Plus sign |
+ |
Pound sign |
# |
|
Quotation marks |
" |
Right angle bracket |
> |
|
Right brace |
} |
Right bracket |
] |
|
Right parenthesis |
) |
Semi-colon |
; |
|
Slash |
/ |
Tilde |
~ |
|
Underscore |
_ |
Vertical bar |
| |
A local user password configured in interactive mode must meet the password control requirement. For example, if the minimum password length is set to 8, the password must contain at least eight characters.
Examples
# Set a password for local user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....
password-control { aging | composition | history | length } enable
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
View
System view
Default level
2: System level
Parameters
aging: Enables the password aging function.
composition: Enables the password composition restriction function.
history: Enables the password history function.
length: Enables the minimum password length restriction function.
Description
Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.
Use undo password-control { aging | composition | history | length } enable to disable the specified function.
By default, the four password control functions are all enabled.
For these four functions to take effect, the password control feature must be enabled globally.
You must enable a function for its relevant configurations to take effect. For example, if the minimum password length restriction function is not enabled, the setting by the password-control length command does not take effect.
The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
Related commands: password-control enable and display password-control.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Enable the password composition restriction function.
[Sysname] password-control composition enable
# Enable the password aging function.
[Sysname] password-control aging enable
# Enable the minimum password length restriction function.
[Sysname] password-control length enable
# Enable the password history function.
[Sysname] password-control history enable
password-control aging
Syntax
password-control aging aging-time
undo password-control aging
View
System view, user group view, local user view
Default level
2: System level
Parameters
aging-time: Specifies the password aging time in days, in the range of 1 to 365.
Description
Use password-control aging to set the password aging time.
Use undo password-control aging to restore the default.
By default, the global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
A password aging time setting with a smaller application range has a higher priority. The system prefers the setting for a local user. If there is no setting for the local user, the system will use the setting for the user group. If there is no setting for the user group, the system will use the global setting.
If no super password aging time is specified, the default super password aging time is the same as the global password aging time.
Related commands: password-control super aging, display password-control, local-user, and user-group.
Examples
# Set the global password aging time to 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the password aging time for user group test to 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password aging time for local user abc to 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
password-control alert-before-expire
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
View
System view
Default level
2: System level
Parameters
alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Description
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
By default, a user is notified of pending password expiration 7 days before the user's password expires.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
password-control authentication-timeout
Syntax
password-control authentication-timeout authentication-timeout
undo password-control authentication-timeout
View
System view
Default level
2: System level
Parameters
authentication-timeout: Specifies the user authentication timeout time in seconds, in the range of 30 to 120.
Description
Use password-control authentication-timeout to set the user authentication timeout time.
Use undo password-control authentication-timeout to restore the default.
By default, the user authentication timeout time is 60 seconds.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40
password-control complexity
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
View
System view
Default level
2: System level
Parameters
same-character: Refuses a password that contains any character repeated consecutively three or more times.
user-name: Refuses a password that contains the username or the reverse of the username.
Description
Use password-control complexity to configure the password complexity checking policy.
Use undo password-control complexity check to remove a password complexity checking item.
By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.
You can enable both username checking and repeated character checking.
After the password complexity checking is enabled, weak passwords will be refused.
Related commands: display password-control.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.
<Sysname> system-view
[Sysname] password-control complexity user-name check
password-control composition
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
View
System view, user group view, local user view
Default level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types in a password. The value range for the type-number argument is 1 to 4 in non-FIPS mode. The value for the type-number argument is fixed to 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters that are from each character type in a password. The value range for the type-length argument is 1 to 63 in non-FIPS mode. The value range for the type-length argument is 1 to 15 in FIPS mode.
Description
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
In non-FIPS mode, the default global password composition policy is as follows: A password must contain at least one type of characters from uppercase letters, lowercase letters, digits or special characters (see "password"), and each type of characters in the password contains at least one character. The default password composition policy of a user group is the same as the global policy, and the default password composition policy of a local user is the same as that of the user group to which the local user belongs.
In FIPS mode, all passwords configured in any view must contain four types of characters from uppercase letters, lowercase letters, digits and special characters. The default global password composition policy is as follows: A password must contain four types of characters and each type must contain at least one character. The default password composition policy of a user group is the same as the global policy, and the default password composition policy of a local user is the same as that of the user group to which the local user belongs.
A password composition policy with a smaller application range has a higher priority. The system prefers the settings for a local user. If there is no setting for the local user, the system will use the settings for the user group. If there is no setting for the user group, the system will use the global settings.
If no super password composition policy is specified, the default super password composition policy is the same as the global password composition policy.
Related commands: password-control super composition, display password-control, local-user, and user-group.
Examples
# Specify that all passwords must each contain at least three types of characters and each type must contain at least five characters.
<Sysname> system-view
[Sysname] password-control composition type-number 3 type-length 5
# Specify that the passwords of user group test must each contain at least three types of characters and each type must contain at least five characters.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Specify that the passwords of local user abc must each contain at least three types of characters and each type must contain at least five characters.
[Sysname] local-user abc
[Sysname-luser-abc] password-control composition type-number 3 type-length 5
password-control enable
Syntax
password-control enable
undo password-control enable
View
System view
Default level
2: System level
Parameters
None
Description
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
By default, the password control feature is disabled globally.
The password control functions take effect only after the password control feature is enabled globally.
Disabling global password control (by using the undo password-control enable command) does not clear the history password records. To clear existing history password records, execute the reset password-control history-record command.
Related commands: display password-control.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
password-control expired-user-login
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
View
System view
Default level
2: System level
Parameters
delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90.
times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10 and 0 means that a user cannot log in after the password expires.
Description
Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.
Use undo password-control expired-user-login to restore the defaults.
By default, a user can log in three times within 30 days after the password expires.
Related commands: display password-control.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
<Sysname> system-view
[Sysname] password-control expired-user-login delay 60 times 5
password-control history
Syntax
password-control history max-record-num
undo password-control history
View
System view
Default level
2: System level
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.
Description
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
By default, the maximum number of history password records for each user is 4.
When the number of history password records exceeds your setting, the latest record overwrites the earliest one.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
password-control length
Syntax
password-control length length
undo password-control length
View
System view, user group view, local user view
Default level
2: System level
Parameters
length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode. The value range for this argument is 8 to 32 in FIPS mode.
Description
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
By default, the global minimum password length is 10 characters, the minimum password length of a user group equals the global setting, and the minimum password length of a local user equals that of the user group to which the local user belongs.
A minimum password length setting with a smaller application range has a higher priority. The system prefers the setting for a local user. If there is no setting for the local user, the system will use the setting for the user group. If there is no setting for the user group, the system will use the global setting.
If no super password minimum length is specified, the default super password minimum length is the same as the global minimum password length.
Related commands: password-control super length, display password-control, local-user, and user-group.
Examples
# Set the global minimum password length to 9 characters.
<Sysname> system-view
[Sysname] password-control length 9
# Set the minimum password length to 9 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 9
[Sysname-ugroup-test] quit
# Set the minimum password length to 9 characters for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control length 9
password-control login idle-time
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
View
System view
Default level
2: System level
Parameters
idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time.
Description
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid.
Use undo password-control login idle-time to restore the default.
By default, the maximum account idle time is 90 days.
Related commands: display password-control.
Examples
# Set the maximum account idle time to 30 days.
<Sysname> system-view
[Sysname] password-control login idle-time 30
password-control login-attempt
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
View
System view
Default level
2: System level
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in minutes and in the range of 1 to 360.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in.
Description
Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
Use undo password-control to restore the default.
By default, the maximum number of consecutive failed login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
If prohibited permanently, a user can log in only after you remove the user from the blacklist.
If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes the user from the blacklist.
If not prohibited to log in, a user is removed from the blacklist as long as the user logs in successfully or after the blacklist aging time (1 minute) elapses.
Related commands: display password-control, display password-control blacklist, and reset password-control blacklist.
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the user fails to log in after four attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user fails to log in after four attempts, you can find it in the blacklist, with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 4 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes if the user fails to log in after two attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user tries to log in but fails two times, you can find it in the blacklist, with its status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 2 Lock flag: lock
Total 1 blacklist item(s) matched. 1 listed.
After 3 minutes, the user is removed from the blacklist and can log in again.
password-control password update interval
Syntax
password-control password update interval interval
undo password-control password update interval
View
System view
Default level
2: System level
Parameters
interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.
Description
Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.
Use undo password-control password update interval to restore the default.
By default, the minimum password update interval is 24 hours.
This function is not effective in the case that a user is prompted to change the password when the user logs in for the first time or after the password is aged out.
Related commands: display password-control.
Examples
# Set the minimum password update interval to 36 hours.
<Sysname> system-view
[Sysname] password-control password update interval 36
password-control super aging
Syntax
password-control super aging aging-time
undo password-control super aging
View
System view
Default level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Description
Use password-control super aging to set the aging time for super passwords.
Use undo password-control super aging to restore the default.
By default, the aging time of super passwords is the same as the global password aging time.
If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords.
If you have specified an aging time for super passwords, the system applies the aging time to super passwords.
Related commands: password-control aging.
Examples
# Set the aging time for super passwords to 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
password-control super composition
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
View
System view
Default level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types for super passwords. The value range for the type-number argument is 1 to 4 in non-FIPS mode. The value range for the type-number argument is fixed to 4 in FIPS mode.
type-length type-length: Specifies the minimum length of characters that are from each character type for super passwords. The value range for the type-length argument is 1 to 16 in non-FIPS mode. The value range for the type-length argument is 1 to 4 in FIPS mode.
Description
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
By default, the composition policy of super passwords is the same as the global password composition policy.
If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords.
If you have specified a composition policy for super passwords, the system applies the composition policy to super passwords.
Related commands: password-control composition.
Examples
# Specify that all super passwords must each contain at least three types of characters and each type contains at least five characters.
<Sysname> system-view
[Sysname] password-control super composition type-number 3 type-length 5
password-control super length
Syntax
password-control super length length
undo password-control super length
View
System view
Default level
2: System level
Parameters
length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 16 in non-FIPS mode. The value range for this argument is 8 to 16 in FIPS mode.
Description
Use password-control super length to set the minimum length of super passwords.
Use undo password-control super length to restore the default.
By default, the minimum password length of super passwords is the same as the global minimum password length.
If you do not specify the minimum length of super passwords, the system applies the global minimum password length to super passwords.
If you have specified the minimum length of super passwords, the system applies the specified minimum length to super passwords.
Related commands: password-control length.
Examples
# Set the minimum length of super passwords to 10 characters.
<Sysname> system-view
[Sysname] password-control super length 10
reset password-control blacklist
Syntax
reset password-control blacklist [ all | user-name name ]
View
User view
Default level
3: Manage level
Parameters
all: Specifies all users in the blacklist.
user-name name: Specifies the username of the user to be removed from the blacklist. The name argument is a case-sensitive string of 1 to 80 characters.
Description
Use reset password-control blacklist to remove all or one user from the blacklist.
Related commands: display password-control blacklist.
Examples
# Delete the user named test from the blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
reset password-control history-record
Syntax
reset password-control history-record [ user-name name | super [ level level ] ]
View
User view
Default level
3: Manage level
Parameters
user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 80 characters.
super: Deletes the history records of the super password specified by the level level option or the history records of all super passwords.
level level: Specifies a user level in the range of 1 to 3.
Description
Use reset password-control history-record to delete history password records.
With no arguments or keywords specified, this command deletes the history password records of all local users.
With the super keyword specified but the level level option not specified, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records? [Y/N]:
