07-Security Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102
07-Password Control Commands

Password control commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Support for the commands in this chapter depends on the device model. For more information, see About the H3C Access Controllers Command References.

display password-control

Use display password-control to display password control configuration.

Syntax

display password-control [ super ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the global password control configuration.

<Sysname> display password-control

Global password control configurations:

 Password control:                    Disabled

 Password aging:                      Enabled (90 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (1 types,  1 characters per type)

 Password history:                    Enabled (max history records:4)

 Early notice on password expiration: 7 days

 User authentication timeout:         60 seconds

 Maximum failed login attempts:       3 times

 Login attempt-failed action:         Lock for 1 minutes

 Minimum password update time:        24 hours

 User account idle-time:              90 days

 Login with aged password:            3 times in 30 days

 Password complexity:                 Disabled (username checking)

                                      Disabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super

 Super password control configurations:

 Password aging:                      Enabled (90 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (1 types,  1 characters per type)

Table 1 Command output

Field

Description

Password control

Whether the password control feature is enabled.

Password aging

Whether password aging is enabled and, if enabled, the aging time.

Password length

Whether the minimum password length restriction function is enabled and, if enabled, the setting.

Password composition

Whether the password composition restriction function is enabled and, if enabled, the settings.

Password history

Whether the password history function is enabled and, if enabled, the setting.

Early notice on password expiration

Number of days during which the user is warned of the pending password expiration.

User authentication timeout

Password authentication timeout time.

Maximum failed login attempts

Allowed maximum number of consecutive failed login attempts for FTP and VTY users.

Login attempt-failed action

Action to be taken after a user fails to log in for the specified number of consecutive attempts.

Minimum password update time

Minimum password update interval.

User account idle-time

Maximum account idle time.

Login with aged password

Number of times and maximum number of days a user can log in using an expired password.

Password complexity

Whether the following password complexity checking is enabled:

·     username checking—Checks whether a password contains the username or the reverse of the username.

·     repeated characters checking—Checks whether a password contains any character that is repeated consecutively three or more times.
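The fields above are what an auditor reads off a device during a configuration review. The following script, added here as an example and not part of the H3C reference, parses the display password-control output reproduced on this page (embedded below as constructed sample input) and reports every setting that falls below a hardening baseline. The thresholds in BASELINE are this example's own assumptions, not H3C defaults, and should be replaced by the local password standard.

```python
"""Audit `display password-control` output against a hardening baseline.

Added example, not part of the H3C reference. SAMPLE_OUTPUT is the output
reproduced from this page; the thresholds in BASELINE are this example's own
assumptions and should be replaced by the local password standard.
"""
import re

# Sample input: the `display password-control` output shown on this page
# (factory defaults, password control still disabled).
SAMPLE_OUTPUT = """\
Global password control configurations:
 Password control:                    Disabled
 Password aging:                      Enabled (90 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (1 types,  1 characters per type)
 Password history:                    Enabled (max history records:4)
 Early notice on password expiration: 7 days
 User authentication timeout:         60 seconds
 Maximum failed login attempts:       3 times
 Login attempt-failed action:         Lock for 1 minutes
 Minimum password update time:        24 hours
 User account idle-time:              90 days
 Login with aged password:            3 times in 30 days
 Password complexity:                 Disabled (username checking)
                                      Disabled (repeated characters checking)
"""

# Assumed thresholds, not H3C defaults.
BASELINE = {"min_length": 12, "min_types": 3, "min_lock_minutes": 5}


def parse_password_control(text):
    """Map each 'Field: value' line to a dict entry.

    A line without a colon (the second 'Password complexity' line) continues
    the previous field, so both complexity checks end up in one value.
    """
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.strip().endswith("configurations:"):
            continue
        m = re.match(r"\s*(.+?):\s+(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] += " | " + line.strip()
    return fields


def _first_int(value):
    """First integer in a display value ('Enabled (10 characters)' -> 10), else 0."""
    m = re.search(r"\d+", value)
    return int(m.group()) if m else 0


def audit(fields, baseline=BASELINE):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if fields.get("Password control", "").startswith("Disabled"):
        findings.append("password control is disabled globally, so no rule below is enforced")

    length = fields.get("Password length", "")
    if length.startswith("Disabled") or _first_int(length) < baseline["min_length"]:
        findings.append(f"minimum password length '{length}' is weaker than {baseline['min_length']} characters")

    comp = fields.get("Password composition", "")
    if comp.startswith("Disabled") or _first_int(comp) < baseline["min_types"]:
        findings.append(f"composition '{comp}' requires fewer than {baseline['min_types']} character types")

    complexity = fields.get("Password complexity", "")
    for check in ("username checking", "repeated characters checking"):
        if f"Disabled ({check})" in complexity:
            findings.append(f"password complexity: {check} is disabled")

    action = fields.get("Login attempt-failed action", "")
    if not action.startswith("Lock"):
        findings.append(f"failed-login action '{action}' does not lock the account")
    elif action.startswith("Lock for") and _first_int(action) < baseline["min_lock_minutes"]:
        findings.append(f"lock time '{action}' is shorter than {baseline['min_lock_minutes']} minutes")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_password_control(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run against the page's own sample output the audit reports six findings, the first of which (password control disabled globally) makes the other five moot until password-control enable is issued. Paste the output of a real device in place of SAMPLE_OUTPUT to audit it.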

 

display password-control blacklist

Use display password-control blacklist to display information about users added to the password control blacklist due to authentication failure.

Syntax

display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

user-name name: Specifies a user by name, a string of 1 to 80 characters.

ip ipv4-address: Specifies the IPv4 address of a user.

ipv6 ipv6-address: Specifies the IPv6 address of a user.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

With no arguments provided, this command displays information about all users in the password control blacklist.

Examples

# Display information about users in the password control blacklist.

<Sysname> display password-control blacklist

Username: test

   IP: 192.168.44.1        Login failed times: 1      Lock flag: unlock

 

Total 1 blacklist item(s) matched. 1 listed.

Table 2 Command output

Field

Description

Username

Username of the user.

IP

IP address of the user.

Login failed times

Number of login failures.

Lock flag

Whether the user is prohibited from logging in:

·     unlock—Not prohibited.

·     lock—Prohibited temporarily or permanently, depending on the password-control login-attempt command.

blacklist item(s) matched

Number of user entries in the blacklist.

 

password

Use password to set a password for a local user in interactive mode.

Use undo password to remove the password for a local user.

Syntax

password

undo password

Views

Local user view

Default command level

2: System level

Usage guidelines

Valid characters for a local user password include the following types:

·     Uppercase letters A to Z.

·     Lowercase letters a to z.

·     Digits 0 to 9

·     Special characters in Table 3.

Table 3 Special characters

Character name        Symbol
Ampersand sign        &
Apostrophe            '
Asterisk              *
At sign               @
Back quote            `
Back slash            \
Blank space           N/A
Caret                 ^
Colon                 :
Comma                 ,
Dollar sign           $
Dot                   .
Equal sign            =
Exclamation point     !
Left angle bracket    <
Left brace            {
Left bracket          [
Left parenthesis      (
Minus sign            -
Percent sign          %
Plus sign             +
Pound sign            #
Quotation marks       "
Right angle bracket   >
Right brace           }
Right bracket         ]
Right parenthesis     )
Semi-colon            ;
Slash                 /
Tilde                 ~
Underscore            _
Vertical bar          |

 

A local user password configured in interactive mode must meet the password control requirements. For example, if the minimum password length is set to 8, the password must contain at least 8 characters.

Examples

# Set a password for local user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test

[Sysname-luser-test] password

Password:**********

Confirm :**********

Updating user(s) information, please wait....

password-control { aging | composition | history | length } enable

Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function.

Use undo password-control { aging | composition | history | length } enable to disable the specified function.

Syntax

password-control { aging | composition | history | length } enable

undo password-control { aging | composition | history | length } enable

Default

The password control functions (aging, composition, history, and length) are all enabled.

Views

System view

Default command level

2: System level

Parameters

aging: Enables the password aging function.

composition: Enables the password composition restriction function.

history: Enables the password history function.

length: Enables the minimum password length restriction function.

Usage guidelines

To enable a specific password control function, first enable the global password control feature.

The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the previous records.

If the global password control feature is enabled but the minimum password length restriction function is disabled, the following rules apply:

·     In non-FIPS mode, a password must contain at least four characters and at least four characters must be different.

·     In FIPS mode, a password must contain at least eight characters and at least four characters must be different.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password composition restriction function.

[Sysname] password-control composition enable

# Enable the password aging function.

[Sysname] password-control aging enable

# Enable the minimum password length restriction function.

[Sysname] password-control length enable

# Enable the password history function.

[Sysname] password-control history enable

Related commands

·     password-control enable

·     display password-control

password-control aging

Use password-control aging to set the password aging time.

Use undo password-control aging to restore the default.

Syntax

password-control aging aging-time

undo password-control aging

Default

A password expires after 90 days. The password aging time for a user group equals the global setting, and the password aging time for a local user equals that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Default command level

2: System level

Parameters

aging-time: Specifies the password aging time in days, in the range of 1 to 365.

Usage guidelines

The expiration time depends on the view:

·     The time in system view has global significance and applies to all user groups.

·     The time in user group view applies to all local users in the user group.

·     The time in local user view applies only to the local user.

A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user. If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs. If no password expiration time is configured for the user group, the system uses the global password expiration time.

Examples

# Globally set the passwords to expire after 80 days.

<Sysname> system-view

[Sysname] password-control aging 80

# Set the passwords for user group test to expire after 90 days.

[Sysname] user-group test

[Sysname-ugroup-test] password-control aging 90

[Sysname-ugroup-test] quit

# Set the password for local user abc to expire after 100 days.

[Sysname] local-user abc

[Sysname-luser-abc] password-control aging 100

Related commands

·     display password-control

·     local-user

·     password-control super aging

·     user-group

password-control alert-before-expire

Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.

Use undo password-control alert-before-expire to restore the default.

Syntax

password-control alert-before-expire alert-time

undo password-control alert-before-expire

Default

The default is 7 days.

Views

System view

Default command level

2: System level

Parameters

alert-time: Specifies the number of days before a user's password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.

Examples

# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.

<Sysname> system-view

[Sysname] password-control alert-before-expire 10

password-control authentication-timeout

Use password-control authentication-timeout to set the user authentication timeout time.

Use undo password-control authentication-timeout to restore the default.

Syntax

password-control authentication-timeout authentication-timeout

undo password-control authentication-timeout

Default

The default is 60 seconds.

Views

System view

Default command level

2: System level

Parameters

authentication-timeout: Specifies the user authentication timeout time in seconds, in the range of 30 to 120.

Examples

# Set the user authentication timeout time to 40 seconds.

<Sysname> system-view

[Sysname] password-control authentication-timeout 40

password-control complexity

Use password-control complexity to configure the password complexity checking policy.

Use undo password-control complexity check to remove a password complexity checking item.

Syntax

password-control complexity { same-character | user-name } check

undo password-control complexity { same-character | user-name } check

Default

No user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively.

Views

System view

Default command level

2: System level

Parameters

same-character: Refuses a password that contains any character repeated consecutively three or more times.

user-name: Refuses a password that contains the username or the reverse of the username.

Usage guidelines

You can enable both username checking and repeated character checking.

After the password complexity checking is enabled, complexity-incompliant passwords will be refused.

Examples

# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

<Sysname> system-view

[Sysname] password-control complexity user-name check

Related commands

display password-control

password-control composition

Use password-control composition to configure the password composition policy.

Use undo password-control composition to restore the default.

Syntax

password-control composition type-number type-number [ type-length type-length ]

undo password-control composition

Default

In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.

In FIPS mode, the password using the global composition policy must contain four character types and at least one character for each type.

In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy, and the password composition policy for a local user is the same as that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Default command level

2: System level

Parameters

type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.

type-length type-length: Specifies the minimum number of characters that each type must contain. The value range for the type-length argument is 1 to 63.

Usage guidelines

The password composition policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user. If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs. If no policy is configured for the user group, the system uses the global policy.

Examples

# Specify that all passwords must each contain at least three character types and at least five characters for each type.

<Sysname> system-view

[Sysname] password-control composition type-number 3 type-length 5

# Specify that passwords in user group test must contain at least three character types and at least five characters for each type.

[Sysname] user-group test

[Sysname-ugroup-test] password-control composition type-number 3 type-length 5

[Sysname-ugroup-test] quit

# Specify that the password of local user abc must contain at least three character types and at least five characters for each type.

[Sysname] local-user abc

[Sysname-luser-abc] password-control composition type-number 3 type-length 5

Related commands

·     display password-control

·     local-user

·     password-control super composition

·     user-group
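The rules spread across the password command (Table 3 character set), password-control length, password-control composition, password-control complexity and the length-disabled fallback in password-control { aging | composition | history | length } enable are easier to reason about as one validator. The following model is an added example, not H3C code, and the device remains the reference for what it actually accepts: two points the page leaves open are marked as assumptions in the code, namely that a character type counts toward type-number only when the password holds at least type-length characters of that type, and that the username check is case-sensitive. Defaults follow the page (non-FIPS mode); the candidate passwords in the usage section are constructed.

```python
"""Model of the password rules this chapter describes, as an added example
(not H3C code): the valid character set for `password` (Table 3),
`password-control length`, `password-control composition type-number N
type-length M`, `password-control complexity { same-character | user-name }
check`, and the fallback that applies when the length restriction is disabled
in non-FIPS mode (at least four characters, at least four of them different).
"""
import re
import string
from dataclasses import dataclass

# Table 3 plus blank space. '?' is absent from the table (it is the CLI help
# key) and is therefore rejected.
SPECIALS = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}]);/~_|")
ALLOWED = set(string.ascii_letters) | set(string.digits) | SPECIALS


@dataclass
class Policy:
    """Page defaults unless changed: length 10, 1 type with 1 character, no complexity checks."""
    length_enabled: bool = True
    min_length: int = 10
    composition_enabled: bool = True
    type_number: int = 1
    type_length: int = 1
    check_user_name: bool = False
    check_same_character: bool = False


def char_types(pw):
    """Characters per type: the four types the composition policy counts."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for c in pw:
        if c in string.ascii_uppercase:
            counts["upper"] += 1
        elif c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.digits:
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(pw, username, policy):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        problems.append(f"characters not allowed: {''.join(bad)!r}")
    if policy.length_enabled:
        if len(pw) < policy.min_length:
            problems.append(f"shorter than {policy.min_length} characters")
    elif len(pw) < 4 or len(set(pw)) < 4:
        problems.append("fewer than 4 characters or fewer than 4 distinct characters")
    if policy.composition_enabled:
        # Assumption: a type counts toward type-number only when the password
        # holds at least type-length characters of it.
        qualifying = sum(1 for n in char_types(pw).values() if n >= policy.type_length)
        if qualifying < policy.type_number:
            problems.append(f"needs {policy.type_number} character types with at least "
                            f"{policy.type_length} characters each (has {qualifying})")
    if policy.check_user_name and username:
        # Assumption: the comparison is case-sensitive.
        if username in pw or username[::-1] in pw:
            problems.append("contains the username or the reverse of the username")
    if policy.check_same_character and re.search(r"(.)\1\1", pw):
        problems.append("a character is repeated three or more times consecutively")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against a stricter-than-default policy.
    strict = Policy(min_length=10, type_number=3, type_length=2,
                    check_user_name=True, check_same_character=True)
    for candidate in ("Tr0ub4dor&3-Xy", "admin12345", "aaaPassword?"):
        print(candidate, "->", check_password(candidate, "admin", strict) or "accepted")
```

With the strict policy in the usage block, "admin12345" is refused twice over (it embeds the username and has only two character types), and "aaaPassword?" fails on the repeated-character check and on the "?" that Table 3 does not allow. With the length restriction disabled, "abcd" passes the four-distinct-characters fallback while "aabb" does not.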

password-control enable

Use password-control enable to enable the password control feature globally.

Use undo password-control enable to disable the password control feature globally.

Syntax

password-control enable

undo password-control enable

Default

In non-FIPS mode, the password control feature is disabled globally.

In FIPS mode, the password control feature is enabled globally and cannot be disabled.

Views

System view

Default command level

2: System level

Usage guidelines

A specific password control function takes effect only after the password control feature is enabled globally.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

Related commands

display password-control

password-control expired-user-login

Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Use undo password-control expired-user-login to restore the defaults.

Syntax

password-control expired-user-login delay delay times times

undo password-control expired-user-login

Default

A user can log in three times within 30 days after the password expires.

Views

System view

Default command level

2: System level

Parameters

delay: Specifies the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.

times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10 and 0 means that a user cannot log in after the password expires.

Examples

# Specify that a user can log in five times within 60 days after the password expires.

<Sysname> system-view

[Sysname] password-control expired-user-login delay 60 times 5

Related commands

display password-control

password-control history

Use password-control history to set the maximum number of history password records for each user.

Use undo password-control history to restore the default.

Syntax

password-control history max-record-num

undo password-control history

Default

The maximum number of history password records for each user is 4.

Views

System view

Default command level

2: System level

Parameters

max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.

Examples

# Set the maximum number of history password records for each user to 10.

<Sysname> system-view

[Sysname] password-control history 10

password-control length

Use password-control length to set the minimum password length.

Use undo password-control length to restore the default.

Syntax

password-control length length

undo password-control length

Default

The global minimum password length is 10 characters. The minimum password length for a user group equals the global setting, and the minimum password length for a local user equals that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Default command level

2: System level

Parameters

length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 8 to 32 in FIPS mode.

Usage guidelines

The minimum length setting depends on the view:

·     The setting in system view has global significance and applies to all user groups.

·     The setting in user group view applies to all local users in the user group.

·     The setting in local user view applies only to the local user.

A minimum password length setting with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user. If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs. If no minimum password length is configured for the user group, the system uses the global minimum password length.

Examples

# Set the global minimum password length to 9 characters.

<Sysname> system-view

[Sysname] password-control length 9

# Set the minimum password length to 9 characters for user group test.

[Sysname] user-group test

[Sysname-ugroup-test] password-control length 9

[Sysname-ugroup-test] quit

# Set the minimum password length to 9 characters for local user abc.

[Sysname] local-user abc

[Sysname-luser-abc] password-control length 9

Related commands

·     display password-control

·     local-user

·     password-control super length

·     user-group

password-control login idle-time

Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid and you can no longer use this account to log in to the device.

Use undo password-control login idle-time to restore the default.

Syntax

password-control login idle-time idle-time

undo password-control login idle-time

Default

You cannot use a user account to log in to the device if the account has been idle for 90 days.

Views

System view

Default command level

2: System level

Parameters

idle-time: Specifies the maximum account idle time, in the range of 0 to 365, in days. 0 means no restriction for account idle time.

Examples

# Set the maximum account idle time to 30 days.

<Sysname> system-view

[Sysname] password-control login idle-time 30

Related commands

display password-control

password-control login-attempt

Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts.

Use undo password-control login-attempt to restore the default.

Syntax

password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

undo password-control login-attempt

Default

The maximum number of consecutive failed login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.

Views

System view

Default command level

2: System level

Parameters

login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.

exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.

lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in.

lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again. The time argument is in the range of 1 to 360 minutes.

unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in.

Usage guidelines

If prohibited permanently, a user can log in only after you remove the user from the password control blacklist.

If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes the user from the password control blacklist.

If not prohibited from logging in, a user is removed from the password control blacklist as soon as the user logs in successfully or after the blacklist aging time (1 minute) elapses.

Examples

# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the user fails to log in after four attempts.

<Sysname> system-view

[Sysname] password-control login-attempt 4 exceed lock

Later, if a user tries to log in but fails four times, you can find it in the password control blacklist, with its status changed from unlock to lock:

[Sysname] display password-control blacklist

Username: test

   IP: 192.168.44.1        Login failed times: 4      Lock flag: lock

 

Total 1 blacklist item(s) matched. 1 listed.

The user can no longer log in.

# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes if the user fails to log in after two attempts.

<Sysname> system-view

[Sysname] password-control login-attempt 2 exceed lock-time 3

Later, if a user tries to log in but fails two times, you can find it in the password control blacklist, with its status changed from unlock to lock:

[Sysname] display password-control blacklist

Username: test

   IP: 192.168.44.1        Login failed times: 2      Lock flag: lock

 

Total 1 blacklist item(s) matched. 1 listed.

After 3 minutes, the user is removed from the password control blacklist and can log in again.
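The three exceed actions above differ in when an entry leaves the blacklist: never (lock), after the lock time (lock-time), or after a successful login or the 1-minute aging time (unlock). The following simulation, added here as an example and not H3C code, models that state machine with a caller-supplied clock in minutes so it runs offline. Two details the page does not state are marked as assumptions in the code: entries are keyed by username and IP address, and the 1-minute aging applies to every entry whose lock flag is unlock. The display method reproduces the layout of display password-control blacklist shown on this page.

```python
"""State machine for the password control blacklist as this chapter describes
it: `password-control login-attempt N exceed { lock | lock-time T | unlock }`,
`display password-control blacklist` and `reset password-control blacklist`.
Added example, not H3C code. The clock is a number of minutes supplied by the
caller, so the example runs offline with no real waiting.
"""
from dataclasses import dataclass
from typing import Optional

BLACKLIST_AGING_MINUTES = 1  # page: an unlocked entry ages out after 1 minute


@dataclass
class Entry:
    username: str
    ip: str
    failed: int = 0
    lock_flag: str = "unlock"           # "unlock" or "lock", as display shows it
    last_failure: float = 0.0
    lock_until: Optional[float] = None  # None while unlocked or permanently locked


class Blacklist:
    def __init__(self, login_times=3, exceed="lock-time", lock_time=1):
        """Page defaults: 3 consecutive failures, then lock for 1 minute."""
        self.login_times = login_times
        self.exceed = exceed            # "lock", "lock-time" or "unlock"
        self.lock_time = lock_time      # minutes, used only for "lock-time"
        self.entries = {}               # (username, ip) -> Entry (assumed key)

    def _expire(self, now):
        """Drop entries whose lock time or aging time has elapsed."""
        for key, e in list(self.entries.items()):
            if e.lock_flag == "lock":
                if e.lock_until is not None and now >= e.lock_until:
                    del self.entries[key]   # page: removed after the lock time
            elif now - e.last_failure >= BLACKLIST_AGING_MINUTES:
                # Assumption: the 1-minute aging the page states for the unlock
                # action applies to every entry whose lock flag is unlock.
                del self.entries[key]

    def is_locked(self, username, ip, now):
        self._expire(now)
        e = self.entries.get((username, ip))
        return e is not None and e.lock_flag == "lock"

    def login(self, username, ip, password_ok, now):
        """Process one login attempt; return True if the device accepts it."""
        self._expire(now)
        key = (username, ip)
        e = self.entries.get(key)
        if e is not None and e.lock_flag == "lock":
            return False                 # locked: even a correct password fails
        if password_ok:
            self.entries.pop(key, None)  # page: removed on successful login
            return True
        if e is None:
            e = self.entries[key] = Entry(username, ip)
        e.failed += 1
        e.last_failure = now
        if e.failed >= self.login_times and self.exceed != "unlock":
            e.lock_flag = "lock"
            e.lock_until = now + self.lock_time if self.exceed == "lock-time" else None
        return False

    def reset(self, username=None):
        """`reset password-control blacklist { all | user-name name }`."""
        if username is None:
            self.entries.clear()
        else:
            for key in [k for k in self.entries if k[0] == username]:
                del self.entries[key]

    def display(self, now):
        """Render the entries in the layout `display password-control blacklist` uses."""
        self._expire(now)
        lines = []
        for e in self.entries.values():
            lines.append(f"Username: {e.username}")
            lines.append(f"   IP: {e.ip:<16}Login failed times: {e.failed:<6} Lock flag: {e.lock_flag}")
        n = len(self.entries)
        lines.append(f"Total {n} blacklist item(s) matched. {n} listed.")
        return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the first example on this page: login-attempt 4 exceed lock.
    bl = Blacklist(login_times=4, exceed="lock")
    for minute in (0.0, 0.1, 0.2, 0.3):
        bl.login("test", "192.168.44.1", password_ok=False, now=minute)
    print(bl.display(now=0.5))
```

Note the operational consequence of exceed lock that the simulation makes explicit: once the flag is lock, a correct password is still refused until reset password-control blacklist is run, so a remote attacker who can reach the login prompt can deny service to any known username with a handful of bad passwords. lock-time bounds that exposure, and unlock removes it at the cost of unlimited guessing.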

Related commands

·     display password-control

·     display password-control blacklist

·     reset password-control blacklist

password-control password update interval

Use password-control password update interval to set the minimum password update interval, that is, the minimum interval at which users can change their passwords.

Use undo password-control password update interval to restore the default.

Syntax

password-control password update interval interval

undo password-control password update interval

Default

The minimum password update interval is 24 hours.

Views

System view

Default command level

2: System level

Parameters

interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.

Usage guidelines

This restriction does not apply to a user who is prompted to change the password at first login or after the password expires.

Examples

# Set the minimum password update interval to 36 hours.

<Sysname> system-view

[Sysname] password-control password update interval 36

Related commands

display password-control

password-control super aging

Use password-control super aging to set the aging time for super passwords.

Use undo password-control super aging to restore the default.

Syntax

password-control super aging aging-time

undo password-control super aging

Default

The aging time of super passwords is the same as the global aging time.

Views

System view

Default command level

2: System level

Parameters

aging-time: Specifies the super password aging time in days, in the range of 1 to 365.

Usage guidelines

If you do not specify an aging time for super passwords, the system applies the global password aging time to super passwords.

If you have specified an aging time for super passwords, the system applies the aging time to super passwords.

Examples

# Set the super passwords to expire after 10 days.

<Sysname> system-view

[Sysname] password-control super aging 10

Related commands

password-control aging

password-control super composition

Use password-control super composition to configure the composition policy for super passwords.

Use undo password-control super composition to restore the default.

Syntax

password-control super composition type-number type-number [ type-length type-length ]

undo password-control super composition

Default

The composition policy of super passwords is the same as the global policy.

Views

System view

Default command level

2: System level

Parameters

type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.

type-length type-length: Specifies the minimum number of characters that each type must contain. The value range for the type-length argument is 1 to 16.

Usage guidelines

If you do not specify a composition policy for super passwords, the system applies the global password composition policy to super passwords.

If you have specified a composition policy for super passwords, the system applies the composition policy to super passwords.

Examples

# Specify that a super password must contain at least three character types and at least five characters for each type.

<Sysname> system-view

[Sysname] password-control super composition type-number 3 type-length 5

Related commands

password-control composition

password-control super length

Use password-control super length to set the minimum length for super passwords.

Use undo password-control super length to restore the default.

Syntax

password-control super length length

undo password-control super length

Default

The minimum super password length is the same as the global setting.

Views

System view

Default command level

2: System level

Parameters

length: Specifies the minimum length for super passwords in characters. The value range for this argument is 4 to 16 in non-FIPS mode, and 8 to 16 in FIPS mode.

Usage guidelines

If you do not specify the minimum length of super passwords, the system applies the global minimum password length to super passwords.

If you have specified the minimum length of super passwords, the system applies the specified minimum length to super passwords.

Examples

# Set the minimum length for super passwords to 10 characters.

<Sysname> system-view

[Sysname] password-control super length 10

Related commands

password-control length

reset password-control blacklist

Use reset password-control blacklist to remove all or one user from the password control blacklist.

Syntax

reset password-control blacklist { all | user-name name }

Views

User view

Default command level

3: Manage level

Parameters

all: Clears all users from the password control blacklist.

user-name name: Specifies the user to be removed from the password control blacklist. The name argument is the username, a case-sensitive string of 1 to 80 characters.

Examples

# Delete the user named test from the password control blacklist.

<Sysname> reset password-control blacklist user-name test

Are you sure to delete the specified user in blacklist? [Y/N]:

Related commands

display password-control blacklist

reset password-control history-record

Use reset password-control history-record to delete history password records.

Syntax

reset password-control history-record [ user-name name | super [ level level ] ]

Views

User view

Default command level

3: Manage level

Parameters

user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters.

super: Deletes the history records of the super password specified by the level level option or the history records of all super passwords.

level level: Specifies a user level, in the range of 1 to 3.

Usage guidelines

With no arguments or keywords specified, this command deletes the history password records of all local users.

With the super keyword specified but the level argument not specified, this command deletes the history records of all super passwords.

Examples

# Clear the history password records of all local users (enter Y to confirm).

<Sysname> reset password-control history-record

   Are you sure to delete all local user's history records? [Y/N]:
