07-Security Configuration Guide

08-Password Control Configuration

Configuring password control

Overview

Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes password control functions in detail.

·     Minimum password length

By setting a minimum password length, you can force users to use passwords that are long enough for system security. If a user specifies a shorter password, the system rejects the setting and prompts the user to specify a password again.

·     Minimum password update interval

This function allows you to set the minimum interval at which users can change their passwords. If a non-manage level user logs in to change the password but the time elapsed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a non-manage level user cannot change the password twice within 48 hours. This prevents users from changing their passwords too frequently.

This function is not effective on users of the manage level. For information about user levels, see Fundamentals Configuration Guide.

This function is not effective on a user who is prompted to change the password at the first login or a user whose password has just been aged out.

·     Password aging

Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.

If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it.

·     Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password. If the user sets a new password that is complexity-compliant, the system records the new password and the setup time. If the user chooses not to change the password or the user fails to change it, the system allows the user to log in using the current password.

Telnet, SSH, and terminal users (users who log in to the device through the console or AUX interface) can change their passwords by themselves, but FTP users can only have their passwords changed by the administrator.

·     Login with an expired password

You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.

·     Password history

With this feature enabled, the system maintains a number of the passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must differ from each used one in at least four characters, and those four characters must not all be the same. Otherwise, the password change fails and the system displays an error message.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record overwrites the earliest one.

·     Login attempt limit

Limiting the number of consecutive failed login attempts can effectively prevent password guessing.

If an FTP or VTY user fails authentication due to a password error, the system adds the user to a password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes action as configured:

¡     Prohibiting the user from logging in until the user is removed from the password control blacklist manually.

¡     Allowing the user to try continuously and removing the user from the password control blacklist when the user logs in to the system successfully or the blacklist entry times out (a blacklist entry times out after 1 minute).

¡     Prohibiting the user from logging in within a configurable period of time, and allowing the user to log in again after the period of time elapses or the user is removed from the password control blacklist.

A password control blacklist can contain up to 1024 entries.

A login attempt using a wrong username always fails, but the username is not added to the password control blacklist.

Users accessing the system through the console or AUX interface are not blacklisted, because the system cannot obtain the IP addresses of these users, and because these users are privileged and therefore considered relatively secure.
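As an added example (not from the H3C documentation), the following Python model reproduces the login attempt limit described above: FTP/VTY users enter the blacklist on a password error, reaching login-times triggers the exceed action (lock, lock-time, or unlock), wrong usernames and console/AUX users are never blacklisted, and the blacklist holds at most 1024 entries. It assumes that entries are keyed by username only (the device also tracks IP addresses), that the default "wait 1 minute" behaviour corresponds to lock-time 1, and it uses constructed sample accounts; the class and method names are the example's own.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ENTRIES = 1024        # blacklist capacity stated in this chapter
ENTRY_TIMEOUT = 60.0      # under the unlock action an entry times out after 1 minute

@dataclass
class Entry:
    added_at: float
    failures: int = 0
    locked_at: Optional[float] = None   # set when the attempt limit is reached

class LoginAttemptControl:
    """Model of password-control login-attempt <login-times> exceed { lock | lock-time | unlock }.
    Entries are keyed by username only (assumption; the device also records the IP address)."""
    def __init__(self, accounts: Dict[str, str], login_times: int = 3,
                 action: str = "lock-time", lock_time_min: int = 1):
        self.accounts = accounts            # constructed sample accounts: name -> password
        self.login_times = login_times      # default: 3 attempts
        self.action = action                # default: lock-time 1 (wait 1 minute)
        self.lock_time = lock_time_min * 60
        self.blacklist: Dict[str, Entry] = {}
        self.log: List[str] = []            # the device logs blacklist additions

    def _blocked(self, name: str, now: float) -> bool:
        e = self.blacklist.get(name)
        if e is None:
            return False
        if self.action == "unlock":
            if now - e.added_at >= ENTRY_TIMEOUT:   # entry timed out: drop it
                del self.blacklist[name]
            return False                             # user may keep trying
        if e.locked_at is None:
            return False
        if self.action == "lock":
            return True                              # until reset password-control blacklist
        if now - e.locked_at >= self.lock_time:      # lock-time has elapsed
            del self.blacklist[name]
            return False
        return True

    def login(self, name: str, password: str, line: str = "vty",
              now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' (bad credentials) or 'locked' (exceed action in force)."""
        now = time.time() if now is None else now
        if name not in self.accounts:
            return "denied"        # wrong username: fails, but is never blacklisted
        if self._blocked(name, now):
            return "locked"
        if self.accounts[name] == password:
            self.blacklist.pop(name, None)   # a successful login clears the entry
            return "ok"
        if line in ("console", "aux"):
            return "denied"        # console/AUX users are not blacklisted
        e = self.blacklist.get(name)
        if e is None:
            if len(self.blacklist) >= MAX_ENTRIES:
                return "denied"    # blacklist full: no new entry can be added
            e = self.blacklist[name] = Entry(added_at=now)
            self.log.append(f"user {name} added to the password control blacklist")
        e.failures += 1
        if e.failures >= self.login_times and e.locked_at is None:
            e.locked_at = now      # limit reached: the configured action applies from here
        return "denied"

    def reset_blacklist(self, name: Optional[str] = None) -> None:
        """reset password-control blacklist { all | user-name name }"""
        if name is None:
            self.blacklist.clear()
        else:
            self.blacklist.pop(name, None)
```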

·     Password composition policy

A password can be a combination of characters from the following four types:

¡     Uppercase letters A to Z.

¡     Lowercase letters a to z.

¡     Digits 0 to 9.

¡     Special characters. For information about special characters, see the password command in Security Command Reference.

Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 1.

Table 1 Password composition policy

Password combination level   Minimum number of character types   Minimum number of characters for each type
Level 1                      One                                 One
Level 2                      Two                                 One
Level 3                      Three                               One
Level 4                      Four                                One

In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.

When a user sets or changes a password, the system checks if the password meets the composition requirement. If not, the system displays an error message.

·     Password complexity checking policy

A less complicated password, such as one containing the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the system refuses the password and displays a password configuration failure message.

You can impose the following password complexity requirements:

¡     A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.

¡     No character appears three or more times consecutively in a password. For example, password a111 is not complex enough.

·     Password display in the form of a string of asterisks (*)

For the sake of security, the password a user enters is displayed in the form of a string of asterisks (*).

·     Authentication timeout management

Authentication timeout management applies only to Telnet and terminal users.

The authentication period is from when the server obtains the username to when the server finishes authenticating the user's password. If a user fails to log in within the configured period of time, the system tears down the connection.

·     Maximum account idle time

You can set the maximum account idle time so that accounts staying idle for this period of time become invalid. For example, if you set the maximum account idle time to 60 days and the user of the account test has not logged in successfully within 60 days after the last successful login, the account becomes invalid and the user is unable to log in again.

·     Logging

The system logs all successful password changing events and the events of adding users to the password control blacklist.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Support for the commands in this chapter depends on the device model. For more information, see About the H3C Access Controllers Command References.

Password control configuration task list

The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:

·     Global settings in system view apply to all local user passwords and super passwords.

·     Settings in user group view apply to the passwords of all local users in the user group.

·     Settings in local user view apply to only the password of the local user.

·     Settings for super passwords apply to only super passwords.

These four types of settings have the following priorities:

·     For local user passwords, the settings with a smaller application scope have a higher priority.

·     For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.
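Added example, not H3C code: a Python checker that applies the priority rule just described (local user view over user group view over system view) and the password composition, password complexity checking, and password history rules from the overview. It assumes that a character type counts toward type-number only if it contributes at least type-length characters, that the username check is case-sensitive, and that the history rule means "at least four positions changed, and the new characters in those positions are not all the same character"; the Policy class and function names are the example's own.

```python
from dataclasses import dataclass, fields
from typing import Iterable, List, Optional

@dataclass
class Policy:
    """Password-control knobs from this chapter; None means 'not set in this view'."""
    length: Optional[int] = None       # password-control length
    type_number: Optional[int] = None  # password-control composition type-number
    type_length: Optional[int] = None  # password-control composition ... type-length
    aging: Optional[int] = None        # password-control aging (days)

def resolve(global_p: Policy, group_p: Policy = Policy(), user_p: Policy = Policy()) -> Policy:
    """Effective policy for a local user: the smaller scope has the higher priority,
    so local user view beats user group view, which beats system view."""
    eff = Policy()
    for f in fields(Policy):
        for view in (user_p, group_p, global_p):
            if getattr(view, f.name) is not None:
                setattr(eff, f.name, getattr(view, f.name))
                break
    return eff

def char_type_counts(pw: str) -> dict:
    """Count characters in each of the four composition types."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for c in pw:
        if c.isupper(): key = "upper"
        elif c.islower(): key = "lower"
        elif c.isdigit(): key = "digit"
        else: key = "special"
        counts[key] += 1
    return counts

def has_repeated_run(pw: str, n: int = 3) -> bool:
    """same-character check: some character appears n or more times consecutively."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False

def differs_enough(new: str, old: str) -> bool:
    """Password-history rule as read here (assumption): compare position by position,
    require at least four changed positions, and the new characters in those
    positions must not all be the same character."""
    width = max(len(new), len(old))
    changed = [a for a, b in zip(new.ljust(width, "\0"), old.ljust(width, "\0")) if a != b]
    return len(changed) >= 4 and len(set(changed)) > 1

def check_password(pw: str, username: str, policy: Policy, history: Iterable[str] = (),
                   complexity: Iterable[str] = ("user-name", "same-character")) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    if policy.length is not None and len(pw) < policy.length:
        errors.append(f"length < {policy.length}")
    need_types, need_len = policy.type_number or 1, policy.type_length or 1
    if sum(1 for n in char_type_counts(pw).values() if n >= need_len) < need_types:
        errors.append(f"composition < {need_types} type(s) of {need_len}+ character(s)")
    if "user-name" in complexity and (username in pw or username[::-1] in pw):
        errors.append("contains the username or its reverse")
    if "same-character" in complexity and has_repeated_run(pw):
        errors.append("a character repeats three or more times consecutively")
    if any(not differs_enough(pw, old) for old in history):
        errors.append("too similar to a password in the history records")
    return errors
```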

To configure password control:

 

Task at a glance

·     (Required.) Enabling password control

·     (Optional.) Setting global password control parameters

·     (Optional.) Setting user group password control parameters

·     (Optional.) Setting local user password control parameters

·     (Optional.) Setting super password control parameters

·     (Optional.) Setting a local user password in interactive mode

Enabling password control

1.     Enable the global password control feature in system view.

Password control configurations take effect only after the password control feature is enabled globally.

2.     Enable password control functions individually.

The following password control functions need to be enabled individually after the password control feature is enabled globally:

¡     Password aging

¡     Minimum password length

¡     Password history

¡     Password composition checking

To enable password control:

 

1.     Enter system view.
       Command: system-view

2.     Enable the global password control feature.
       Command: password-control enable
       Remarks: In non-FIPS mode, the global password control feature is disabled by default. In FIPS mode, it is enabled by default and cannot be disabled.

3.     Enable a specific password control function.
       Command: password-control { aging | composition | history | length } enable
       Remarks: Optional. By default, all four password control functions are enabled.

After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.

Setting global password control parameters

The password-control login-attempt command takes effect immediately and can affect users already in the password control blacklist. Other password control configurations do not take effect on users that have already logged in or passwords that have already been configured.

To set global password control parameters:

 

1.     Enter system view.
       Command: system-view

2.     Set the password aging time.
       Command: password-control aging aging-time
       Remarks: Optional. 90 days by default.

3.     Set the minimum password update interval.
       Command: password-control password update interval interval
       Remarks: Optional. 24 hours by default.

4.     Set the minimum password length.
       Command: password-control length length
       Remarks: Optional. 10 characters by default.

5.     Configure the password composition policy.
       Command: password-control composition type-number type-number [ type-length type-length ]
       Remarks: Optional. By default, in non-FIPS mode a password must contain at least one character type and at least one character of each type; in FIPS mode a password must contain all four character types and at least one character of each type.

6.     Configure the password complexity checking policy.
       Command: password-control complexity { same-character | user-name } check
       Remarks: Optional. By default, the system does not perform password complexity checking.

7.     Set the maximum number of history password records for each user.
       Command: password-control history max-record-num
       Remarks: Optional. 4 by default.

8.     Specify the maximum number of login attempts and the action to take when a user fails to log in after that number of attempts.
       Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
       Remarks: Optional. By default, the maximum number of login attempts is 3, and a user who fails to log in after that many attempts must wait 1 minute before trying again.

9.     Set the number of days during which the user is notified of the pending password expiration.
       Command: password-control alert-before-expire alert-time
       Remarks: Optional. 7 days by default.

10.    Set the maximum number of days and the maximum number of times that a user can log in after the password expires.
       Command: password-control expired-user-login delay delay times times
       Remarks: Optional. By default, a user can log in three times within 30 days after the password expires.

11.    Set the authentication timeout time.
       Command: password-control authentication-timeout authentication-timeout
       Remarks: Optional. 60 seconds by default.

12.    Set the maximum account idle time.
       Command: password-control login idle-time idle-time
       Remarks: Optional. 90 days by default.

Setting user group password control parameters

1.     Enter system view.
       Command: system-view

2.     Create a user group and enter user group view.
       Command: user-group group-name

3.     Configure the password aging time for the user group.
       Command: password-control aging aging-time
       Remarks: Optional. By default, the aging time of the user group is the same as the global password aging time.

4.     Configure the minimum password length for the user group.
       Command: password-control length length
       Remarks: Optional. By default, the minimum password length of the user group is the same as the global minimum password length.

5.     Configure the password composition policy for the user group.
       Command: password-control composition type-number type-number [ type-length type-length ]
       Remarks: Optional. By default, the password composition policy of the user group is the same as the global password composition policy.

Setting local user password control parameters

1.     Enter system view.
       Command: system-view

2.     Create a local user and enter local user view.
       Command: local-user user-name

3.     Configure the password aging time for the local user.
       Command: password-control aging aging-time
       Remarks: Optional. By default, the setting equals that of the user group to which the local user belongs. If no aging time is configured for the user group, the global setting applies to the local user.

4.     Configure the minimum password length for the local user.
       Command: password-control length length
       Remarks: Optional. By default, the setting equals that of the user group to which the local user belongs. If no minimum password length is configured for the user group, the global setting applies to the local user.

5.     Configure the password composition policy for the local user.
       Command: password-control composition type-number type-number [ type-length type-length ]
       Remarks: Optional. By default, the settings equal those of the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.

Setting super password control parameters

CLI commands are grouped into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users have four levels, each corresponding to a command level. A user of a certain level can use only the commands at that level or lower levels.

To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information on super passwords, see Fundamentals Configuration Guide.

To set super password control parameters:

 

1.     Enter system view.
       Command: system-view

2.     Set the password aging time for super passwords.
       Command: password-control super aging aging-time
       Remarks: Optional. By default, the super password aging time is the same as the global password aging time.

3.     Configure the minimum length for super passwords.
       Command: password-control super length length
       Remarks: Optional. By default, the minimum super password length is the same as the global minimum password length.

4.     Configure the password composition policy for super passwords.
       Command: password-control super composition type-number type-number [ type-length type-length ]
       Remarks: Optional. By default, the super password composition policy is the same as the global password composition policy.

Setting a local user password in interactive mode

You can set a password for a local user in interactive mode. When doing so, you need to confirm the password.

To set a password for a local user in interactive mode:

 

1.     Enter system view.
       Command: system-view

2.     Create a local user and enter local user view.
       Command: local-user user-name

3.     Set the password for the local user in interactive mode.
       Command: password

Displaying and maintaining password control

·     Display password control configuration information.
       Command: display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
       Available in any view.

·     Display information about users in the password control blacklist.
       Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
       Available in any view.

·     Delete users from the password control blacklist.
       Command: reset password-control blacklist { all | user-name name }
       Available in user view.

·     Clear history password records.
       Command: reset password-control history-record [ user-name name | super [ level level ] ]
       Available in user view. This command can delete the history password records of one or all users even when the password history function is disabled.

Password control configuration example

Network requirements

Configure a global password control policy to meet the following requirements:

·     An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.

·     A user can log in 5 times within 60 days after the password expires.

·     The password expires after 30 days.

·     The minimum password update interval is 36 hours.

·     An account becomes invalid if it has been idle for 30 days.

·     A password cannot contain the username or the reverse of the username.

·     No character occurs consecutively three or more times in a password.

Configure a super password control policy to meet the following requirements: A super password must contain at least three character types and at least five characters for each type.

Configure a password control policy for the local Telnet user test to meet the following requirements:

·     The password must contain at least 12 characters.

·     The password must contain at least two character types and at least five characters for each type.

·     The password for the local user expires after 20 days.

Configuration procedure

# Enable the password control feature globally.

<AC> system-view

[AC] password-control enable

# Prohibit the user from logging in forever after two successive login failures.

[AC] password-control login-attempt 2 exceed lock

# Globally set all passwords to expire after 30 days.

[AC] password-control aging 30

# Set the minimum password update interval to 36 hours.

[AC] password-control password update interval 36

# Specify that a user can log in 5 times within 60 days after the password expires.

[AC] password-control expired-user-login delay 60 times 5

# Set the maximum account idle time to 30 days.

[AC] password-control login idle-time 30

# Refuse any password that contains the username or the reverse of the username.

[AC] password-control complexity user-name check

# Specify that no character can appear three or more times consecutively in a password.

[AC] password-control complexity same-character check

# Specify that a super password must contain at least three character types and at least five characters for each type.

[AC] password-control super composition type-number 3 type-length 5

# Configure a super password.

[AC] super password level 3 simple 12345ABGFTweuix

# Create a local user named test.

[AC] local-user test

# Set the service type of the user to Telnet.

[AC-luser-test] service-type telnet

# Set the minimum password length to 12 for the local user.

[AC-luser-test] password-control length 12

# Specify that the password of the local user must contain at least two character types and at least five characters for each type.

[AC-luser-test] password-control composition type-number 2 type-length 5

# Set the password for the local user to expire after 20 days.

[AC-luser-test] password-control aging 20

# Configure the password of the local user in interactive mode.

[AC-luser-test] password

Password:***********

Confirm :***********

Updating user(s) information, please wait........

[AC-luser-test] quit

Verifying the configuration

# Display the global password control configuration.

<AC> display password-control

Global password control configurations:

 Password control:                    Enabled

 Password aging:                      Enabled (30 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (1 types,  1 characters per type)

 Password history:                    Enabled (max history record:4)

 Early notice on password expiration: 7 days

 User authentication timeout:         60 seconds

 Maximum failed login attempts:       2 times

 Login attempt-failed action:         Lock

 Minimum password update time:        36 hours

 User account idle-time:              30 days

 Login with aged password:            5 times in 60 day(s)

 Password complexity:                 Enabled (username checking)

                                      Enabled (repeated characters checking)

# Display the password control configuration for super passwords.

<AC> display password-control super

 Super password control configurations:

 Password aging:                      Enabled (30 days)

 Password length:                     Enabled (10 characters)

 Password composition:                Enabled (3 types,  5 characters per type)

# Display the password control configuration for local user test.

<AC> display local-user user-name test

The contents of local user test:

 State:                    Active

 ServiceType:              telnet

 Access-limit:             Disable           Current AccessNum: 0

 User-group:               system

 Bind attributes:

 Authorization attributes:

 Password aging:                       Enabled (20 days)

 Password length:                      Enabled (12 characters)

 Password composition:                 Enabled (2 types,  5 characters per type)

Total 1 local user(s) matched.

 
