Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.

OS Account Aging

To minimize the possibility of an unauthorized user compromising an inactive OS user account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) after which the account is automatically disabled.

Note

These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres.

Command Syntax

OS Account Aging
% set system admin <SYSTEM NAME> accountManagement OSAccountAging
	OSAccountAgingPeriod <7-712 days>
	state <disabled | enabled>

Command Parameters

OS Account Aging Parameters

Parameter: OSAccountAgingPeriod
Length/Range: 7-712 days
Description: <period> (default = 30) – The number of days of inactivity before the OS user is disabled.

Parameter: state
Length/Range: N/A
Description: Enable this flag to apply the account aging period to OS users.
  • disabled
  • enabled (default)

Account Aging

Command Syntax

Account Aging
% set system admin <SYSTEM NAME> accountManagement accountAging
	accountAgingPeriod <30-180 days>
	state <disabled | enabled>

Command Parameters

Account Aging Parameters

Parameter: accountAgingPeriod
Length/Range: 30-180 days
Description: <period> (default = 30) – The number of days an account (other than an OS management user account) may remain unused before it is locked.

Parameter: state
Length/Range: N/A
Description: Set this flag to "enabled" to enable account aging system-wide.
  • disabled
  • enabled (default)

Account Removal

Use this parameter to configure the account removal period.

Command Syntax

Account Removal
% set system admin <SYSTEM NAME> accountManagement accountRemoval
	accountRemovalPeriod <60-360 days>
	state <disabled | enabled>

Command Parameters

Account Removal Parameters

Parameter: accountRemovalPeriod
Length/Range: 60-360 days
Description: <period> (default = 270 days) – The number of days a user account may remain unused before it is automatically removed.

Parameter: state
Length/Range: N/A
Description: Administrative state of this feature.
  • disabled (default)
  • enabled

NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user.

Brute Force Attack

Configuration for defense against brute force OAM password guessing attempts.

Command Syntax

Brute Force Attack
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack
	allowAutoUnlock <disabled | enabled>
	consecutiveFailedAttemptAllowed <1-10>
	state <disabled | enabled>
	unlockTime <30-3600 seconds>

Command Parameters

Brute Force Attack Parameters

Parameter: allowAutoUnlock
Length/Range: N/A
Description: Enable automatic unlocking of an account that was locked after consecutive wrong password attempts.
  • disabled
  • enabled (default)

Parameter: consecutiveFailedAttemptAllowed
Length/Range: 1-10
Description: <number of attempts> (default = 3) – The number of consecutive failed login attempts allowed before the account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on the SBC platform.

Parameter: state
Length/Range: N/A
Description: Enable/disable the defense against brute force OAM password guessing attempts.
  • disabled
  • enabled (default)

Parameter: unlockTime
Length/Range: 30-3600 seconds
Description: <unlock time> (default = 30) – If the allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks.

NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.

Brute Force Attack OS

Use this configuration to defend the Linux OS against brute force login attacks.

Command Syntax

Brute Force Attack OS
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS
	OSstate <disabled | enabled>
	allowOSAutoUnlock <disabled | enabled>
	consecutiveFailedOSAttemptAllowed <1-10>
	unlockOSTime <30-5400 seconds>

Command Parameters

Brute Force Attack OS Parameters

Parameter: OSstate
Length/Range: N/A
Description: Enable this flag to defend the Linux OS against brute force attacks.
  • disabled
  • enabled (default)

Parameter: allowOSAutoUnlock
Length/Range: N/A
Description: Enable this flag to automatically unlock a locked Linux OS account after the number of seconds set by the unlockOSTime parameter.
  • disabled
  • enabled (default)

Parameter: consecutiveFailedOSAttemptAllowed
Length/Range: 1-10
Description: <number of failed attempts> (default = 3) – The number of consecutive failed login attempts allowed before the account is locked.

Parameter: unlockOSTime
Length/Range: 30-5400 seconds
Description: <time interval> (default = 30 seconds) – The time interval after which the locked Linux OS account automatically unlocks.

Max Sessions

Command Syntax

Max Sessions
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>

Command Parameters

Max Sessions Parameters

Parameter: maxSessions
Length/Range: 1-5
Description: Maximum number of simultaneous sessions allowed per user (default = 2).

Password Aging

Password expiration related configuration.

Command Syntax

Password Aging
% set system admin <SYSTEM NAME> accountManagement passwordAging
	OSstate <disabled | enabled>
	passwordAgingPeriod <1-365 days>
	passwordExpiryWarningPeriod <3-14 days>
	passwordMinimumAge <1-365 days> 
	state <disabled | enabled>

Command Parameters

Password Aging Parameters

Parameter: OSstate
Length/Range: N/A
Description: Enable/disable password aging for OS users.
  • disabled
  • enabled (default)

Parameter: passwordAgingPeriod
Length/Range: 1-365 days
Description: <number of days> (default = 90) – The number of days after which a password expires.

Parameter: passwordExpiryWarningPeriod
Length/Range: 3-14 days
Description: <number of days> (default = 12) – The number of days before the password expiry date from which the user receives a warning to change the password.

Parameter: passwordMinimumAge
Length/Range: 1-365 days
Description: <number of days> (default = 1) – The number of days that must elapse before a non-Administrator user can change a password again.

Parameter: state
Length/Range: N/A
Description: Use this flag to enable/disable the passwordAging feature.
  • disabled
  • enabled (default)

Session Idle Timeout

Session idle timeout related configuration.

Command Syntax

Session Idle Timeout
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout
	idleTimeout <1-120>
	state <disabled | enabled>

Command Parameters

Session Idle Timeout Parameters

Parameter: idleTimeout
Length/Range: 1-120 minutes
Description: <number of minutes> (default = 10) – The amount of idle time, in minutes, to elapse before a session is ended due to inactivity.

Parameter: state
Length/Range: N/A
Description: To use this feature, set this flag to "enabled".
  • disabled
  • enabled (default)

SFTP Admin (Removed)

The sftpadmin account was removed in release 7.1 for user account security purposes.

Related EMA Note

Note Regarding EMA

If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required, then enable passwordLoginSupport and use the generated password to invoke the EMA. You are not required to enable passwordLoginSupport if the EMA is accessed via RAMP.

Related RAMP Note

With the removal of sftpadmin, the RAMP uses an alternate CLI account in its Administrator group (e.g., admin) for SBC registration. This does not impact SBC cloud networks because RAMP uses emssftp by default. Refer to the Security Best Practices sections in the current RAMP documentation.

Command Example

The following example uses the Account Management feature to accomplish the following actions:

  • Allows a locked account to unlock after five minutes
  • Enables SBC to defend against brute force attacks
  • Sets the number of consecutive failed attempts to "3"

% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300

% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;
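The following is an added example, not code from the product or this documentation, covering the Brute Force Attack section and the Command Example above. It parses the `name value;` lines that `show ... accountManagement bruteForceAttack` prints, audits the parsed values against the documented ranges and defaults, and builds the command sequence for changing consecutiveFailedAttemptAllowed in the order the NOTE requires (state disabled first). The sample `show` output is constructed; the hardening thresholds BASELINE_MAX_ATTEMPTS and BASELINE_MIN_UNLOCK_SECONDS are assumptions chosen for illustration, not product recommendations.

```python
"""Audit helper for the bruteForceAttack object of the SBC accountManagement CLI.

Added example; not part of the product or its documentation. It assumes the
`show` output keeps the `name value;` line format seen in the Command Example.
"""
import re

# Documented ranges and defaults from the Brute Force Attack parameter table.
BRUTE_FORCE_SPEC = {
    "state": {"values": {"disabled", "enabled"}, "default": "enabled"},
    "allowAutoUnlock": {"values": {"disabled", "enabled"}, "default": "enabled"},
    "consecutiveFailedAttemptAllowed": {"range": (1, 10), "default": 3},
    "unlockTime": {"range": (30, 3600), "default": 30},
}

# Assumed hardening baseline (illustration only, not from the documentation).
BASELINE_MAX_ATTEMPTS = 5
BASELINE_MIN_UNLOCK_SECONDS = 300

# One `name value;` line; prompts and command echoes ("% show ...") do not match.
LINE_RE = re.compile(r"^\s*(\w+)\s+(\S+?)\s*;\s*$")

# Constructed sample, mirroring the values set in the Command Example above.
SAMPLE_SHOW_OUTPUT = """\
% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;
"""


def parse_show_output(text):
    """Parse `show` output into a dict; purely numeric values become int."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        cfg[key] = int(value) if value.isdigit() else value
    return cfg


def audit_brute_force(cfg):
    """Return (severity, message) findings for one parsed bruteForceAttack object.

    Keys missing from cfg are evaluated at their documented default.
    """
    findings = []
    effective = {k: cfg.get(k, spec["default"]) for k, spec in BRUTE_FORCE_SPEC.items()}
    for key, spec in BRUTE_FORCE_SPEC.items():
        val = effective[key]
        if "range" in spec:
            lo, hi = spec["range"]
            if not isinstance(val, int) or not lo <= val <= hi:
                findings.append(("error", f"{key}={val!r} outside documented range {lo}-{hi}"))
        elif val not in spec["values"]:
            findings.append(("error", f"{key}={val!r} is not one of {sorted(spec['values'])}"))
    attempts, unlock = effective["consecutiveFailedAttemptAllowed"], effective["unlockTime"]
    if effective["state"] != "enabled":
        findings.append(("high", "state is disabled: OAM password guessing is not throttled"))
    if isinstance(attempts, int) and attempts > BASELINE_MAX_ATTEMPTS:
        findings.append(("medium", f"consecutiveFailedAttemptAllowed={attempts} exceeds baseline {BASELINE_MAX_ATTEMPTS}"))
    if effective["allowAutoUnlock"] == "enabled" and isinstance(unlock, int) and unlock < BASELINE_MIN_UNLOCK_SECONDS:
        findings.append(("low", f"unlockTime={unlock}s is below baseline {BASELINE_MIN_UNLOCK_SECONDS}s"))
    return findings


def attempts_change_commands(system_name, current_state, new_attempts):
    """Build the CLI commands that change consecutiveFailedAttemptAllowed.

    Per the documentation NOTE, state must be 'disabled' before the value can
    change, so an enabled feature is disabled first and re-enabled afterwards.
    """
    lo, hi = BRUTE_FORCE_SPEC["consecutiveFailedAttemptAllowed"]["range"]
    if not lo <= new_attempts <= hi:
        raise ValueError(f"consecutiveFailedAttemptAllowed must be {lo}-{hi}, got {new_attempts}")
    base = f"set system admin {system_name} accountManagement bruteForceAttack"
    cmds = []
    if current_state == "enabled":
        cmds.append(f"{base} state disabled")
    cmds.append(f"{base} consecutiveFailedAttemptAllowed {new_attempts}")
    if current_state == "enabled":
        cmds.append(f"{base} state enabled")
    return cmds


if __name__ == "__main__":
    cfg = parse_show_output(SAMPLE_SHOW_OUTPUT)
    for severity, message in audit_brute_force(cfg) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
    for cmd in attempts_change_commands("MYSBC", cfg.get("state", "enabled"), 4):
        print("% " + cmd)
```

Running the block on the sample output reports no findings, because the example's values are within the documented ranges and meet the assumed baseline; feeding it the output of a system with state disabled or a high attempt count produces graded findings, and the command builder can be used to script a change without tripping the state-must-be-disabled rule.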