Use this object to configure and manage account- and password-related settings: account aging and removal, concurrent-login and session limits, brute force lockout for the CLI and the Linux OS, password aging, and session idle timeout. For password rules configuration, refer to Password Rules - CLI.

Command Syntax

The Account Management syntax is provided below:

% set system admin <SYSTEM NAME> accountManagement
    OSAccountAging
        OSAccountAgingPeriod <7-712>
        state <disabled | enabled>
    accountAging
        accountAgingPeriod <30-180>
        state <disabled | enabled>
    accountRemoval
        accountRemovalPeriod <60-360>
        state <disabled | enabled>
    allowMultipleLogins <disabled | enabled>
    bruteForceAttack
        allowAutoUnlock <disabled | enabled>
        consecutiveFailedAttemptAllowed <1-10>
        state <disabled | enabled>
        unlockTime <30-3600 seconds>
    bruteForceAttackOS
        OSstate <disabled | enabled>
        allowOSAutoUnlock <disabled | enabled>
        consecutiveFailedOSAttemptAllowed <1-10>
        unlockOSTime <30-5400 seconds>
    maxSessions <1-5>
    passwordAging
        OSstate <disabled | enabled>
        passwordAgingPeriod <1-365 days>
        passwordExpiryWarningPeriod <3-14 days>
        passwordMinimumAge <1-365 days>
        state <disabled | enabled>
    sessionIdleTimeout
        idleTimeout <1-120 minutes>
        state <disabled | enabled>

Command Parameters

Parameter

Length/Range

Description

OSAccountAging

N/A

To minimize the possibility of an unauthorized user compromising an inactive OS user account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) after which the account is automatically disabled.

Note

The following users are exempt from OS account aging: root, linuxadmin, cnxipmadmin and postgres.

Use this parameter to configure and enable the account aging period for OS management users.

  • OSAccountAgingPeriod  – The number of days of inactivity before the OS user is disabled.
    (Range: 7-712 | Default = 30)
  • state – Enable this flag to use OS account aging system-wide. 
    • disabled
    • enabled (default)
accountAging

N/A

Use this parameter to configure and enable account aging for users other than OS management users: the number of days an account may remain unused before it is locked.

  • accountAgingPeriod – The number of days of inactivity before the user is disabled.
    (Range: 30-180 | Default = 30)
  • state – Enable this flag to use account aging system-wide.
    • disabled
    • enabled (default)
accountRemoval

N/A

Use this parameter to configure the account removal period.

  • accountRemovalPeriod – The number of days an account may remain unused before it is automatically removed.
    (Range: 60-360 | Default = 270 days)
  • state – The administrative state of this feature.
    • disabled (default)
    • enabled

NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user.

allowMultipleLogins

N/A

Configure the system to allow multiple concurrent logins (enabled), or to terminate the previous logins (disabled) when a new login to the SBC occurs.

  • disabled (default)
  • enabled

For additional information, refer to "Managing the Number of Sessions" in Managing SBC Core Users and Accounts.

Modified in release 12.1.1.

bruteForceAttack

N/A

Configuration for defense against brute force OAM password guessing attempts.

  • allowAutoUnlock – Enable Auto Unlock of an account blocked due to consecutive wrong password attempts.
    • disabled
    • enabled (default)
  • consecutiveFailedAttemptAllowed – Enter the number of consecutive failed login attempts to allow before accounts are locked. As a safety measure, the system will not lock out the last/only active Administrator user on the SBC platform.
    (Range: 1-10 | Default = 3) 
  • state – Enable/disable defense against brute force OAM password guessing attempts.
    • disabled
    • enabled (default)
  • unlockTime – If the allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks. (Range: 30-3600 seconds | Default = 30)

    NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.

bruteForceAttackOS

N/A

Use this feature to defend against brute force attacks to the Linux OS.

  • OSstate – Enable this flag to defend the Linux OS against brute force attacks.
    • disabled 
    • enabled (default)
  • allowOSAutoUnlock – Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by unlockOSTime parameter. 
    • disabled
    • enabled (default)
  • consecutiveFailedOSAttemptAllowed – Specify the number of consecutive failed login attempts allowed before the account is locked.
    (Range: 1-10 | Default = 3)
  • unlockOSTime – Enter the time interval, in seconds, after which the locked Linux OS account automatically unlocks. This applies only when allowOSAutoUnlock is enabled.
    (Range: 30-5400 | Default = 30)
maxSessions

1-5

Enter the maximum number of simultaneous sessions allowed for users.
(Range: 1-5 | Default = 2)

passwordAging

N/A

Use this feature to configure system-wide password aging.

  • OSstate – Enable/disable password aging for OS users.
    • disabled
    • enabled (default)
  • passwordAgingPeriod – The number of days after which a password expires.
    (Range: 1-365 | Default = 90)
  • passwordExpiryWarningPeriod – The number of days before the password expiry date on which the user receives a warning to change the password.
    (Range: 3-14 days | Default = 12)
  • passwordMinimumAge – The number of days that must elapse before a non-Administrator user can change the password again.
    (Range: 1-365 days | Default = 1)
  • state – Use this flag to enable/disable the passwordAging feature. 
    • disabled
    • enabled (default)

sessionIdleTimeout 

N/A

Use this parameter to specify the number of minutes to pass before an idle session times out.

  • idleTimeout – The amount of idle time, in minutes, to elapse before ending a session due to inactivity.
    (Range: 1-120 | Default = 10)
  • state – To use Session Idle Timeout, set this flag to "enabled". 
    • disabled
    • enabled (default)


Command Example

The following example uses the Account Management feature to:

  • Allow a locked account to unlock after five minutes
  • Enable SBC to defend against brute force attacks
  • Set the number of consecutive failed attempts to "3"
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300

% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;
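The following script is an added example, not Ribbon's code and not part of this reference. It parses the 'key value;' text that show prints (as in the bruteForceAttack display above) together with the nested 'name { ... }' layout printed for the whole accountManagement object, and audits the result against a hardening baseline. Both configuration dumps in the script are constructed samples whose layout is assumed, and the thresholds in POLICY (for example unlockTime of at least 300 seconds when allowAutoUnlock is enabled, idleTimeout of at most 15 minutes) are assumptions for a reasonable baseline, not product defaults.

```python
"""Audit an SBC accountManagement dump against an assumed hardening baseline.

Added example, not Ribbon's code. Both dumps below are constructed samples in
the 'name { ... }' / 'key value;' layout the CLI prints; POLICY is an assumed baseline."""
from functools import reduce

WEAK_DUMP = """\
accountManagement {
    allowMultipleLogins enabled;
    bruteForceAttack {
        state enabled;
        consecutiveFailedAttemptAllowed 10;
        allowAutoUnlock enabled;
        unlockTime 30;
    }
    passwordAging {
        state disabled;
        passwordAgingPeriod 365;
    }
    sessionIdleTimeout {
        state enabled;
        idleTimeout 120;
    }
}
"""

HARDENED_DUMP = """\
accountManagement {
    allowMultipleLogins disabled;
    bruteForceAttack {
        state enabled;
        consecutiveFailedAttemptAllowed 3;
        allowAutoUnlock enabled;
        unlockTime 300;
    }
    passwordAging {
        state enabled;
        passwordAgingPeriod 90;
    }
    sessionIdleTimeout {
        state enabled;
        idleTimeout 10;
    }
}
"""

# Assumed baseline: (leaf path, predicate the value must satisfy, finding text).
POLICY = [
    (("allowMultipleLogins",), lambda v: v == "disabled", "allowMultipleLogins should be disabled"),
    (("bruteForceAttack", "state"), lambda v: v == "enabled", "bruteForceAttack must be enabled"),
    (("bruteForceAttack", "consecutiveFailedAttemptAllowed"), lambda v: int(v) <= 5, "consecutiveFailedAttemptAllowed should be 5 or fewer"),
    (("passwordAging", "state"), lambda v: v == "enabled", "passwordAging must be enabled"),
    (("passwordAging", "passwordAgingPeriod"), lambda v: int(v) <= 90, "passwordAgingPeriod should be 90 days or fewer"),
    (("sessionIdleTimeout", "state"), lambda v: v == "enabled", "sessionIdleTimeout must be enabled"),
    (("sessionIdleTimeout", "idleTimeout"), lambda v: int(v) <= 15, "idleTimeout should be 15 minutes or fewer"),
]


def parse_dump(text):
    """Parse 'name { ... }' blocks and 'key value;' leaves (flat or nested) into dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip()
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return stack[0].get("accountManagement", stack[0])  # unwrap the container


def lookup(cfg, path):
    """Value at path inside the parsed dump, or None if a component is missing."""
    return reduce(lambda node, key: node.get(key) if isinstance(node, dict) else None, path, cfg)


def audit(cfg):
    """Return the findings for a parsed dump; an empty list means it passes."""
    findings = []
    for path, ok, text in POLICY:
        value = lookup(cfg, path)
        if value is None:
            findings.append("%s is not present in the dump" % ".".join(path))
        elif not ok(value):
            findings.append("%s (currently %s)" % (text, value))
    # With auto-unlock on, a 30 s unlockTime reduces the lockout to a mild rate limit.
    if (lookup(cfg, ("bruteForceAttack", "allowAutoUnlock")) == "enabled"
            and int(lookup(cfg, ("bruteForceAttack", "unlockTime")) or 0) < 300):
        findings.append("unlockTime should be at least 300 s when allowAutoUnlock is enabled")
    return findings
```

Save the output of show system admin <SYSTEM NAME> accountManagement to a file and call audit(parse_dump(open(path).read())); the weak sample produces one finding per baseline violation, the hardened sample produces none. The flat output of a single sub-object, such as the bruteForceAttack display above, parses with the same function.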


Notes


SFTP Admin Account Removed

The sftpadmin account was removed in release 7.1 for user account security purposes.


Note Regarding EMA

If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required, then enable passwordLoginSupport and use the generated password to invoke the EMA. You are not required to enable passwordLoginSupport if the EMA is accessed via RAMP.


Note Regarding RAMP

With the removal of sftpadmin, the RAMP uses an alternate CLI account in its Administrator group (e.g., admin) for SBC registration. This does not impact SBC cloud networks because RAMP uses emssftp by default. Refer to the Security Best Practices sections in the current RAMP documentation.