Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
To minimize the possibility of an unauthorized user compromising inactive OS user accounts (sftpadmin/rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.
The OS Account Aging affects only the sftpadmin and rss OS users.
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled>
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled>
Use this parameter to configure the account removal period.
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled>
Configuration for defense against brute force OAM password guessing attempts.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds>
Use this configuration to defend against brute force attacks on the Linux OS.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds>
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Password expiration related configuration.
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled>
Session idle timeout related configuration.
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
Use this flag to enable/disable the sftpadmin login. The default value is "true" (enabled).
% set system admin <admin-name> accountManagement sftpadminLoginEnabled <false | true>
The following example uses the Account Management feature to accomplish the following actions:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;
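An added example, not part of the product documentation: a small Python linter that checks `set ... accountManagement` lines against the value ranges given in the command syntax on this page before they are applied. The names `lint`, `RANGES`, `WORDS`, `SAMPLE` and `RESULTS`, the finding strings, and the choice to report a disabled `state`/`OSstate` are assumptions of this example; the sample lines are constructed.

```python
# Ranges copied from the syntax lines on this page: group -> {parameter: (min, max)}.
RANGES = {
    "OSAccountAging": {"OSAccountAgingPeriod": (7, 712)},
    "accountAging": {"accountAgingPeriod": (30, 180)},
    "accountRemoval": {"accountRemovalPeriod": (60, 360)},
    "bruteForceAttack": {"consecutiveFailedAttemptAllowed": (1, 10), "unlockTime": (30, 3600)},
    "bruteForceAttackOS": {"consecutiveFailedOSAttemptAllowed": (1, 10), "unlockOSTime": (30, 5400)},
    "maxSessions": {"maxSessions": (1, 5)},
    "passwordAging": {"passwordAgingPeriod": (1, 365), "passwordMinimumAge": (1, 365),
                      "passwordExpiryWarningPeriod": (3, 14)},
    "sessionIdleTimeout": {"idleTimeout": (1, 120)},
}
ED = ("disabled", "enabled")
# Parameters that take a fixed word rather than a number.
WORDS = {"state": ED, "OSstate": ED, "allowAutoUnlock": ED,
         "allowOSAutoUnlock": ED, "sftpadminLoginEnabled": ("false", "true")}

def lint(line):
    """Return findings for one 'set system admin <name> accountManagement ...' line."""
    tokens = line.strip().lstrip("%").split()
    if "accountManagement" not in tokens[:-1]:
        return ["not an accountManagement command"]
    group, *args = tokens[tokens.index("accountManagement") + 1:]
    if len(args) == 1:  # maxSessions and sftpadminLoginEnabled take a bare value
        args = [group, args[0]]
    if len(args) % 2:
        return [f"{group}: parameter without a value"]
    findings = []
    for key, value in zip(args[::2], args[1::2]):
        if key in WORDS:
            if value not in WORDS[key]:
                findings.append(f"{group}: {key} must be one of {WORDS[key]}")
            elif key in ("state", "OSstate") and value == "disabled":
                findings.append(f"{group}: {key} is disabled")  # example's own policy
        elif key in RANGES.get(group, {}):
            lo, hi = RANGES[group][key]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{group}: {key}={value} outside {lo}-{hi}")
        else:
            findings.append(f"{group}: unknown parameter {key}")
    return findings

# Constructed sample lines; the first is the example command from this page.
SAMPLE = [
    "% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300",
    "% set system admin MYSBC accountManagement bruteForceAttackOS OSstate disabled unlockOSTime 6000",
    "% set system admin MYSBC accountManagement maxSessions 9",
]
RESULTS = [lint(line) for line in SAMPLE]
```

Because ranges are keyed by group, a parameter placed under the wrong group (for example `unlockTime` under `bruteForceAttackOS`) is reported as unknown rather than silently accepted.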