Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel

In this section:

Table of Contents
maxLevel2


Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.

OS Account Aging

To minimize the possibility of an unauthorized user compromising inactive OS user account (rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.

Info
titleNote

The OS Account Aging affects only the rss OS user.

Command Syntax

Code Block
titleOS Account Aging
% set system admin <SYSTEM NAME> accountManagement OSAccountAging
	OSAccountAgingPeriod <7-712 days>
	state <disabled | enabled>

Command Parameters

Caption
0Table
1OS Account Aging Parameters
3OS Account Aging Parameters


Parameter

Length/Range

Description

OSAccountAgingPeriod7-712 days<period> (default = 30) – The number of days of inactivity before the OS user is disabled.
stateN/A

Enable this flag to apply the account aging period to OS users.

  • disabled
  • enabled (default)


Account Aging

Command Syntax

Code Block
titleAccount Aging
% set system admin <SYSTEM NAME> accountManagement accountAging
	accountAgingPeriod <30-180 days>
	state <disabled | enabled>

Command Parameters

Caption
0Table
1Account Aging Parameters
3Account Aging Parameters


Parameter

Length/Range

Description

accountAgingPeriod30-180 days

<period> (default = 30) – Use this parameter to specify the number of days to elapse, after which the account is locked if left unused for accounts other than OS management users.

state N/A

Set flag to "enabled" to enable account aging system-wide.

  • disabled
  • enabled (default)


Account Removal

Use this parameter to configure the account removal period.

Command Syntax

Code Block
titleAccount Removal
% set system admin <SYSTEM NAME> accountManagement accountRemoval
	accountRemovalPeriod <60-360 days>
	state <disabled | enabled>

Command Parameters

Caption
0Table
1Brute Force Attack Parameters
3Brute Force Attack Parameters


Parameter

Length/Range

Description

accountRemovalPeriod60-360 days<period> – The number of days to elapse for an unused user account before it is automatically (default = 270 days).
stateN/A

Administrative state of this feature.

  • disabled (default)
  • enabled

NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user.


Brute Force Attack

Configuration for defense against brute force OAM password guessing attempts.

Command Syntax

Code Block
titleBrute Force Attack
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack
	allowAutoUnlock <disabled | enabled>
	consecutiveFailedAttemptAllowed <1-10>
	state <disabled | enabled>
	unlockTime <30-3600 seconds>

Command Parameters

Caption
0Table
1Brute Force Attack Parameters
3Brute Force Attack Parameters


Parameter

Length/Range

Description

allowAutoUnlockN/A

Enable Auto Unlock of an account blocked due to consecutive wrong password attempts.

  • disabled
  • enabled (default)
consecutiveFailedAttemptAllowed1-10

<number of attempts> (default = 3) – Number of consecutive failed login attempts allowed before account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on 

Spacevars
0product
platform.

stateN/A

Enable/disable defense against brute force OAM password guessing attempts.

  • disabled 
  • enabled (default)
unlockTime30-3600 seconds

<unlock time> (default = 30) – If allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks.

NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.


Brute Force Attack OS

Use this configuration to defend against brute force attacks to Linux OS.

Command Syntax

Code Block
titleBrute Force Attack OS
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS
	OSstate <disabled | enabled>
	allowOSAutoUnlock <disabled | enabled>
	consecutiveFailedOSAttemptAllowed <1-10>
	unlockOSTime <30-5400 seconds>

Command Parameters

Caption
0Table
1Brute Force Attack Parameters
3Brute Force Attack Parameters


Parameter

Length/Range

Description

OSstateN/A

Enable this flag to defend the Linux OS against brute force attacks.

  • disabled
  • enabled (default)
allowOSAutoUnlockN/A

Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by unlockOSTime parameter.

  • disabled
  • enabled (default)
consecutiveFailedOSAttemptAllowed1-10

<Number of failed attempts> (default = 3) – Number of consecutive failed login attempts allowed before account is locked.

unlockOSTime30-5400 seconds

< time interval> (default = 30 seconds) – Time interval after which the disabled Linux OS account will automatically unlock.


Max Sessions

Command Syntax

Code Block
titleMax Sessions
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>

Command Parameters

Caption
0Table
1Max Sessions Parameters
3Max Sessions Parameters


Parameter

Length/Range

Description

maxSessions1-5

Maximum number of simultaneous sessions allowed per user (default = 2).


Password Aging

Password expiration related configuration.

Command Syntax

Code Block
titlePassword Aging
% set system admin <SYSTEM NAME> accountManagement passwordAging
	OSstate <disabled | enabled>
	passwordAgingPeriod <1-365 days>
	passwordExpiryWarningPeriod <3-14 days>
	passwordMinimumAge <1-365 days> 
	state <disabled | enabled>

Command Parameters

Caption
0Table
1Password Aging Parameters
3Password Aging Parameters


Parameter

Length/Range

Description

OSstateN/A

Enable/disable password aging for OS users.

  • disabled
  • enabled (default)
passwordAgingPeriod1-365 days

<number of days> (default = 90)– The number of days to elapse, after which a password expires.

passwordExpiryWarningPeriod3-14 days

<number of days> (default = 12) – The number of days prior to the password expiry date on which the user receives a warning to change the password.

passwordMinimumAge1-365 days<number of days> (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user.
stateN/A

Use this flag to enable/disable passwordAging feature.

  • disabled
  • enabled (default)


Session Idle Timeout

Session idle timeout related configuration.

Command Syntax

Code Block
titleSession Idle Timeout
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout
	idleTimeout <1-120>
	state <disabled | enabled>


Command Parameters

Caption
0Table
1Session Idle Timeout
3Session Idle Timeout


Parameter

Length/Range

Description

idleTimeout1-120 minutes

<number of minutes> (default = 10) – The amount of idle time, in minutes, to elapse before ending a session due to inactivity.

stateN/A

To use this feature, set this flag to "enabled".

  • disabled
  • enabled (default)


SFTP Admin Removed

The SFTP Admin account has been removed.

Related EMA Note

Info
titleNote Regarding EMA

 If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then this can be enabled and the generated password can be used to invoke EMA. Enabling  passwordLoginSupport is not needed in case EMA is accessed via EMS.

Related EMS Note

Info

Since sftpadmin is removed, the EMS will use an alternate CLI account in its Administrator group (like admin) for SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in current EMS documentation.

 

 


Command Example

The following example uses the Account Management feature to accomplish the following actions:

  • Allows a locked account to unlock after five minutes
  • Enables 
    Spacevars
    0product
     to defend against brute force attacks
  • Sets the number of consecutive failed attempts to "3"
Code Block
languagenone
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300

% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;


Pagebreak