Panel | ||||
---|---|---|---|---|
In this section:
|
Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
To minimize the possibility of an unauthorized user compromising inactive OS user accounts (root/linuxadmin/sftpadmin/rss)account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod
) before the account is automatically disabled.
Info | ||
---|---|---|
| ||
These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres. |
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled> |
Caption | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
|
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled> |
Caption | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|
Use this parameter to configure the account removal period.
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled> |
Caption | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Configuration for defense against brute force OAM password guessing attempts.
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds> |
Caption | |||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||
enabled
enabled
|
Use this configuration to defend against brute force attacks to Linux OS.
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds> |
Caption | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||
disabled
disabled
|
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5> |
Caption | ||||||
---|---|---|---|---|---|---|
| ||||||
|
Password expiration related configuration.
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled> |
Caption | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
|
Session idle timeout related configuration.
Code Block | ||
---|---|---|
| ||
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled> |
Caption | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
The SFTP Admin account has been removed.
Info | ||
---|---|---|
| ||
If only keys (no password) |
are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then enable it and use the generated password to invoke the EMA. There is no need to enable passwordLoginSupport if the EMA is accessed via the EMS. |
Info |
---|
As sftpadmin is removed, the EMS uses an alternate CLI account in its Administrator group (like admin) for the SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in the current EMS documentation. |
The following This example uses the Account Management feature to accomplish the following actions:
Spacevars | ||
---|---|---|
|
Code Block | ||
---|---|---|
| ||
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300 % show system admin MYSBC accountManagement bruteForceAttack state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300; |
Pagebreak |
---|