In this section:
Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
To minimize the possibility of an unauthorized user compromising inactive OS user account (rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod
) before the account is automatically disabled.
The OS Account Aging affects only the rss OS user.
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled>
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled>
Use this parameter to configure the account removal period.
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled>
Configuration for defense against brute force OAM password guessing attempts.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds>
Use this configuration to defend against brute force attacks to Linux OS.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds>
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Password expiration related configuration.
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled>
Session idle timeout related configuration.
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
The SFTP Admin account has been removed.
If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then this can be enabled and the generated password can be used to invoke EMA. Enabling passwordLoginSupport is not needed in case EMA is accessed via EMS.
Since sftpadmin is removed, the EMS will use an alternate CLI account in its Administrator group (like admin) for SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in current EMS documentation.
The following example uses the Account Management feature to accomplish the following actions:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300 % show system admin MYSBC accountManagement bruteForceAttack state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300;