In this section:
Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
To minimize the possibility of an unauthorized user compromising inactive OS user account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod
) before the account is automatically disabled.
These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres.
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled>
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled>
Use this parameter to configure the account removal period.
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled>
Configuration for defense against brute force OAM password guessing attempts.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds>
Use this configuration to defend against brute force attacks to Linux OS.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds>
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Password expiration related configuration.
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled>
Session idle timeout related configuration.
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
The SFTP Admin account has been removed.
If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then enable it and use the generated password to invoke the EMA. There is no need to enable passwordLoginSupport if the EMA is accessed via the EMS.
As sftpadmin is removed, the EMS uses an alternate CLI account in its Administrator group (like admin) for the SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in the current EMS documentation.
This example uses the Account Management feature to accomplish the following actions:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300 % show system admin MYSBC accountManagement bruteForceAttack state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300;