In this section:
Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
OS Account Aging
To minimize the possibility of an unauthorized user compromising inactive OS user account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod
) before the account is automatically disabled.
These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled>
Command Parameters
Account Aging
Command Syntax
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled>
Command Parameters
Account Removal
Use this parameter to configure the account removal period.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled>
Command Parameters
Brute Force Attack
Configuration for defense against brute force OAM password guessing attempts.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds>
Command Parameters
Brute Force Attack OS
Use this configuration to defend against brute force attacks to Linux OS.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds>
Command Parameters
Max Sessions
Command Syntax
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Command Parameters
Password Aging
Password expiration related configuration.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled>
Command Parameters
Session Idle Timeout
Session idle timeout related configuration.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
Command Parameters
SFTP Admin Removed
The SFTP Admin account has been removed.
Related EMA Note
If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then enable it and use the generated password to invoke the EMA. There is no need to enable passwordLoginSupport if the EMA is accessed via the EMS.
Related EMS Note
As sftpadmin is removed, the EMS uses an alternate CLI account in its Administrator group (like admin) for the SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in the current EMS documentation.
Command Example
The following example uses the Account Management feature to accomplish the following actions:
- Allows a locked account to unlock after five minutes
- Enables SBC to defend against brute force attacks
- Sets the number of consecutive failed attempts to "3"
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300 % show system admin MYSBC accountManagement bruteForceAttack state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300;