Managing the password policy from the command-line interface
You can customize the password policies by setting rules for the passwords that are used by the Access Appliance local users. You can set rules for password complexity, password age, and password lockout. Password complexity specifies the number and type of characters a password must include. Password age defines the duration for which the password is valid. Password lockout specifies the number of failed attempts because of incorrect usage of passwords after which a user is prevented from logging in to the account.
To view the password policy, use the following command:
system password-policy get
To set the password policy, use the following command:
system password-policy set minlen ucredit maxclassrepeat dcredit ocredit minclass lcredit maxrepeatdifok pass_min_days pass_max_days pass_warn_age remember deny unlock_time fail_interval
where
Table:
Parameter | Description |
|---|---|
minlen | Minimum characters. Range is 6 - 100. |
ucredit | Minimum upper case characters. Range is 1 - 100 . |
maxclassrepeat | Maximum repetitive characters of same class. Range is 1 - 100. |
dcredit | Minimum numbers. Range is 1 - 100. |
ocredit | Minimum special characters. Range is 1 - 100. |
minclass | Minimum character classes. Range is 1 - 4. |
lcredit | Minimum lower case characters. Range is 1 - 100. |
maxrepeat | Maximum repetitive characters. Range is 1 - 100. |
difok | Character difference with old password. Range is 1 - 100. |
pass_min_days | Days after which password can be changed. Range is 1 - 100. |
pass_max_days | Days after which password must be changed. Range is 1 - 100. |
pass_warn_age | Days before warning message Range is 1 - 100. |
remember | Minimum different password before allowing reuse. Range is 1 - 100. |
deny | Number of incorrect login attempts before lockout. Range is 1 - 100. From version 8.2, when you enable STIG or set the password policy, the SSH session is terminated each time you enter an incorrect password. You must open a new SSH session to log on. Previously, the SSH session was terminated only after the total number of failed attempts was reached. |
unlock_time | Time before locked account is reenabled(seconds). Range is 1 - 604800. |
fail_interval | Time before login failures before account locked out (seconds). Range is 1 - 3600. |
To display the current password policy:
- Log on to the Access command-line interface by opening an SSH session to the management console IP as an administrator.
- In the Access command-line interface, run the following command:
system password-policy get
access-clus> system password-policy get Password policy setup on the system... Password complexity: =================== Minimum characters: 8 Minimum upper case characters: 1 Maximum repetitive characters of the same class: - Minimum numbers: 1 Minimum special characters: 1 Minimum character classes: - Minimum lower case characters: 1 Maximum repetitive characters: - Character difference with old password: - Password age: ============ Days after which password can be changed: - Days after which password must be changed: - Days before warning message: - Minimum different password before allowing reuse: - Password lockout: ================ Number of incorrect login attempts before lockout: - Time before locked account is reenabled(seconds): - Time before login failures before account locked out(seconds): -
Note:
Initially, the default set rules are displayed.
To set the password policy:
- Log on to the Access command-line interface by opening an SSH session to the management console IP as an administrator.
- In the Access command-line interface, run the following command:
system password-policy set
For example:
access-clus> system password-policy set minlen=8 ucredit=1 maxclassrepeat=4 dcredit=1 ocredit=1 minclass=4 lcredit=1 maxrepeat=2 difok=8 pass_min_days=1 pass_max_days=60 pass_warn_age=7 remember=7 deny=3 unlock_time=300 fail_interval=900 Access Appliance password-policy SUCCESS V-493-10-0 Password policy updated successfully.
The newly set policy can be displayed using the system password-policy get command:
access-clus> system password-policy get Password policy setup on the system... Password complexity: =================== Minimum characters: 8 Minimum upper case characters: 1 Maximum repetitive characters of the same class: 4 Minimum numbers: 1 Minimum special characters: 1 Minimum character classes: 4 Minimum lower case characters: 1 Maximum repetitive characters: 2 Character difference with old password: 8 Password age: ============ Days after which password can be changed: 1 Days after which password must be changed: 60 Days before warning message: 7 Minimum different password before allowing reuse: 7 Password lockout: ================ Number of incorrect login attempts before lockout: 3 Time before locked account is reenabled(seconds): 300 Time before login failures before account locked out(seconds): 900
Note:
If STIG is enabled on the system, you cannot change the custom password-policy rules.
accessclus> system password-rules set maxrepeat=3 maxclassrepeat=vxdefault dcredit=vxdefault minlen=15 ucredit=vxdefault ocredit=vxdefault lcredit=vxdefault difok=vxdefault minclass=5 pass_min_days=vxdefault pass_max_days=vxdefault pass_warn_age=vxdefault deny=3 unlock_time=vxdefault fail_interval=vxdefault remember=vxdefault ACCESS PasswordRules ERROR V-493-10-0 The password rules cannot be set as the cluster is STIG enabled.
Note:
Setting the parameter to vxdefault is equivalent to setting the value to no or None.