User Security and Security Policy Management
Upon installation, user passwords are restricted as follows:
- Minimum number of days between password change : 1
- Maximum number of days between password change : 60
- Number of days of warning before password expires : 14
Other user password and account security settings and policy details can be configured. In particular, commands are available to manage:
- password length
- automatic account locking after inactivity
- number of days between password change
The following commands are available to show the current minimum password length and to set it:
- user password length
- user password length <min_length>
The value of <min_length> can be set from 8 to 127 characters. By default, it is 8 characters.
For other password rules, refer to Password Strength Rules.
The setting also applies to backup passphrases.
By default, any account that is created has the inactive lock set to 35 days.
To set the number of days after which a user password expires:
user password expiry <username> [60-365,never]
Valid values for days are from 60 to 365. If never is typed in, the password does not expire, and when typing user passwordinfo <username>, the Maximum number of days between password change value shows as -1.
The password re-use frequency is 6, which means that the last 6 passwords cannot be re-used.
The commands below are available to carry out these tasks and to manage users.
user passwordinfo <username>
Show the password ageing details for a user (last change, expiry and inactive dates, and the minimum, maximum and warning day counts), for example:
$ user passwordinfo joebrown
Last password change : Nov 30, 2015
Password expires : Feb 28, 2016
Password inactive : Apr 03, 2016
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 60
Number of days of warning before password expires : 14
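The output above is what an administrator reads by hand; when auditing many accounts it is easier to parse it. The script below is an added example and is not a command of the appliance or code from its vendor: it parses the Key : value lines that user passwordinfo prints, flags a password that never expires (the -1 case described under user password expiry), and reports a password that is inside its warning window, already expired, or past its inactive date. The two sample outputs are constructed to match the documented format, and the finding names (never_expires, expires_soon and so on) are this example's own.

```python
"""Audit the text printed by `user passwordinfo <username>`.

Added example, not part of the appliance CLI. It checks one account's
ageing details against the documented defaults: 60 days between changes,
14 days of warning, and -1 meaning the password never expires.
"""
from datetime import date, datetime

# Documented defaults for a freshly installed system.
DEFAULT_MAX_DAYS = 60
DEFAULT_WARN_DAYS = 14

# Constructed sample: a compliant account. The expiry date is 60 days after
# the last change and the inactive date is 35 days after that.
SAMPLE_DEFAULT = """\
Last password change : Nov 30, 2015
Password expires : Jan 29, 2016
Password inactive : Mar 04, 2016
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 60
Number of days of warning before password expires : 14
"""

# Constructed sample: after `user password expiry <name> never` the maximum
# shows as -1 and the expiry dates print as 'never'.
SAMPLE_NEVER = """\
Last password change : Nov 30, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : -1
Number of days of warning before password expires : 14
"""


def parse_passwordinfo(text):
    """Split each 'Key : value' line into a dict of stripped strings."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_date(value):
    """Dates print as 'Nov 30, 2015'; the word 'never' becomes None."""
    if value == "never":
        return None
    return datetime.strptime(value, "%b %d, %Y").date()


def audit(text, today):
    """Return finding codes for one account; an empty list means compliant.

    `today` may be a date or an ISO string such as '2016-01-20'.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    info = parse_passwordinfo(text)
    findings = []

    max_days = int(info["Maximum number of days between password change"])
    warn_days = int(info["Number of days of warning before password expires"])
    if max_days == -1:
        findings.append("never_expires")
    elif max_days > DEFAULT_MAX_DAYS:
        findings.append("max_days_above_default")
    if warn_days < DEFAULT_WARN_DAYS:
        findings.append("warning_below_default")

    expires = parse_date(info["Password expires"])
    if expires is not None:
        days_left = (expires - today).days
        if days_left < 0:
            findings.append("expired")
        elif days_left <= warn_days:
            findings.append("expires_soon")

    inactive = parse_date(info["Password inactive"])
    if inactive is not None and inactive <= today:
        # Past this date the expired password has locked the account;
        # an administrator has to unlock it.
        findings.append("inactive_locked")

    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("never", SAMPLE_NEVER)):
        print(name, audit(sample, "2016-01-20") or "compliant")
```

To use it against a live system, capture the output of user passwordinfo for each name listed by user list and pass each capture to audit() with the current date; any account reporting never_expires is one where the documented 60 to 365 day policy has been switched off.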
user inactivelock <days> <user>
Set the number of days of inactivity before a user account is locked, for example:
$ user inactivelock 35 joebrown
A 35 day inactive logon policy has been set for user: joebrown
user lock <user>
Manually lock a user account, for example:
$ user lock joebrown
passwd: password expiry information changed.
user unlock <user>
Manually unlock a user account, for example:
$ user unlock joebrown
passwd: password expiry information changed.
user password view_lock <user>
The output depends on what locked the user account. A lock caused by too many failed logon attempts is not shown by this command; check it with system ssh fail_limit view <user>.
Not a manual user lock:
$ user password view_lock joebrown
There is no password lock applied for user joebrown. Please run 'system ssh fail_limit view joebrown' to ensure the account is not locked because the user has reached the maximum number of failed attempts.
Manual user lock:
$ user password view_lock joebrown
The password for user: joebrown has been locked. Please run 'user unlock joebrown' and 'system ssh fail_limit reset joebrown' to ensure you unlock and reset lock limits for this user account
user lastlogon <username>
Show details of the last logon for a user.
A user who has logged in before:
$ user lastlogon joebrown
joebrown 172.29.90.74 Thu Dec 3 11:04:54.
A user who has not logged in before:
$ user lastlogon joebrown
joebrown logged in***
Use the user help command to see the general user management options such as user list, add, grant or revoke rights and remove users.
The command user list provides rights and security policy details of all users, while user list <username> provides details for a single user. For example:
$ user list
user:
  joebrown:
    rights:
      mail
      app
  janedoe:
    rights: value not set
  billsmith:
    rights: value not set
security_policy:
  user:
    platform:
      auto_inactive_account_lockout: 35
    joebrown:
      account_locked: No
      auto_inactive_account_lockout: 35
    janedoe:
      auto_inactive_account_lockout: 35
    billsmith:
      account_locked: No
In addition, a system wide account security setting can be configured and displayed. It applies to all users created after it is set and overrides the default inactive lock setting of 35 days; existing accounts keep their current value and must be changed individually with user inactivelock.
The following commands are available:
system inactivelock: show the current system wide inactive lock default:
$ system inactivelock
Newly added users will have their inactivity lock set to 35 days.
system inactivelock <num of days>: set the system wide inactive lock default for all new user accounts, in other words, for users created after the setting of the system wide inactive lock:
$ system inactivelock 35
Newly added users will have their inactivity lock set to 35 days.