User Security and Security Policy Management

Upon installation, user passwords are restricted as follows:

  • Password length : 8
  • Minimum number of days between password change : 1
  • Maximum number of days between password change : 60
  • Number of days of warning before password expires : 14
  • Number of previous passwords that cannot be re-used (password history) : 10

User password and account security settings and policy details can also be configured. Commands are available to manage:

  • password length
  • automatic account locking after inactivity
  • password re-use frequency (password history) - valid values are from 5 to 20

The following commands are available to show the current length and set the default minimum password length:

  • user password length
  • user password length <min_length>

The value of <min_length> can be set from 8 to 127 characters. By default, it is 8 characters. For other password rules, refer to Password Strength Rules. The setting also applies to backup passphrases.

By default, any account that is created has the inactive lock set to 35 days.

To set the number of days before a user's password expires:

user password expiry <username> [60-365,never]

Valid values are from 60 to 365 days. If never is specified, the password does not expire, and the output of user passwordinfo <username> shows the Maximum number of days between password change value as -1.

The default password re-use frequency is 10 passwords, which means that the last 10 passwords cannot be re-used. To change this value, use:

user password history <number-of-passwords>

where 5 <= <number-of-passwords> <= 20.

To see the current <number-of-passwords> re-use frequency:

user password history

The commands below are available to carry out these tasks and to manage users.

  • user passwordinfo <username>

    Show details such as password expiry in days for a user, for example:

    $ user passwordinfo joebrown
    Last password change                                    : Nov 30, 2015
    Password expires                                        : Feb 28, 2016
    Password inactive                                       : Apr 03, 2016
    Account expires                                         : never
    Minimum number of days between password change          : 1
    Maximum number of days between password change          : 60
    Number of days of warning before password expires       : 14
    
  • user inactivelock <days> <user>

    Set the number of days of inactivity before a user account is locked, for example:

    $ user inactivelock 35 joebrown
    A 35 day inactive logon policy has been set for user: joebrown
    
  • user lock <user>

    Manually lock a user account, for example:

    $ user lock joebrown
    passwd: password expiry information changed.
    
  • user unlock <user>

    Manually unlock a user account, for example:

    $ user unlock joebrown
    passwd: password expiry information changed.
    
  • user password view_lock <user>

    The command output depends on the event that locked the user account:

    Not a manual user lock:

    $ user password view_lock joebrown
    There is no password lock applied for user joebrown.
     Please run 'system ssh fail_limit view joebrown' to
     ensure the account is not locked because the user has
     reached the maximum number of failed attempts .
    

    Manual user lock:

    $ user password view_lock joebrown
    The password for user: joebrown has been locked.
     Please run 'user unlock joebrown' and
     'system ssh fail_limit reset joebrown' to ensure
     you unlock and reset lock limits for this user account
    
  • user lastlogon <username>

    Show details of the last logon for:

    • a user who has logged in before:

      $ user lastlogon joebrown
      joebrown 172.29.90.74 Thu Dec 3 11:04:54.
      
    • a user who has not logged in before:

      $ user lastlogon joebrown
      joebrown logged in***
      

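The user passwordinfo output above can be checked against the defaults listed at the top of this page. The following Python script is an added example, not part of this product's CLI or documentation: it parses a constructed sample in the layout of that output and assumes, as the sample's own dates bear out (Feb 28 to Apr 03, 2016 is 35 days), that the Password inactive date is the Password expires date plus the account's inactive lock period.

```python
from datetime import datetime
# Constructed sample in the layout of the "user passwordinfo <username>" output shown on this page.
SAMPLE = """\
Last password change                                    : Nov 30, 2015
Password expires                                        : Feb 28, 2016
Password inactive                                       : Apr 03, 2016
Account expires                                         : never
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 14
"""
# Defaults stated on this page: 60-day maximum password age and a 35-day inactive lock.
POLICY = {"max_days": 60, "inactive_lock_days": 35}

def _convert(value):
    for cast in (int, lambda v: datetime.strptime(v, "%b %d, %Y")):
        try:
            return cast(value)
        except ValueError:
            pass
    return value  # e.g. 'never'

def parse_passwordinfo(text):
    info = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            info[label.strip()] = _convert(value.strip())
    return info

def audit(info, policy, as_of):
    """Return findings for one account as of a 'Mon DD, YYYY' date; empty list means it matches policy."""
    findings, today = [], _convert(as_of)
    max_days = info["Maximum number of days between password change"]
    if max_days == -1:  # shown as -1 after 'user password expiry <user> never'
        findings.append("password never expires")
    elif max_days > policy["max_days"]:
        findings.append(f"max password age {max_days} exceeds policy {policy['max_days']}")
    expires, inactive = info["Password expires"], info["Password inactive"]
    if isinstance(expires, datetime) and isinstance(inactive, datetime):
        gap = (inactive - expires).days  # assumed: inactive date = expiry date + inactive lock period
        if gap != policy["inactive_lock_days"]:
            findings.append(f"inactive lock is {gap} days, expected {policy['inactive_lock_days']}")
        if today >= inactive:
            findings.append("password inactive: account locked")
        elif today >= expires:
            findings.append("password expired")
        elif (expires - today).days <= info["Number of days of warning before password expires"]:
            findings.append("password expires within warning window")
    return findings
```

Run audit() over the captured output of each account from user list to get a per-user deviation report; a password set to never is the finding most worth acting on.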
Use the user help command to see the general user management options, such as listing users, adding and removing users, and granting or revoking rights.

The command user list provides rights and security policy details of all users, while user list <username> provides details for a single user. For example:

$ user list
  user:
      joebrown:
          rights:
              mail
              app
      janedoe:
          rights: value not set
      billsmith:
          rights: value not set


  security_policy:
      user:
          platform:
              auto_inactive_account_lockout: 35
          joebrown:
              account_locked: No
              auto_inactive_account_lockout: 35
          janedoe:
              auto_inactive_account_lockout: 35
          billsmith:
              account_locked: No

In addition, a system-wide account security setting can be configured and displayed. The setting then applies to all new users and overrides the default inactive lock setting of 35 days.

The following commands are available:

  • system inactivelock: show the current system-wide inactive lock default:

    $ system inactivelock
    Newly added users will have their inactivity lock set to 35 days.
    
  • system inactivelock <num of days>: set the system-wide inactive lock default for all new user accounts, that is, for users created after the system-wide inactive lock is set:

    $ system inactivelock 35
    Newly added users will have their inactivity lock set to 35 days.