.. _user_security_and_security_policy_management:

User Security and Security Policy Management
--------------------------------------------

.. index:: user;user password
.. index:: user;user password expiry
.. index:: user;user password history
.. index:: user;user passwordinfo
.. index:: user;user inactivelock
.. index:: user;user lock
.. index:: user;user unlock
.. index:: user;user lastlogon
.. index:: user;user list
.. index:: system;system inactivelock

.. _19.1.1|DOC-145:
.. _12.5(1)|VOSS-356:
.. _19.3.4|EKB-6734:

Upon installation, user passwords are restricted as follows:

* Password length : 8
* Minimum number of days between password change : 1
* Maximum number of days between password change : 60
* Number of days of warning before password expires : 14
* Number of days between password change : 10

User password and account security settings and policy details can also be
configured. Commands are available to manage:

* password length
* automatic account locking after inactivity
* number of days between password change - valid values are from 5 to 20

The following commands are available to show the current length and to set the
default minimum password length:

* **user password length**
* **user password length <length>**

The value of ``<length>`` can be set from 8 to 127 characters. By default, it
is 8 characters. For other password rules, refer to Password Strength Rules.
The setting also applies to backup passphrases.

By default, any account that is created has the inactive lock set to 35 days.

To set the number of days before a user password expires:

**user password expiry [60-365,never]**

Valid values for days are from 60 to 365. If ``never`` is typed in, the
password does not expire, and when typing **user passwordinfo <username>** the
``Maximum number of days between password change`` value shows as ``-1``.

The password re-use frequency default is 10 passwords, which means that the
last 10 passwords cannot be re-used, unless this is set using:

**user password history <number>**

where 5 <= ``<number>`` <= 20. To see the current ``<number>`` re-use
frequency:

**user password history**

For example:

::

   platform@VOSS:~$ user password history
   The default password history is set to 10.

The commands below are available to carry out these tasks and to manage users.

* **user passwordinfo <username>**

  Show details such as password expiry in days for a user, for example:

  ::

     $ user passwordinfo joebrown
     Last password change : Nov 30, 2015
     Password expires : Feb 28, 2016
     Password inactive : Apr 03, 2016
     Account expires : never
     Minimum number of days between password change : 1
     Maximum number of days between password change : 60
     Number of days of warning before password expires : 14

* **user inactivelock <days> <username>**

  Set the number of days of inactivity before a user account is locked, for
  example:

  ::

     $ user inactivelock 35 joebrown
     A 35 day inactive logon policy has been set for user: joebrown

* **user lock <username>**

  Manually lock a user account, for example:

  ::

     $ user lock joebrown
     passwd: password expiry information changed.

* **user unlock <username>**

  Manually unlock a user account, for example:

  ::

     $ user unlock joebrown
     passwd: password expiry information changed.

  To unlock users who exceeded the allowed number of failed login attempts:

  ::

     $ system ssh fail_limit reset joebrown
     $ user unlock joebrown
     passwd: password expiry information changed.

* **user password view_lock <username>**

  The command output differs according to the event that locked the user
  account.

  Not a manual user lock:

  ::

     $ user password view_lock joebrown
     There is no password lock applied for user joebrown.
     Please run 'system ssh fail_limit view joebrown' to ensure the account is not locked because the user has reached the maximum number of failed attempts .

  Manual user lock:

  ::

     $ user password view_lock joebrown
     The password for user: joebrown has been locked.
     Please run 'user unlock joebrown' and 'system ssh fail_limit reset joebrown' to ensure you unlock and reset lock limits for this user account

* **user lastlogon <username>**

  Show details of the last logon for:

  * a user who has logged in before:

    ::

       $ user lastlogon joebrown
       joebrown 172.29.90.74 Thu Dec 3 11:04:54.

  * a user who has not logged in before:

    ::

       $ user lastlogon joebrown
       joebrown logged in***

Use the **user help** command to see the general user management options, such
as user list, add, grant or revoke rights, and remove users.

The command **user list** provides rights and security policy details of *all*
users, while **user list <username>** provides details for a single user. For
example:

::

   $ user list
   user:
     joebrown:
       rights: mail app
     janedoe:
       rights: value not set
     billsmith:
       rights: value not set
   security_policy:
     user:
       platform:
         auto_inactive_account_lockout: 35
       joebrown:
         account_locked: No
         auto_inactive_account_lockout: 35
       janedoe:
         auto_inactive_account_lockout: 35
       billsmith:
         account_locked: No

In addition, a system wide account security setting can be configured and
displayed. The setting then applies to all *new* users and overrides the
default inactive lock setting of 35 days. The following commands are available:

* **system inactivelock**: show the current system wide inactive lock default:

  ::

     $ system inactivelock
     Newly added users will have their inactivity lock set to 35 days.

* **system inactivelock <days>**: set the system wide inactive lock default for
  all new user accounts, in other words, for users created *after* the setting
  of the system wide inactive lock:

  ::

     $ system inactivelock 35
     Newly added users will have their inactivity lock set to 35 days.
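As an added example that is not part of the original documentation or of the VOSS platform itself, the following Python script audits captured ``user list`` and ``user passwordinfo`` output offline: it reports accounts that have no ``auto_inactive_account_lockout`` of their own (such as ``billsmith`` in the listing above) and computes the days left before a password expires. The two output samples inside it are constructed to match the formats shown above, and the indentation levels the parser relies on (4 and 6 spaces under ``security_policy``) are an assumption about the captured text.

```python
"""Offline audit of captured VOSS CLI output (both samples are constructed)."""
from datetime import datetime

USER_LIST_OUTPUT = """\
user:
  joebrown:
    rights: mail app
security_policy:
  user:
    platform:
      auto_inactive_account_lockout: 35
    joebrown:
      account_locked: No
      auto_inactive_account_lockout: 35
    billsmith:
      account_locked: No
"""

PASSWORDINFO_OUTPUT = """\
Last password change : Nov 30, 2015
Password expires : Feb 28, 2016
"""

def parse_security_policy(text):
    """Map each entry under security_policy -> user to its key/value settings."""
    policy, in_policy, current = {}, False, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        if indent == 0 and key:          # top-level section: 'user' or 'security_policy'
            in_policy = key == "security_policy"
        elif in_policy and indent == 4:  # a user name, or the 'platform' default
            current, policy[key] = key, {}
        elif in_policy and indent == 6 and current:
            policy[current][key] = value.strip()
    return policy

def users_without_inactive_lock(text):
    """Accounts with no auto_inactive_account_lockout of their own (a gap to fix)."""
    return sorted(u for u, s in parse_security_policy(text).items()
                  if u != "platform" and "auto_inactive_account_lockout" not in s)

def days_until_expiry(text, today):
    """Days from ``today`` ("Mon DD, YYYY") to 'Password expires'; None if never."""
    fmt = "%b %d, %Y"
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Password expires" and value.strip() != "never":
            return (datetime.strptime(value.strip(), fmt) - datetime.strptime(today, fmt)).days
    return None  # password set to 'never' expire (or no expiry line captured)
```

Run it against real captures by replacing the two sample strings with the text returned by the platform commands.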