set system password

Use this command to configure system password parameters.

Syntax

set system password [aging {days | disable}] [history {size}] [length characters] [min-required-chars {[uppercase characters] [lowercase characters] [numeric characters] [special characters]}] [require-at-creation {yes | no}] [allow-duplicates {yes | no}] [allow-user-id {yes | no}] [substring-match-len characters] [allow-repeating-chars {num | yes | no}] [change-first-login {yes | no} [all]] [change-frequency minutes [all]] [expire-warning days] [grace-period {logins num | time days}]

Parameters

aging days | disable Specifies the number of days to age the password.
  • days — Valid values are 1–365
  • disable — Aging is not taken into account for user account passwords.
history size Specifies the number of passwords to keep in the password history for a user account. Valid values: 0–10.
  • If the security profile = C2, the default value is 8 entries
  • If the security profile = normal, the default value is 0 entries
length characters Specifies the minimum number of characters in a user account password.
min-required-chars Specifies the minimum number of characters of the specified type that must be present in a user account password as follows:
  • uppercase characters — minimum number of upper case characters
  • lowercase characters — minimum number of lower case characters
  • numeric characters — minimum number of numeric characters
  • special characters — minimum number of special characters

Valid values: 0–40 in all cases.

require-at-creation Specifies whether a password is required at the time of user account creation:
  • yes — Password is required when creating a user account
  • no — Password is not required when creating a user account
allow-duplicates Specifies whether multiple accounts can share the same password:
  • yes — Specifies that multiple accounts may share the same password
  • no — Specifies that multiple accounts may not share the same password
allow-user-id Allows the password to contain, repeat, or reverse the account name:
  • yes – Specifies that the contents of the password can contain, repeat, or reverse the content of the account name (default).
  • no – Specifies that the contents of the password cannot contain, repeat, or reverse the content of the account name.
substring-match-len characters Specifies the length of any substring present in the most recent password for this account that may not be used in a new password. Valid values: 0–40. Default value is 4 characters.
allow-repeating-chars Specifies whether the same character may appear consecutively in the same password:
  • num – Specifies the number of repeating characters allowed. Valid values are 0 - 40.
  • yes — specifies that the same character may appear consecutively in a password with no maximum character limit (default).
  • no — specifies that the same character may not appear consecutively in a password.
change-first-login Specifies whether new users are required to change their password upon first login:
  • yes — specifies that new users must change the password for this account upon first login
  • no — specifies that new users are not required to change the password for this account upon first login
  • all – (Optional) specifies that this new setting is applied to all user modes; by default this setting only applies to read-write and read-only.
change-frequency minutes [all] Specifies a minimum interval in minutes between password changes allowed for non-superusers. Valid values: 0–65535. The all option specifies that this new setting is applied to all user modes; by default this setting only applies to read-write and read-only.
  • If the security profile = C2, the default value is 1440 (24 hours)
  • If the security profile = normal, the default value is 0
expire-warning days Specifies the number of days before password expiration at which a warning of the impending expiration is displayed. Valid values are 1 - 28 days. Default value is 21 days.
grace-period logins num | time days Sets a grace period, as either a number of logins or a number of days, before the password is locked out:
  • logins num – Number of logins allowed after a password expires before the password is locked out. Valid values are 0 - 5. Default value is 3 for C2 security mode and 0 (no limit) for normal security mode.
  • time days – Number of days after a password expires before the password is locked out. Valid values are 0 - 30 days. Default value is 30 days for C2 security mode and 0 (no limit) for normal security mode.

Defaults

  • aging: disable
  • history: normal mode: 0 passwords; C2 mode: 8
  • length: 8 characters
  • min-required-chars: 0 characters for all cases
  • require-at-creation: No. Password is not required at user account creation.
  • allow-duplicates: Yes. Multiple accounts may use the same password.
  • allow-user-id: Yes.
  • substring-match-len: 0 characters.
  • allow-repeating-chars: Yes. Consecutive use of the same character in a password is allowed.
  • change-first-login: No. The password does not have to be changed upon first login.
  • change-frequency: 0 minutes.
  • expire-warning: 21 days.
  • grace-period: 3 logins or 30 days for C2 security mode; unlimited logins or days for normal security mode.

Mode

All command modes, Super User.

Usage

The set of special characters recognized by this command is: !@#$%^&*()-=[]\;?,./`.

If the require-at-creation option is enabled, the set system login command will interactively prompt for a cleartext password upon creation of a new user account. It will be as if a set password username command was implicitly executed. The new account will not be successfully created until a valid password has been specified. A cleartext password will not be solicited if an encrypted password is already specified by way of the set system login command's password option.

If the allow-duplicates option is set to no, a user will not be able to select as a new password one which is already being used by another user.

If the substring-match-len option is set to zero, no substring matching will be performed when validating new passwords. If the substring-match-len option is configured with a nonzero length, any substring of the specified length appearing in the current password for this user may not appear in a new password. If the configured history size is nonzero, then all historical passwords up to that size will also be compared with the input of the new password. Any substring of the configured length appearing in any of the historical passwords may not be used in the new password. This option is not enforced when a password is changed by a superuser.

A password change-frequency interval of zero means there is no restriction on the frequency of password changes.

A configured minimum change-frequency interval applies only to users without super-user privileges attempting to change their own passwords unless the all option is specified. Users with super-user privileges may change their passwords at any time if the all option is not specified.
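
The following Python sketch is an added illustration, not code from the device or its vendor. It models the length, special-character, repeating-character (yes/no only) and substring-match-len rules described above so a candidate password can be checked offline. The function and parameter names are hypothetical, and the history list is assumed to be ordered most recent first.

```python
# Added illustration: models checks described on this page; it is not the
# switch's own code. Function and parameter names are hypothetical.
SPECIAL_CHARS = set("!@#$%^&*()-=[]\\;?,./`")  # set listed under Usage


def shared_substring(new, old, n):
    """Return the first n-character substring of `old` found in `new`, else None."""
    if n <= 0:  # substring-match-len 0 disables substring matching
        return None
    for i in range(len(old) - n + 1):
        if old[i:i + n] in new:
            return old[i:i + n]
    return None


def longest_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(new, current, history=(), *, length=8, min_special=0,
                   substring_match_len=0, history_size=0,
                   allow_repeating=True, superuser=False):
    """Return the list of violated options (an empty list means it passes)."""
    failures = []
    if len(new) < length:
        failures.append("length")
    if sum(ch in SPECIAL_CHARS for ch in new) < min_special:
        failures.append("min-required-chars special")
    if allow_repeating is False and longest_run(new) > 1:
        failures.append("allow-repeating-chars")
    # Substring matching is not enforced when a superuser changes the password.
    if not superuser:
        # Assumption: history is ordered most recent first and only the
        # first `history_size` entries are compared.
        for old in [current, *list(history)[:history_size]]:
            if shared_substring(new, old, substring_match_len):
                failures.append("substring-match-len")
                break
    return failures
```

Characters such as the underscore are not in the recognized special set, so a password like Pass_word12 does not satisfy a min-required-chars special requirement of 1.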

Example

This example shows how to set the system password aging to 60 days, set the minimum password length to 6 characters, and prevent the same character from repeating consecutively in a password:

System(su)->set system password aging 60 length 6 allow-repeating-chars no