Several enhancements have been implemented to support Joint Interoperability Test Command (JITC) compliance.
The following table lists the enhancements for JITC compliance.
Vuln ID | JITC Requirement | New ExtremeXOS Behavior |
---|---|---|
V-55055 | The network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | Three successive failed logons lock the account for 15 minutes. |
V-55061 | Upon successful logon, the network device must notify the administrator of the date and time of the last logon. | After successfully logging on, the time of the last successful logon appears. |
V-55063 | Upon successful logon, the network device must notify the administrator of the number of unsuccessful logon attempts since the last successful logon. | After successfully logging on, the number of unsuccessful logons appears. |
V-55127 | The network device must require that when a password is changed that at least eight characters are changed in the new password. | New command (see below) provided to configure the minimum number of different characters for changed passwords. |
V-55135 | The network device must enforce 24 hours as the minimum password lifetime. | New command (see below) provided to configure the minimum lifespan for passwords. |
V-55291 | The network device must notify the administrator of the number of successful logon attempts occurring during an organization-defined time period. | The number of logons since the previous reboot of the switch appears after logging on successfully. |
Additionally, the OpenSSH server and client are upgraded from 7.5p1 to 8.1p1. Also, a new command is provided that configures a logon grace timeout period. When this timeout period expires, the server disconnects if the user has not completed the logon attempt.
ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, and X870 series switches.
configure ssh2 login-grace-timeout seconds
configure account [all | name] password-policy min-different-characters [count]
configure account [all | name] password-policy min-age [num_days | none]
The following show command now shows logon grace timeout period:
show ssh2
The following commands no longer have the unsupported ciphers and MACs as options:
configure ssh2 enable [cipher [cipher | all] | mac [mac | all]]
scp2 {cipher cipher} {mac mac} {compression [on | off]} {port portnum} {vr vr_name} user [hostname | ipaddress]:remote_file local_file
ssh2 {cipher cipher} {mac mac} {port portnum} {compression [on | off]} {user username} {username} [host | ipaddress] {remote command} {vr vr_name}
The following show command now shows the minimum different password characters:
show accounts password-policy
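
The logon behavior in the V-55055, V-55061 and V-55063 rows of the table, written out as a small reference model. This is an added example, not ExtremeXOS code. The names `Account` and `logon`, the treatment of attempts made while the account is locked (rejected and not counted), and the sample credential and timeline are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 3                 # V-55055: three successive failed logons
LOCKOUT = timedelta(minutes=15)  # V-55055: lock lasts 15 minutes

@dataclass
class Account:
    password: str                        # plaintext only to keep the model short
    consecutive_failures: int = 0
    failures_since_success: int = 0
    last_success: Optional[datetime] = None
    locked_until: Optional[datetime] = None

def logon(acct: Account, password: str, now: datetime):
    """Return (status, banner); banner is populated only on success."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked", None        # assumption: rejected and not counted
        acct.locked_until = None         # lock expired, start a fresh run
        acct.consecutive_failures = 0
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.consecutive_failures += 1
        acct.failures_since_success += 1
        if acct.consecutive_failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
        return "failed", None
    banner = {"last_logon": acct.last_success,                    # V-55061
              "failed_since_last": acct.failures_since_success}  # V-55063
    acct.last_success = now
    acct.consecutive_failures = 0
    acct.failures_since_success = 0
    return "ok", banner

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)      # constructed timeline
    acct = Account("Sample-Passw0rd")    # constructed credential
    print(logon(acct, "Sample-Passw0rd", t0))
    for m in (1, 2, 3):
        print(logon(acct, "wrong", t0 + timedelta(minutes=m)))
    print(logon(acct, "Sample-Passw0rd", t0 + timedelta(minutes=10)))  # locked
    print(logon(acct, "Sample-Passw0rd", t0 + timedelta(minutes=18)))  # ok
```

The correct password is refused while the lock is active, and the first successful logon after it expires reports all three failures in its banner.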