password-attributes
Configures global password attributes.
Syntax
password-attributes { [ max-logins maxlogins ] [ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin ] [ history number ] [ repeat minnum ] [ sequence number ] [ login-notify-duration hours ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] [ force-default-password-change ] [ max-password-age number-of-days ] }
no password-attributes { [ max-logins maxlogins ] [ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin ] [ history number ] [ repeat minnum ] [ sequence number ] [ login-notify-duration hours ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] [ force-default-password-change ] [ max-password-age number-of-days ] }
Command Default
The default for min-length is 8. All other defaults are 0.
Parameters
admin-lockout
    Enables lockout for admin role accounts.
character-restriction
    Configures the restriction on various types of characters.
    lower numlower
        Specifies the minimum number of lowercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
    numeric numdigits
        Specifies the minimum number of numeric characters that must occur in the password. Values range from 0 through 32 characters. The default is 0.
    special-char numsplchars
        Specifies the number of punctuation characters that must occur in the password. All printable, non-alphanumeric punctuation characters, except colon (:), are allowed. Values range from 0 through 32 characters. The default value is 0.
    upper numupper
        Specifies the minimum number of uppercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
max-logins maxlogins
    Specifies the maximum number of log-in sessions for a user. Values range from 0 through 10. The default value is 0.
max-retry maxretry
    Specifies the number of failed password log-ins permitted before a user is locked out. Values range from 0 through 16. The default value is 0.
min-length minlen
    Specifies the minimum length of the password. Valid values range from 8 through 32 characters. The default is 8 characters.
max-logins maxlogin
    Specifies the maximum number of log-in sessions allowed per local user. Valid values range from 0 through 10. The default is 0, representing an infinite number of log-ins.
history number
    Specifies the number of old passwords against which a newly configured password is checked. The new password is discarded if it matches an old password. Valid values range from 0 through 10. The default is 0.
repeat minimum
    Specifies the minimum number of consecutive repetitive characters in a newly configured password. The new password is discarded if it has consecutive repetitive characters (for example, aaa, xxx, 1111). Configure 1 to disable the check. The default is 1.
sequence number
    Specifies the minimum number of consecutive sequential characters, in both forward and reverse direction (for example, abc, cba), in a newly configured password. The new password is discarded if it has consecutive sequential characters (for example, abc, xyz, fedc). Configure 1 to disable the check. The default is 1.
login-notify-duration hours
    Specifies the duration in hours for which the admin is notified of the number of last successful attempts. Use value 0 to disable the notification. Valid values range from 0 through 120. The default is 0.
force-default-password-change
    Forces the user to change the password at first login. This applies to all default accounts on the system.
max-password-age number-of-days
    Specifies the number of days after which the user is forced to change the password. The default value is zero (0), indicating that the password does not expire and need not be changed.
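The following Python sketch is an added example, not vendor code. It models how the character-restriction, min-length, repeat and sequence attributes described above would judge a candidate password, which is useful for pre-checking credentials before they are pushed to a device. The policy values are constructed, and the threshold semantics (a run of N or more characters is rejected, a colon does not count as a special character, sequences follow character code order) are assumptions drawn from the parameter text.

```python
import string

# Keys mirror the command's keywords; the values are constructed for this example.
POLICY = {"min-length": 10, "lower": 2, "upper": 1, "numeric": 1,
          "special-char": 1, "repeat": 3, "sequence": 3}
# Assumption: a colon does not count toward special-char (the page excludes it).
SPECIALS = set(string.punctuation) - {":"}


def longest_repeat(pw):
    """Length of the longest run of one repeated character (aaa -> 3)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequence(pw):
    """Length of the longest forward or reverse run (abc, cba, 123 -> 3)."""
    best = run = 1 if pw else 0
    step = 0
    for prev, cur in zip(pw, pw[1:]):
        diff = ord(cur) - ord(prev)
        if diff in (1, -1) and prev.isalnum() and cur.isalnum():
            run = run + 1 if diff == step else 2
            step = diff
        else:
            run, step = 1, 0
        best = max(best, run)
    return best


def violations(pw, policy=POLICY):
    """Return the policy keywords that the candidate password violates."""
    failed = ["min-length"] if len(pw) < policy["min-length"] else []
    counts = {"lower": sum(c.islower() for c in pw),
              "upper": sum(c.isupper() for c in pw),
              "numeric": sum(c.isdigit() for c in pw),
              "special-char": sum(c in SPECIALS for c in pw)}
    failed += [k for k, n in counts.items() if n < policy[k]]
    # Assumption: a run of N or more characters is rejected; 1 disables the check.
    if policy["repeat"] > 1 and longest_repeat(pw) >= policy["repeat"]:
        failed.append("repeat")
    if policy["sequence"] > 1 and longest_sequence(pw) >= policy["sequence"]:
        failed.append("sequence")
    return failed
```

The history attribute is not modelled here because it depends on the old passwords stored on the device.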
Modes
Global configuration mode
Usage Guidelines
To reset password attributes to their default values, run the no form of this command.
If you use PuTTY to open a telnet session and then close the session by closing the PuTTY window, the max-logins feature does not count the session as closed because the client does not send an application layer closure message to be processed by the PAM module. Therefore, if max-logins is enabled when you use PuTTY to open a telnet session, use the exit command to close the session.
The max-logins feature does not apply to REST log-ins and RESTCONF log-ins.
Examples
The following example configures global password attributes and verifies the configuration.
device# configure terminal
device(config)# password-attributes max-retry 4
device(config)# password-attributes character-restriction lower 2
device(config)# password-attributes character-restriction upper 1 numeric 1 special-char 1
device(config)# exit
device# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
The following example resets the character restriction attributes and verifies the configuration.
device# configure terminal
device(config)# no password-attributes character-restriction lower
device(config)# no password-attributes character-restriction upper
device(config)# exit
device# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
The following example clears all global password attributes.
device# configure terminal
device(config)# no password-attributes
device(config)# exit
device# show running-config password-attributes
% No entries found.
The following example sets the maximum number of retries to 3 and enables lockout policy for admin role accounts.
device# configure terminal
device(config)# password-attributes max-retry 3 admin-lockout
Example
The following example shows the configuration to force a user to change their login password the first time they log in.
Enable forcing default password change:
SLX(config)# password-attributes force-default-password-change
Display password-attribute configuration:
SLX# show running-config password-attributes
password-attributes force-default-password-change
SLX#
Example
The following example shows how to set the maximum number of days for the user account password. After the maximum number of days has been reached, the user should change the password. The default value is 0, which means that password expiration is disabled.
Configure Maximum password age parameter:
SLX(config)# password-attributes max-password-age 4
Remove Maximum password age configuration:
SLX(config)# no password-attributes max-password-age
Display Maximum password age configuration:
SLX# show running-config password-attributes
password-attributes max-password-age 4
SLX#
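The following Python sketch is an added example, not vendor code. It parses captured `show running-config password-attributes` output, overlays it on the defaults stated on this page, and reports every attribute that falls below a site baseline. The BASELINE values are a constructed assumption, and SAMPLE reuses the output shown in the first example above.

```python
# Defaults as stated on the page: min-length 8, repeat and sequence 1, the rest 0.
DEFAULTS = {"min-length": 8, "repeat": 1, "sequence": 1, "max-retry": 0,
            "max-logins": 0, "history": 0, "login-notify-duration": 0,
            "max-password-age": 0, "lower": 0, "upper": 0, "numeric": 0,
            "special-char": 0, "admin-lockout": 0,
            "force-default-password-change": 0}
FLAGS = {"admin-lockout", "force-default-password-change"}  # keywords with no value

# Constructed site baseline (an assumption, not a vendor recommendation).
BASELINE = {"min-length": 12, "max-retry": 1, "history": 5, "upper": 1,
            "lower": 1, "numeric": 1, "special-char": 1, "admin-lockout": 1,
            "force-default-password-change": 1}

SAMPLE = """\
device# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
"""


def parse_running_config(text):
    """Overlay the configured attributes on the documented defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "password-attributes":
            continue  # prompts, "% No entries found." and blank lines
        it = iter(tokens[1:])
        for tok in it:
            if tok == "character-restriction":
                continue  # prefix keyword; lower/upper/numeric/special-char follow
            if tok in FLAGS:
                cfg[tok] = 1
            elif tok in cfg:
                cfg[tok] = int(next(it, "missing"))  # ValueError if value absent
            else:
                raise ValueError(f"unknown attribute: {tok}")
    return cfg


def audit(text, baseline=BASELINE):
    """Return {attribute: (effective, required)} for settings below baseline."""
    cfg = parse_running_config(text)
    return {k: (cfg[k], need) for k, need in baseline.items() if cfg[k] < need}
```

An empty result from `audit` means every baseline attribute is met; an output of `% No entries found.` is audited as all defaults.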