Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010)

Password policies
The following commands are used to manage the account lockout policy.
userConfig --change account_name -u
passwdCfg --disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before
the account is locked. The number of failed login attempts is counted from the last successful
login. LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the
value to 0 disables the lockout mechanism.
LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically
unlocked. LockoutDuration values range from 0 to 99999, and the default value is 30. Setting
the value to 0 disables lockout duration, and would require a user to seek administrative
action to unlock the account. The lockout duration begins with the first login attempt after the
LockoutThreshold has been reached. Subsequent failed login attempts do not extend the
lockout period.
Enabling the admin lockout policy
1. Log in to the switch using an account that has the Admin or securityAdmin role.
2. Enter the passwdCfg --enableadminlockout command.
Unlocking an account
1. Log in to the switch using an account that has the Admin or securityAdmin role.
2. Enter the userConfig --change account_name -u command, specifying the name of the user
account that is locked out.
Disabling the admin lockout policy
1. Log in to the switch using an account that has the Admin or securityAdmin role.
2. Enter the passwdCfg --disableadminlockout command.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition by repeatedly
attempting to log in to an account using an incorrect password. Selected privileged accounts are
exempted from the account lockout policy to prevent them from being locked out by a denial of
service attack. However, these privileged accounts may then become the target of password
guessing attacks. Audit logs should be examined to determine whether such attacks are being attempted.
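
One way to run the audit log review described above, as an added example that is not part of the Fabric OS guide. It counts failed logins per account from the last successful login, as LockoutThreshold does, and separates exempt accounts (which never lock) from accounts that would have locked. The record format, the account names, the exempt set and the function name are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records: "<ISO timestamp> <account> <OK|FAIL>".
# This is NOT the Fabric OS audit log format; adapt the parsing to your log source.
SAMPLE_LOG = """\
2010-06-01T09:00:00 admin FAIL
2010-06-01T09:00:02 admin FAIL
2010-06-01T09:00:04 admin FAIL
2010-06-01T09:00:06 admin FAIL
2010-06-01T09:01:00 user1 FAIL
2010-06-01T09:01:30 user1 OK
2010-06-01T09:02:00 user2 FAIL
2010-06-01T09:02:01 user2 FAIL
2010-06-01T09:02:02 user2 FAIL
2010-06-01T09:05:00 admin OK
2010-06-01T09:06:00 admin FAIL
"""

def failed_login_runs(log_text, threshold, exempt_accounts):
    """Return (account, failures, kind, seconds) for each run of consecutive
    failed logins that reaches threshold. Failures are counted from the last
    successful login, mirroring how the guide describes LockoutThreshold."""
    runs = {}       # account -> [count, first_ts, last_ts] for the open run
    findings = []

    def close(account):
        count, first, last = runs.pop(account)
        if count >= threshold:
            # Exempt accounts never lock, so guessing can continue unchecked.
            # Other accounts would have locked: possible denial of service.
            kind = "exempt-no-lockout" if account in exempt_accounts else "would-lock"
            findings.append((account, count, kind, (last - first).total_seconds()))

    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, account, outcome = line.split()
        ts = datetime.fromisoformat(ts)
        if outcome == "FAIL":
            run = runs.setdefault(account, [0, ts, ts])
            run[0] += 1
            run[2] = ts
        elif outcome == "OK" and account in runs:   # a success ends the run
            close(account)
    for account in list(runs):                       # runs still open at end of log
        close(account)
    return findings
```

Pass the set of accounts that are exempt on your switch as exempt_accounts; "exempt-no-lockout" findings are the ones the lockout policy will not stop.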