HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)
78 Managing user accounts
The following commands manage the account lock out policy.
• userConfig
--change account_name -u
• passwdCfg
--disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
• LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the
account is locked. The number of failed login attempts is counted from the last successful login.
LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables
the lockout mechanism.
• LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically unlocked.
LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0
disables lockout duration, and would require a user to seek administrative action to unlock the account.
The lockout duration begins with the first login attempt after the LockoutThreshold has been reached.
Subsequent failed login attempts do not extend the lockout period.
Enabling the admin lockout policy
1. Log in to the switch using an account that is an Admin role or securityAdmin role.
2. Enter the following command:
passwdCfg
--enableadminlockout
The policy is now enabled.
Unlocking an account
1. Log in to the switch using an account that is an Admin role or securityAdmin role.
2. Enter the following command:
userConfig
--change account_name -u
where account_name is the name of the user account that is locked out.
The account is now unlocked.
Disabling the admin lockout policy
1. Log in to the switch using an account that is an Admin role or securityAdmin role.
2. Enter the following command:
passwdCfg --disableadminlockout
The policy is now disabled.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition by repeatedly
attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted
from the account lockout policy to prevent them from being locked out from a denial of service attack.
However these privileged accounts may then become the target of password guessing attacks. Audit logs
should be examined to monitor if such attacks are attempted.
The boot PROM password
The boot PROM password provides an additional layer of security by protecting the boot PROM from
unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot
PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM
password cannot be recovered.