Configuring Password Policy in Gaia Clish
Use these commands to configure a policy for managing user passwords.
|
Important:
|
Password Strength
-
To configure the password strength:
set password-controls
complexity <1-4>
min-password-length <6-128>
palindrome-check {on |off}
-
To show the configured password strength:
show password-controls
complexity
min-password-length
palindrome-check
show password-controls all
Parameter |
Description |
---|---|
|
The required number of character types:
Character types are:
Changes to this setting do not affect existing passwords.
|
|
The minimum number of characters in a Gaia user, or an SNMP user password. Does not apply to passwords that were already configured.
|
|
A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction.
|
Password History
-
To configure the password history:
set password-controls
history-checking {on | off}
history-length <1-1000>
-
To show the configured password history:
show password-controls
history-checking
history-length
show password-controls all
Parameter |
Description |
---|---|
|
Check for reuse of passwords for all users. Enables or disables password history checking and password history recording. When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by Does not apply to SNMP passwords.
|
|
The number of former passwords to keep and check against when a new password is configured for a user.
|
Mandatory Password Change
-
To configure the mandatory password change:
set password-controls
expiration-lockout-days <1-1827 | never>
expiration-warning-days <1-366>
force-change-when {no | password}
password-expiration <1-1827 | never>
-
To show the configured mandatory password change:
show password-controls
expiration-lockout-days
expiration-warning-days
force-change-when
password-expiration
show password-controls all
Parameter |
Description |
---|---|
|
Lockout users after password expiration. After a user's password has expired, user has this number of days to log in and change it. If a user does not change the password within that number of days, the user is unable to log in - the user is locked out. The administrator can unlock a user that is locked out from the User Management > Users page.
|
|
How many days before the user's password expires to start generating warnings to the user that user must change the password. A user that does not log in, does not see this warning.
|
|
Forces a user to change password at first login, after the user's password was changed using the command "
|
|
The number of days, for which a password is valid. After that time, the password expires. The count starts when the user changes the password. Users are required to change an expired password the next time they log in. Does not apply to SNMP users.
|
|
Note - To see when Gaia OS changed the password for a specific user, run this command in the Expert mode:
Example:
|
Denying Access to Unused Accounts
-
To configure the denial of access to unused accounts based on the number of days:
set password-controls deny-on-nonuse
allowed-days <30-1827>
enable {on | off}
-
To show the configured denial of access to unused accounts:
show password-controls deny-on-nonuse
show password-controls all
Parameter |
Description |
---|---|
|
Configures the number of days of non-use before locking out the unused account. This only takes effect, if the "
|
|
Denies access to unused accounts. If there were no successful login attempts within a set time, the user is locked out and cannot log in.
|
Denying Access After Failed Login Attempts
-
To configure the denial of access to unused accounts based on the number of failed login attempts:
set password-controls deny-on-fail
allow-after <60-604800>
block-admin {on | off}
enable {on | off}
failures-allowed <2-1000>
-
To show the configured denial of access to unused accounts:
show password-controls deny-on-fail
show password-controls all
Parameter |
Description |
||
---|---|---|---|
|
Allow access again after a user was locked out (due to failed login attempts). The user is allowed access after the configured time, if there were no login attempts during that time.
Examples:
|
||
|
This only takes effect if " If the configured limit of failed login attempts for the
|
||
|
If the configured limit is reached, the user is locked out (unable to log in) for a configured time.
|
||
|
This only takes effect if " The number of failed login attempts that a user is allowed before being locked out. After making that many successive failed attempts, future attempts fail. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero,
|
Configuring Hashing Algorithm
-
To configure the hashing algorithm:
set password-controls password-hash-type {SHA256 | SHA512}
-
To show the configured hashing algorithm:
show password-controls password-hash-type
show password-controls all
Parameter |
Description |
---|---|
|
Configures the hashing algorithm to store new passwords in the Gaia database.
|