Configuring Password Policy in Gaia Clish

Use these commands to configure a policy for managing user passwords.

Password Strength

Syntax

To configure the password strength:

set password-controls

complexity <1-4>

min-password-length <6-128>

palindrome-check {on |off}

To show the configured password strength:

show password-controls

complexity

min-password-length

palindrome-check

show password-controls all

Parameters

Parameter	Description
`complexity <1-4>`	The required number of character types: `1` - Don't check `2` - Require two character types (default) `3` - Require three character types `4` - Require four character types Character types are: Upper case alphabetic (A-Z) Lower case alphabetic (a-z) Digits (0-9) Other (everything else) Changes to this setting do not affect existing passwords. Range: 1 - 4 Default: 2
`min-password-length <6-128>`	The minimum number of characters in a Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. user, or an SNMP user password. Does not apply to passwords that were already configured. Range: 6 - 128 Default: 2
`palindrome-check {on \| off}`	A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction. Range: `on`, or `off` Default: `on`

Parameter

Description

complexity <1-4>

The required number of character types:

1 - Don't check
2 - Require two character types (default)
3 - Require three character types
4 - Require four character types

Character types are:

Upper case alphabetic (A-Z)
Lower case alphabetic (a-z)
Digits (0-9)
Other (everything else)

Changes to this setting do not affect existing passwords.

Range: 1 - 4
Default: 2

min-password-length <6-128>

The minimum number of characters in a Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. user, or an SNMP user password.

Does not apply to passwords that were already configured.

Range: 6 - 128
Default: 2

palindrome-check {on | off}

A palindrome is a sequence of letters, numbers, or characters that can be read the same in each direction.

Range: on, or off
Default: on

Password History

Syntax

To configure the password history:

set password-controls

history-checking {on | off}

history-length <1-1000>

To show the configured password history:

show password-controls

history-checking

history-length

show password-controls all

Parameters

Parameter	Description
`history-checking {on \| off}`	Check for reuse of passwords for all users. Enables or disables password history checking and password history recording. When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by `history-length`. Does not apply to SNMP passwords. Range: `on`, or `off` Default: `on`
`history-length <1-1000>`	The number of former passwords to keep and check against when a new password is configured for a user. Range: 1 - 1000 Default: 10

Parameter

Description

history-checking {on | off}

Check for reuse of passwords for all users.

Enables or disables password history checking and password history recording.

When a user's password is changed, the new password is checked against the recent passwords for the user. An identical password is not allowed. The number of passwords kept in the record is set by history-length.

Does not apply to SNMP passwords.

Range: on, or off
Default: on

history-length <1-1000>

The number of former passwords to keep and check against when a new password is configured for a user.

Range: 1 - 1000
Default: 10

Mandatory Password Change

Syntax

To configure the mandatory password change:

set password-controls

expiration-lockout-days <1-1827 | never>

expiration-warning-days <1-366>

force-change-when {no | password}

password-expiration <1-1827 | never>

To show the configured mandatory password change:

show password-controls

expiration-lockout-days

expiration-warning-days

force-change-when

password-expiration

show password-controls all

Parameters

Parameter	Description
`expiration-lockout-days <1-1827 \| never>`	Lockout users after password expiration. After a user's password has expired, user has this number of days to log in and change it. If a user does not change the password within that number of days, the user is unable to log in - the user is locked out. The administrator can unlock a user that is locked out from the User Management > Users page. Range: `1 - 1827`, or `never` Default: `never`
`expiration-warning-days <1-366>`	How many days before the user's password expires to start generating warnings to the user that user must change the password. A user that does not log in, does not see this warning. Range: 1 - 366 Default: 7
`force-change-when {no \| password}`	Forces a user to change password at first login, after the user's password was changed using the command "`set user <UserName> password`", or from the Gaia Portal Web interface for the Check Point Gaia operating system. User Management > Users page. Range: `no` - Disables this functionality. `password` - Forces users to change their password after their password was changed. Default: `no`
`password-expiration <1-1827 \| never>`	The number of days, for which a password is valid. After that time, the password expires. The count starts when the user changes the password. Users are required to change an expired password the next time they log in. Does not apply to SNMP users. Range: `1-1827`, or `never` Default: `never`

Note - To see when Gaia OS changed the password for a specific user, run this command in the Expert mode:

date -d @"$(dbget passwd:<username>:lastchg)"

The command "dbget passwd:<username>:lastchg" returns the time stamp in the Epoch format.
The command "date -d @<Epoch Time>" converts it to the human-readable time stamp.

Example:

[Expert@MyGaia:0] date -d @"$(dbget passwd:admin:lastchg)"

Mon May 24 15:39:46 UTC 2021

[Expert@MyGaia:0]

Denying Access to Unused Accounts

Syntax

To configure the denial of access to unused accounts based on the number of days:

set password-controls deny-on-nonuse

allowed-days <30-1827>

enable {on | off}

To show the configured denial of access to unused accounts:

show password-controls deny-on-nonuse

show password-controls all

Parameters

Parameter	Description
`deny-on-nonuse allowed-days <30-1827>`	Configures the number of days of non-use before locking out the unused account. This only takes effect, if the "`set password-controls deny-on-nonuse enable`" is set to "`on`". Range: 30 - 1827 Default: 365
`deny-on-nonuse enable {on \| off}`	Denies access to unused accounts. If there were no successful login attempts within a set time, the user is locked out and cannot log in. Range: `on`, or `off` Default: `off`

Parameter

Description

deny-on-nonuse allowed-days <30-1827>

Configures the number of days of non-use before locking out the unused account.

This only takes effect, if the "set password-controls deny-on-nonuse enable" is set to "on".

Range: 30 - 1827
Default: 365

deny-on-nonuse enable {on | off}

Denies access to unused accounts. If there were no successful login attempts within a set time, the user is locked out and cannot log in.

Range: on, or off
Default: off

Denying Access After Failed Login Attempts

Syntax

To configure the denial of access to unused accounts based on the number of failed login attempts:

set password-controls deny-on-fail

allow-after <60-604800>

block-admin {on | off}

enable {on | off}

failures-allowed <2-1000>

To show the configured denial of access to unused accounts:

show password-controls deny-on-fail

show password-controls all

Parameters

Parameter

Description

allow-after <60-604800>

Allow access again after a user was locked out (due to failed login attempts).

The user is allowed access after the configured time, if there were no login attempts during that time.

Range: 60 - 604800 seconds
Default: 1200 seconds (20 minutes)

Examples:

60 = 1 minute
300 = 5 minutes
3600 = 1 hour
86400 = 1 day
604800 = 1 week

block-admin {on | off}

This only takes effect if "set password-controls deny-on-fail enable" is set to "on".

If the configured limit of failed login attempts for the admin user is reached, the admin user is locked out (unable to log in) for a configured time.

Range: on, or off
Default: off

enable {on | off}

If the configured limit is reached, the user is locked out (unable to log in) for a configured time.

Warning - Enabling this leaves you open to a "denial of service" - if an attacker makes unsuccessful login attempts often enough, the affected user account is locked out. Consider the advantages and disadvantages of this option, in light of your security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., before enabling it.

Range: on, or off
Default: off

failures-allowed <2-1000>

This only takes effect if "set password-controls deny-on-fail enable" is set to "on".

The number of failed login attempts that a user is allowed before being locked out.

After making that many successive failed attempts, future attempts fail.

When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero,

Range: 2 - 1000
Default: 10

Configuring Hashing Algorithm

Parameters

Parameter	Description
`{SHA256 \| SHA512}`	Configures the hashing algorithm to store new passwords in the Gaia database. Range: `SHA256`, or `SHA512` Default: `SHA512`

Parameter

Description

{SHA256 | SHA512}

Configures the hashing algorithm to store new passwords in the Gaia database.

Range: SHA256, or SHA512
Default: SHA512