
Password encryption policy, Account lockout policy – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Page 266


TABLE 45 Password policy parameters (Continued)

Parameter: max-retry

Description: Specifies the number of failed password logins permitted before a user is locked out. The lockout threshold can range from 0 through 16. The default value is 0. When a password fails more than one of the strength attributes, an error is reported for only one of the attributes at a time.

NOTE
Passwords can have a maximum of 40 characters.

Password encryption policy

Network OS supports encrypting the passwords of all existing user accounts by enabling password
encryption at the switch level. By default, the encryption service is disabled and passwords are stored
in clear text. Use the service password-encryption command to enable password encryption and the
no service password-encryption command to disable it. The following rules apply to password encryption:

• When you enable password encryption, all existing clear-text passwords will be encrypted, and any
passwords that are added subsequently in clear text are stored in encrypted format.

In the following example, the testuser account password is created in clear text after password
encryption has been enabled. The global encryption policy overrides command-level encryption
settings, so the password is stored as encrypted.

switch(config)# service password-encryption

switch(config)# do show running-config service password-encryption

service password-encryption

switch(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere

switch(config)# do show running-config username

username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role admin desc Administrator

username testuser password "cONW1RQ0nTV9Az42/9uCQg==\n" encryption-level 7 role testrole desc "Test User"

username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role user desc User

• When you disable the password encryption service, any new passwords added in clear text will be

stored as clear text on the switch. Existing encrypted passwords remain encrypted.

In the following example, the testuser account password is stored in clear text after password
encryption has been disabled. The default accounts, "user" and "admin", remain encrypted.

switch(config)# no service password-encryption

switch(config)# do show running-config service password-encryption

no service password-encryption

switch(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere enable true

switch(config)# do show running-config username

username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role admin desc Administrator

username testuser password hellothere encryption-level 0 role testrole desc "Test User"

username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role user desc User
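The two sessions above show the only reliable way to know whether an account's password sits in clear text on the switch: read the running-config and look at each account's encryption-level, because the global service setting alone does not tell you what happened to passwords added while it was disabled. The following audit script is an added example, not part of the guide or of Network OS; it parses constructed text shaped like the show running-config username output shown above (the regular expression USERNAME_RE, the UserEntry record and the function names are all assumptions made here) and flags any account whose password is stored at encryption-level 0.

```python
"""Audit Network OS running-config text for clear-text account passwords.

Added example (not Brocade's code). The regex and the record type are
assumptions modelled on the 'show running-config username' lines in the
guide; the SAMPLE_* strings are constructed, not captures from a switch.
"""
import re
from typing import Dict, List, NamedTuple


class UserEntry(NamedTuple):
    name: str
    encryption_level: int  # 0 = clear text, 7 = encrypted (per the guide)
    role: str


# Accepts both "encryption-level" and the "encryptionlevel" spelling that
# appears in the guide's output; the password is either a quoted blob or
# a bare clear-text token.
USERNAME_RE = re.compile(
    r'^username\s+(?P<name>\S+)\s+password\s+(?P<pw>"[^"]*"|\S+)\s+'
    r'encryption-?level\s+(?P<level>\d+)\s+role\s+(?P<role>\S+)'
)


def parse_users(config: str) -> List[UserEntry]:
    """Return one UserEntry per 'username ...' line in the config text."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users.append(UserEntry(m["name"], int(m["level"]), m["role"]))
    return users


def encryption_service_enabled(config: str) -> bool:
    """True only if the running-config carries 'service password-encryption'
    without the 'no' prefix. The guide states the service is disabled by
    default, so an absent line is treated as disabled."""
    for line in config.splitlines():
        s = line.strip()
        if s == "service password-encryption":
            return True
        if s == "no service password-encryption":
            return False
    return False


def audit(config: str) -> Dict[str, object]:
    """Summarise the password-storage posture of every account."""
    users = parse_users(config)
    cleartext = [u.name for u in users if u.encryption_level == 0]
    findings = []
    if not encryption_service_enabled(config):
        findings.append("password encryption service is disabled; new "
                        "clear-text passwords will be stored as clear text")
    for name in cleartext:
        findings.append(f"account '{name}' has a clear-text password "
                        f"(encryption-level 0)")
    return {
        "service_enabled": encryption_service_enabled(config),
        "cleartext_accounts": cleartext,
        "findings": findings,
    }


# Constructed sample: mirrors the second session in the guide (service
# disabled, testuser added in clear text). Raw string keeps the literal \n.
SAMPLE_DISABLED = r'''
no service password-encryption
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role user desc User
'''

# Constructed sample: mirrors the first session (service enabled, so the
# clear-text command still produced an encrypted stored password).
SAMPLE_ENABLED = r'''
service password-encryption
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role admin desc Administrator
username testuser password "cONW1RQ0nTV9Az42/9uCQg==\n" encryption-level 7 role testrole desc "Test User"
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryptionlevel 7 role user desc User
'''

if __name__ == "__main__":
    for label, cfg in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(label, audit(cfg))
```

Run against a real switch, feed the script the text of show running-config (the service line and the username lines together); an empty findings list means the service is on and no account is stored at encryption-level 0. Note that re-enabling the service is what converts existing clear-text entries, so a disabled service with zero clear-text accounts is still worth a finding, which is why the script reports the service state on its own.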

Account lockout policy

The account lockout policy disables a user account when the user exceeds a configurable number of
failed login attempts. A user whose account has been locked cannot log in. SSH login attempts that
use locked user credentials are denied without the user being notified of the reason for denial.


Network OS Administrator’s Guide

53-1003225-04