Enabling the admin lockout policy, Unlocking an account, Disabling the admin lockout policy – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 144: Denial of service implications, The boot prom password
Specifies the time, in minutes, after which a previously locked account is automatically unlocked.
LockoutDuration values range from 0 through 99999, and the default value is 30. Setting the value
to 0 disables lockout duration, and requires a user to seek administrative action to unlock the
account. The lockout duration begins with the first login attempt after the LockoutThreshold has
been reached. Subsequent failed login attempts do not extend the lockout period.
Enabling the admin lockout policy
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --enableadminlockout command.
Unlocking an account
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the userConfig --change account_name -u command, specifying the -u option to unlock the
account.
Disabling the admin lockout policy
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --disableadminlockout command.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition when a user
repeatedly attempts to log in to an account by using an incorrect password. Selected privileged
accounts are exempted from the account lockout policy so that they cannot be locked out by a
denial of service attack. However, these privileged accounts may then become the target of
password-guessing attacks. Examine the audit logs to determine whether such attacks are being
attempted.
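One way to carry out the audit-log check described above, shown as an added example that is not part of the Brocade manual. The log line format, the account name svc_exempt, the addresses, and the threshold and window values are all constructed assumptions; adapt the parsing to the audit records your switch actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified format (an assumption, not the
# switch's real audit log layout): "<ISO time> <account> <source> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 opsuser 10.0.0.5 failed
2024-05-01T10:00:05 svc_exempt 192.0.2.10 failed
2024-05-01T10:00:09 svc_exempt 192.0.2.10 failed
2024-05-01T10:00:14 svc_exempt 192.0.2.11 failed
2024-05-01T10:00:20 svc_exempt 192.0.2.10 failed
2024-05-01T10:00:26 svc_exempt 192.0.2.10 failed
2024-05-01T10:00:31 svc_exempt 192.0.2.10 success
2024-05-01T11:30:00 svc_exempt 10.0.0.7 failed
2024-05-01T11:30:40 svc_exempt 10.0.0.7 success
"""

def find_guessing(log_text, exempt_accounts, threshold=5,
                  window=timedelta(minutes=10)):
    """Flag lockout-exempt accounts with >= threshold failures inside window."""
    recent = defaultdict(deque)   # account -> (time, source) of recent failures
    open_alert = {}               # account -> alert dict for the live burst
    alerts = []
    for line in log_text.splitlines():
        stamp, account, source, result = line.split()
        when = datetime.fromisoformat(stamp)
        if account not in exempt_accounts:
            continue              # the lockout policy already throttles these
        fails = recent[account]
        while fails and when - fails[0][0] > window:
            fails.popleft()       # expire failures older than the window
        if not fails:
            open_alert.pop(account, None)   # earlier burst has aged out
        if result == "failed":
            fails.append((when, source))
            if len(fails) >= threshold:
                alert = open_alert.get(account)
                if alert is None:
                    alert = {"account": account, "success_after": False}
                    open_alert[account] = alert
                    alerts.append(alert)
                alert["failures"] = len(fails)
                alert["sources"] = sorted({s for _, s in fails})
        elif result == "success" and account in open_alert:
            # A success right after a burst may mean the password was guessed.
            open_alert[account]["success_after"] = True
    return alerts
```

An alert with success_after set to True deserves the first look, because the exempt account never locks and a login that follows a failure burst may be a guessed password.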
The boot PROM password
The boot PROM password provides an additional layer of security by protecting the boot PROM from
unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost
boot PROM password by contacting your switch service provider. Without the recovery string, a lost
boot PROM password cannot be recovered.
Although you can set the boot PROM password without also setting the recovery string, it is strongly
recommended that you set both the password and the recovery string. If your site procedures dictate
that you set the boot PROM password without the recovery string, refer to
password for a switch without a recovery string on page 146.
To set the boot PROM password with or without a recovery string, refer to the section that applies to
your switch or Backbone model.
Fabric OS Administrators Guide
53-1003130-01