HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 78
The following commands manage the account lockout policy.

• userConfig --change account_name -u
• passwdCfg --disableadminlockout

Note that the account-locked state is distinct from the account-disabled state.

Use the following attributes to set the account lockout policy:

• LockoutThreshold
  Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables the lockout mechanism.

• LockoutDuration
  Specifies the time, in minutes, after which a previously locked account is automatically unlocked. LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0 disables lockout duration, so a user must seek administrative action to unlock the account. The lockout duration begins with the first login attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do not extend the lockout period.

Enabling the admin lockout policy

1. Log in to the switch using an account that has the Admin role or securityAdmin role.
2. Enter the following command:
   passwdCfg --enableadminlockout

The policy is now enabled.

Unlocking an account

1. Log in to the switch using an account that has the Admin role or securityAdmin role.
2. Enter the following command:
   userConfig --change account_name -u
   where account_name is the name of the user account that is locked out.

The account is now unlocked.

Disabling the admin lockout policy

1. Log in to the switch using an account that has the Admin role or securityAdmin role.
2. Enter the following command:
   passwdCfg --disableadminlockout

The policy is now disabled.

Denial of service implications

The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent them from being locked out by a denial of service attack. However, these privileged accounts may then become the target of password guessing attacks. Examine the audit logs to determine whether such attacks are being attempted.

The boot PROM password

The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
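
For the audit-log review recommended under "Denial of service implications", the following is an added example, not part of the HP guide or of Fabric OS: it flags bursts of failed logins against lockout-exempt accounts, counting failures from the last successful login as LockoutThreshold does. The record layout, the event names LOGIN_OK and LOGIN_FAIL, and the account names privuser and operator1 are assumptions made for illustration.

```python
"""Flag password guessing against lockout-exempt accounts (added example).
The record layout is constructed for illustration; it is NOT the Fabric OS
audit log format. Adapt parse_event() to the real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; "privuser" is a hypothetical exempt account.
SAMPLE_LOG = """\
2009-03-02T10:00:00 LOGIN_OK user=privuser src=192.0.2.10
2009-03-02T10:05:00 LOGIN_FAIL user=privuser src=198.51.100.7
2009-03-02T10:05:20 LOGIN_FAIL user=privuser src=198.51.100.7
2009-03-02T10:05:40 LOGIN_FAIL user=privuser src=198.51.100.8
2009-03-02T10:06:00 LOGIN_FAIL user=privuser src=198.51.100.7
2009-03-02T10:06:10 LOGIN_FAIL user=operator1 src=198.51.100.7
2009-03-02T11:30:00 LOGIN_FAIL user=privuser src=192.0.2.10
2009-03-02T11:30:30 LOGIN_OK user=privuser src=192.0.2.10
"""

def parse_event(line):
    """Split one constructed record into (time, event, user, source)."""
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.partition("=")[2], src.partition("=")[2])

def find_guessing(log_text, exempt_accounts, threshold, window_minutes):
    """Alert when an exempt account collects `threshold` failed logins inside
    the window, counting only failures since its last successful login."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)  # user -> [(time, src)] since last success
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, user, src = parse_event(line)
        if user not in exempt_accounts:
            continue  # other accounts are covered by the lockout itself
        if event == "LOGIN_OK":
            failures[user].clear()  # same reset point as the lockout counter
        elif event == "LOGIN_FAIL":
            recent = [f for f in failures[user] if ts - f[0] <= window]
            recent.append((ts, src))
            failures[user] = recent
            if len(recent) == threshold:  # fire once, when the line is crossed
                alerts.append({"user": user, "first": recent[0][0], "last": ts,
                               "sources": sorted({s for _, s in recent})})
    return alerts

if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOG, {"privuser"}, 3, 10):
        print(alert)
```

Setting the alert threshold to the LockoutThreshold used for ordinary accounts gives exempt accounts an alert at the point where other accounts would have been locked.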