XOS account lockout policy setting


Hi
Can anyone tell me what the syntax is for setting an account when it is locked out so that it waits for 120 seconds then the user can re-try again to log in?

configure account tom password-policy lockout-on-login-failures on

The above command allows the user tom to lock his account after 3 failed attempts.

3 replies

Hi Shakil,
EXOS currently doesn't support an option to automatically re-enable accounts based on a timer.
The command you have described is the closest match to what you're trying to accomplish.

configure account [ all | name] password-policy lockout-on-login-failures [ on | off]

You can configure the maximum number of failed logins before a session is terminated (except via SSH).

configure cli max-failed-logins num-of-logins

To re-enable an account that has been locked out, an administrator must log in and use this command.

clear account [ all | name] lockout

If you'd like to submit a feature request to enable time-based unlock, I ask that you contact your local SE.

-Drew
Drew C. wrote:

Hi Shakil,
EXOS currently doesn't support an option to automatically re-enable accounts based on a timer.
The command you have described is the closest match to what you're trying to accomplish.

configure account [ all | name] password-policy lockout-on-login-failures [ on | off]

You can configure the maximum number of failed logins before a session is terminated (except via SSH).

configure cli max-failed-logins num-of-logins

To re-enable an account that has been locked out, an administrator must log in and use this command.

clear account [ all | name] lockout

If you'd like to submit a feature request to enable time-based unlock, I ask that you contact your local SE.

-Drew

Since this is the top result in Google, it's worth noting that time-based unlock has been available since XOS 16.1. It's configured with the lockout-time-period option to configure account, and seems to default to 5 minutes.
Drew C. wrote:

Hi Shakil,
EXOS currently doesn't support an option to automatically re-enable accounts based on a timer.
The command you have described is the closest match to what you're trying to accomplish.

configure account [ all | name] password-policy lockout-on-login-failures [ on | off]

You can configure the maximum number of failed logins before a session is terminated (except via SSH).

configure cli max-failed-logins num-of-logins

To re-enable an account that has been locked out, an administrator must log in and use this command.

clear account [ all | name] lockout

If you'd like to submit a feature request to enable time-based unlock, I ask that you contact your local SE.

-Drew

How does it work with SSH? Only 2 attempts allowed?

configure account "name" password-policy lockout-on-login-failures on
configure account "name" password-policy lockout-time-period 5

I know that this conf is about console connections. What if we need to lock out a user after "x" attempts in SSH? What is the status?
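
An added example, not part of any post in this thread and not Extreme Networks code: a Python check that reads saved configuration text and reports which expected accounts lack the lockout settings discussed above. It assumes the text contains lines in the command forms quoted in the thread and that an `all` line overrides earlier per-account lines; the sample configuration and the account names are constructed.

```python
import re

# Constructed sample, using only the command forms quoted in this thread.
SAMPLE_CONFIG = """\
configure account all password-policy lockout-on-login-failures on
configure account tom password-policy lockout-time-period 5
configure account "ops" password-policy lockout-on-login-failures on
configure account backup password-policy lockout-on-login-failures off
configure cli max-failed-logins 3
"""

ACCOUNT_RE = re.compile(
    r'^configure account\s+"?(?P<name>[^"\s]+)"?\s+password-policy\s+'
    r'(?P<key>lockout-on-login-failures|lockout-time-period)\s+(?P<value>\S+)$')
CLI_RE = re.compile(r'^configure cli max-failed-logins\s+(?P<n>\d+)$')


def parse_lockout_settings(config_text):
    """Return (per-account settings, settings applied via 'all', max-failed-logins)."""
    accounts, defaults, max_failed = {}, {}, None
    for line in map(str.strip, config_text.splitlines()):
        m = ACCOUNT_RE.match(line)
        if m and m["name"] == "all":
            # Assumption: an 'all' line overrides earlier per-account lines.
            defaults[m["key"]] = m["value"]
            for settings in accounts.values():
                settings[m["key"]] = m["value"]
        elif m:
            accounts.setdefault(m["name"], {})[m["key"]] = m["value"]
        else:
            m = CLI_RE.match(line)
            if m:
                max_failed = int(m["n"])
    return accounts, defaults, max_failed


def audit(config_text, expected_accounts):
    """Return (subject, finding) pairs for the accounts an operator expects to be protected."""
    accounts, defaults, max_failed = parse_lockout_settings(config_text)
    findings = []
    for name in expected_accounts:
        settings = {**defaults, **accounts.get(name, {})}
        if settings.get("lockout-on-login-failures") != "on":
            findings.append((name, "lockout-on-login-failures is not on"))
        elif "lockout-time-period" not in settings:
            findings.append((name, "locks out, but no explicit lockout-time-period"))
    if max_failed is None:
        findings.append(("cli", "max-failed-logins is not set explicitly"))
    return findings
```

Calling `audit(SAMPLE_CONFIG, ["tom", "ops", "backup", "admin"])` reports `ops` and `admin` as having no explicit lockout period and `backup` as having lockout switched off.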
