Deployment Guide

Specifies the maximum number of days that can elapse before a password must be changed, and is
also known as the password expiration period. MaxPasswordAge values range from 0 through 999.
The default value is zero. Setting this parameter to zero disables password expiration.
Warning
Specifies the number of days prior to password expiration that a warning about password expiration
is displayed. Warning values range from 0 through 999. The default value is 0 days.
NOTE
When MaxPasswordAge is set to a nonzero value, MinPasswordAge and Warning must be set to a
value that is less than or equal to MaxPasswordAge.
Example of password expiration policies
The following example configures a password expiration policy for the metoo user account. This user
must change the password within 90 days of setting the current password and no sooner than 10 days
after setting the current password. The user will start to receive warning messages 3 days before the
90-day limit, if the password is not already changed.
switch:admin> passwdcfg --setuser metoo -minpasswordage 10 -maxpasswordage 90 -warning 3
The following example configures a password expiration policy for all users.
switch:admin> passwdcfg --set -minpasswordage 5 -maxpasswordage 30 -warning 5
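The following is an added example, not part of the original guide: a pre-flight check that validates proposed values against the rules above, builds the passwdcfg command line, and computes the key dates for one password. The function names are hypothetical. Applying the 0 through 999 range to MinPasswordAge and counting the day the password is set as day 0 are assumptions.

```python
from datetime import date, timedelta

LIMIT = 999  # documented upper bound for MaxPasswordAge and Warning


def check_policy(min_age, max_age, warning):
    """Return a list of rule violations; an empty list means the values pass."""
    errors = []
    fields = (("MinPasswordAge", min_age),  # range for this one is an assumption
              ("MaxPasswordAge", max_age),
              ("Warning", warning))
    for name, value in fields:
        if not isinstance(value, int) or not 0 <= value <= LIMIT:
            errors.append(f"{name} must be an integer from 0 through {LIMIT}")
    if errors:
        return errors
    if max_age != 0:  # zero disables expiration, so the ordering rule is skipped
        if min_age > max_age:
            errors.append("MinPasswordAge exceeds MaxPasswordAge")
        if warning > max_age:
            errors.append("Warning exceeds MaxPasswordAge")
    return errors


def build_command(min_age, max_age, warning, user=None):
    """Build the passwdcfg line for one user, or for all users when user is None."""
    errors = check_policy(min_age, max_age, warning)
    if errors:
        raise ValueError("; ".join(errors))
    target = f"--setuser {user}" if user else "--set"
    return (f"passwdcfg {target} -minpasswordage {min_age} "
            f"-maxpasswordage {max_age} -warning {warning}")


def schedule(password_set, min_age, max_age, warning):
    """Key dates for a password set on password_set (counted as day 0)."""
    earliest = password_set + timedelta(days=min_age)
    if max_age == 0:  # expiration disabled: no warning or expiry date
        return {"earliest_change": earliest, "warning_starts": None, "expires": None}
    expires = password_set + timedelta(days=max_age)
    return {"earliest_change": earliest,
            "warning_starts": expires - timedelta(days=warning),
            "expires": expires}


if __name__ == "__main__":
    # Constructed sample: the metoo policy with a password set on 2024-01-01.
    print(build_command(10, 90, 3, user="metoo"))
    print(schedule(date(2024, 1, 1), 10, 90, 3))
```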
Account lockout policy
The account lockout policy disables a user account when that user exceeds a specified number of failed
login attempts, and is enforced across all user accounts. You can configure this policy to keep the
account locked until explicit administrative action is taken to unlock it, or the locked account can be
automatically unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all
user accounts are reset to zero when the account lockout policy is enabled. The counter for an
individual account is reset to zero when the account is unlocked after a lockout duration period expires,
or when the account user logs in successfully.
The admin account can also have the lockout policy enabled on it. The admin account lockout policy is
disabled by default and uses the same lockout threshold as the other permissions. The admin account can
be automatically unlocked after the lockout duration passes, or manually unlocked by a user account
that has securityAdmin or other admin permissions.
Virtual Fabrics considerations: The home logical fabric context is used to validate user enforcement
for the account lockout policy.
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the
account is locked. The number of failed login attempts is counted from the last successful login.
LockoutThreshold values range from 0 through 999, and the default value is 0. Setting the value to 0
disables the lockout mechanism.
LockoutDuration
Fabric OS Administrators Guide 143
53-1003130-01