Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index
Configuration
Safeguard Administrator’s Manual—523317-013
9-5
Configuring Password Control
AUTHENTICATE-FAIL-TIMEOUT
The specified timeout for a user ID if AUTHENTICATE-MAXIMUM-ATTEMPTS is
exceeded. The default is 60 seconds. The command interpreter process at the
terminal remains locked for the duration of the timeout period.
AUTHENTICATE-FAIL-FREEZE
Freezes the user ID if AUTHENTICATE-MAXIMUM-ATTEMPTS is exceeded. (The
user ID can be thawed with the THAW USER command.) The initial value is OFF.
To change any of these values, issue the ALTER SAFEGUARD command from
SAFECOM. For example, to allow a maximum of five failed logon attempts for a single
user ID:
=ALTER SAFEGUARD, AUTHENTICATE-MAXIMUM-ATTEMPTS 5
To freeze the user ID if this value is exceeded:
=ALTER SAFEGUARD, AUTHENTICATE-FAIL-FREEZE ON
You can change more than one attribute with a single command. For example, to
change the maximum number of failed logon attempts to six and the timeout period to
five minutes:
=ALTER SAFEGUARD, AUTHENTICATE-MAXIMUM-ATTEMPTS 6, &
=AUTHENTICATE-FAIL-TIMEOUT 5 MINUTES
Configuring Password Control
The Safeguard software provides systemwide control over the use of passwords. For
example, you can require a minimum length for all passwords and not allow anyone to
reuse recent passwords.
These Safeguard attributes relate to password control:
PASSWORD-COMPATIBILITY-MODE
Specifies that only first eight characters of the password will be considered during
password change. This attribute can take effect only when
PASSWORD-ENCRYPT is ON and PASSWORD-ALGORITHM is HMAC256. The
initial value is ON.
Caution. Because the command interpreter process at the terminal remains locked for the
duration of the AUTHENTICATE-FAIL-TIMEOUT period, avoid specifying an unreasonably long
period. The terminal is effectively not usable during this period. The only recovery is to start a
new process at the terminal.
Caution. If you set AUTHENTICATE-FAIL-FREEZE ON, a user can freeze the user IDs of
others by attempting to log on with those others’ user names or user IDs.
Note. This attribute is supported only on systems running H06.08 and later H-series RVUs.