171
To do…
Use the command…
Remarks
Display information about users
blacklisted due to authentication
failure
display password-control blacklist
[
user-name
name
|
ip
ipv4-
address
|
ipv6
ipv6-address
] [
|
{
begin
|
exclude
|
include
}
regular-expression
]
Available in any view
Delete users from the blacklist
reset password-control blacklist
[
user-name
name
]
Available in user view
Clear history password records
reset password-control history-
record
[
user-name
name
|
super
[
level
level
] ]
Available in user view
NOTE:
The
reset password-control history-record
command can delete the history password records of one or
all users even when the password history function is disabled.
Password control configuration example
Network requirements
Implementing the following global password control policy:
An FTP or VTY user failing to provide the correct password in two successive login attempts is
permanently prohibited from logging in.
A user can log in five times within 60 days after the password expires.
The password aging time is 30 days.
The minimum password update interval is 36 hours.
The maximum account idle time is 30 days.
A password cannot contain the username or the reverse of the username.
No character occurs consecutively three or more times in a password.
Implementing the following super password control policy:
A super password must contain at least three types of valid characters, five or more of each type.
Implementing the following password control policy for local Telnet user
test
:
The password must contain at least 12 characters.
The password must consist of at least two types of valid characters, five or more of each type.
The password aging time is 20 days.
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.