Login and password parameters
-
PDF of this doc site
- Cluster administration
-
Volume administration
- Logical storage management with the CLI
-
NAS storage management
- Configure NFS with the CLI
- Manage NFS with the CLI
-
Manage SMB with the CLI
- Manage file access using SMB
- Security and data encryption
- Data protection and disaster recovery
Collection of separate PDF docs
Creating your file...
An effective security posture adheres to established organizational policies, guidelines, and any governance or standards that apply to the organization. Examples of these requirements include user name lifetime, password-length requirements, character requirements, and the storage of such accounts. The ONTAP solution provides features and functions to address these security constructs.
New local account features
To support an organization's user account policies, guidelines, or standards, including governance, the following functionality is supported in ONTAP:
-
Configuring password policies to enforce a minimum number of digits, lowercase characters, or uppercase characters
-
Requiring a delay after a failed login attempt
-
Defining the account inactive limit
-
Expiring a user account
-
Displaying a password expiration warning message
-
Notification of an invalid login
Configurable settings are managed by using the security login role config modify command. |
SHA-512 support
To enhance password security, ONTAP 9 supports the SHA-2 password hash function and defaults to using SHA-512 for hashing newly created or changed passwords. Operators and administrators can also expire or lock accounts as needed.
Pre-existing ONTAP 9 user accounts with unchanged passwords continue to use the MD5 hash function after the upgrade to ONTAP 9.0 or later. However, NetApp strongly recommends that these user accounts migrate to the more secure SHA-512 solution by having users change their passwords.
The password hash functionality enables you to perform the following tasks:
-
Display user accounts that match the specified hash function:
cluster1::*> security login show -user-or-group-name NewAdmin -fields hash-function vserver user-or-group-name application authentication-method hash-function -------- ------------------ ----------- --------------------- ------------- cluster1 NewAdmin console password sha512 cluster1 NewAdmin ontapi password sha512 cluster1 NewAdmin ssh password sha512
-
Expire accounts that use a specified hash function (for example, MD5), which forces users to change their passwords at the next login:
cluster1::*> security login expire-password -vserver * -username * -hash-function md5
-
Lock accounts with passwords that use the specified hash function.
cluster1::*> security login lock -vserver * -username * -hash-function md5
The password hash function is unknown for the internal
autosupport
user in your cluster's administrative SVM. This issue is cosmetic. The hash function is unknown because this internal user does not have a configured password by default.-
To view the password hash function for the
autosupport
user, run the following commands:::> set advanced ::> security login show -user-or-group-name autosupport -instance Vserver: cluster1 User Name or Group Name: autosupport Application: console Authentication Method: password Remote Switch IP Address: - Role Name: autosupport Account Locked: no Comment Text: - Whether Ns-switch Group: no Password Hash Function: unknown Second Authentication Method2: none
-
To set the password hash function (default: sha512), run the following command:
::> security login password -username autosupport
It does not matter what the password is set to.
security login show -user-or-group-name autosupport -instance Vserver: cluster1 User Name or Group Name: autosupport Application: console Authentication Method: password Remote Switch IP Address: - Role Name: autosupport Account Locked: no Comment Text: - Whether Ns-switch Group: no Password Hash Function: sha512 Second Authentication Method2: none
-
Password parameters
The ONTAP solution supports password parameters that address and support organizational policy requirements and guidelines.
Attribute | Description | Default | Range |
---|---|---|---|
|
Minimum user name length required |
3 |
3-16 |
|
User name alphanumeric |
disabled |
Enabled/disabled |
|
Minimum password length required |
8 |
3-64 |
|
Password alphanumeric |
enabled |
Enabled/disabled |
|
Minimum number of special characters required in the password |
0 |
0-64 |
|
Password expiration time (in days) |
Unlimited, which means the passwords never expire |
0-unlimited 0 == expire now |
|
Require initial password update on first login |
Disabled |
Enabled/disabled Changes allowed through console or SSH |
|
Maximum number of failed attempts |
0, do not lock account |
- |
|
Maximum lockout period (in days) |
The default is 0, which means the account is locked for one day |
- |
|
Disallow last N passwords |
6 |
Minimum is 6 |
|
Delay between password changes (in days) |
0 |
- |
|
Delay after each failed login attempt (in seconds) |
4 |
- |
|
Minimum number of lowercase alphabetic characters required in the password |
0, which requires no lowercase characters |
0-64 |
|
Minimum number of uppercase alphabetic characters required |
0, which requires no uppercase characters |
0-64 |
|
Minimum number of digits required in the password |
0, which requires no digits |
0-64 |
|
Display warning message before password expiration (in days) |
Unlimited, which means never warn about password expiration |
0, which means warn user about password expiration upon every successful login |
|
Account expires in N days |
Unlimited, which means the accounts never expire |
The account expiration time must be greater than the account inactive limit |
|
Maximum duration of inactivity before account expiration (in days) |
Unlimited, which means the inactive accounts never expire |
The account inactive limit must be less than the account expiration time |
cluster1::*> security login role config show -vserver cluster1 -role admin Vserver: cluster1 Role Name: admin Minimum Username Length Required: 3 Username Alpha-Numeric: disabled Minimum Password Length Required: 8 Password Alpha-Numeric: enabled Minimum Number of Special Characters Required in the Password: 0 Password Expires In (Days): unlimited Require Initial Password Update on First Login: disabled Maximum Number of Failed Attempts: 0 Maximum Lockout Period (Days): 0 Disallow Last 'N' Passwords: 6 Delay Between Password Changes (Days): 0 Delay after Each Failed Login Attempt (Secs): 4 Minimum Number of Lowercase Alphabetic Characters Required in the Password: 0 Minimum Number of Uppercase Alphabetic Characters Required in the Password: 0 Minimum Number of Digits Required in the Password: 0 Display Warning Message Days Prior to Password Expiry (Days): unlimited Account Expires in (Days): unlimited Maximum Duration of Inactivity before Account Expiration (Days): unlimited
Beginning in 9.14.1, there are increased complexity and lockout rules for passwords. This applies only to new installs of ONTAP. |