Skip to main content

Login and password parameters

Contributors netapp-dbagwell
PDFs

An effective security posture adheres to established organizational policies, guidelines, and any governance or standards that apply to the organization. Examples of these requirements include user name lifetime, password-length requirements, character requirements, and the storage of such accounts. The ONTAP solution provides features and functions to address these security constructs.

New local account features

To support an organization's user account policies, guidelines, or standards, including governance, the following functionality is supported in ONTAP:

  • Configuring password policies to enforce a minimum number of digits, lowercase characters, or uppercase characters

  • Requiring a delay after a failed login attempt

  • Defining the account inactive limit

  • Expiring a user account

  • Displaying a password expiration warning message

  • Notification of an invalid login

Note Configurable settings are managed by using the security login role config modify command.

SHA-512 support

To enhance password security, ONTAP 9 supports the SHA-2 password hash function and defaults to using SHA-512 for hashing newly created or changed passwords. Operators and administrators can also expire or lock accounts as needed.

Pre-existing ONTAP 9 user accounts with unchanged passwords continue to use the MD5 hash function after the upgrade to ONTAP 9.0 or later. However, NetApp strongly recommends that these user accounts migrate to the more secure SHA-512 solution by having users change their passwords.

The password hash functionality enables you to perform the following tasks:

  • Display user accounts that match the specified hash function:

    cluster1::*> security login show -user-or-group-name NewAdmin -fields  hash-function
vserver  user-or-group-name application authentication-method hash-function
-------- ------------------ ----------- --------------------- -------------
cluster1 NewAdmin           console     password              sha512
cluster1 NewAdmin           ontapi      password              sha512
cluster1 NewAdmin           ssh         password              sha512

  • Expire accounts that use a specified hash function (for example, MD5), which forces users to change their passwords at the next login:

    cluster1::*> security login expire-password -vserver * -username * -hash-function md5

  • Lock accounts with passwords that use the specified hash function.

    cluster1::*> security login lock -vserver * -username * -hash-function md5

    The password hash function is unknown for the internal autosupport user in your cluster's administrative SVM. This issue is cosmetic. The hash function is unknown because this internal user does not have a configured password by default.

    • To view the password hash function for the autosupport user, run the following commands:

      ::> set advanced
::> security login show -user-or-group-name autosupport -instance

                      Vserver: cluster1
      User Name or Group Name: autosupport
                  Application: console
        Authentication Method: password
     Remote Switch IP Address: -
                    Role Name: autosupport
               Account Locked: no
                 Comment Text: -
      Whether Ns-switch Group: no
       Password Hash Function: unknown
Second Authentication Method2: none

    • To set the password hash function (default: sha512), run the following command:

      ::> security login password -username autosupport

      It does not matter what the password is set to.

      security login show -user-or-group-name autosupport -instance

                      Vserver: cluster1
      User Name or Group Name: autosupport
                  Application: console
        Authentication Method: password
     Remote Switch IP Address: -
                    Role Name: autosupport
               Account Locked: no
                 Comment Text: -
      Whether Ns-switch Group: no
       Password Hash Function: sha512
Second Authentication Method2: none

Password parameters

The ONTAP solution supports password parameters that address and support organizational policy requirements and guidelines.

Table 1. Restrictions for management utility user accounts
Attribute Description Default Range

username-minlength

Minimum user name length required

3

3-16

username-alphanum

User name alphanumeric

disabled

Enabled/disabled

passwd-minlength

Minimum password length required

8

3-64

passwd-alphanum

Password alphanumeric

enabled

Enabled/disabled

passwd-min-special-chars

Minimum number of special characters required in the password

0

0-64

passwd-expiry-time

Password expiration time (in days)

Unlimited, which means the passwords never expire

0-unlimited

0 == expire now

require-initial-passwd-update

Require initial password update on first login

Disabled

Enabled/disabled

Changes allowed through console or SSH

max-failed-login-attempts

Maximum number of failed attempts

0, do not lock account

-

lockout-duration

Maximum lockout period (in days)

The default is 0, which means the account is locked for one day

-

disallowed-reuse

Disallow last N passwords

6

Minimum is 6

change-delay

Delay between password changes (in days)

0

-

delay-after-failed-login

Delay after each failed login attempt (in seconds)

4

-

passwd-min-lowercase-chars

Minimum number of lowercase alphabetic characters required in the password

0, which requires no lowercase characters

0-64

passwd-min-uppercase-chars

Minimum number of uppercase alphabetic characters required

0, which requires no uppercase characters

0-64

passwd-min-digits

Minimum number of digits required in the password

0, which requires no digits

0-64

passwd-expiry-warn-time

Display warning message before password expiration (in days)

Unlimited, which means never warn about password expiration

0, which means warn user about password expiration upon every successful login

account-expiry-time

Account expires in N days

Unlimited, which means the accounts never expire

The account expiration time must be greater than the account inactive limit

account-inactive-limit

Maximum duration of inactivity before account expiration (in days)

Unlimited, which means the inactive accounts never expire

The account inactive limit must be less than the account expiration time
Example
cluster1::*> security login role config show -vserver cluster1 -role admin

                                          Vserver: cluster1
                                        Role Name: admin
                 Minimum Username Length Required: 3
                           Username Alpha-Numeric: disabled
                 Minimum Password Length Required: 8
                           Password Alpha-Numeric: enabled
Minimum Number of Special Characters Required in the Password: 0
                       Password Expires In (Days): unlimited
   Require Initial Password Update on First Login: disabled
                Maximum Number of Failed Attempts: 0
                    Maximum Lockout Period (Days): 0
                      Disallow Last 'N' Passwords: 6
            Delay Between Password Changes (Days): 0
     Delay after Each Failed Login Attempt (Secs): 4
Minimum Number of Lowercase Alphabetic Characters Required in the Password: 0
Minimum Number of Uppercase Alphabetic Characters Required in the Password: 0
Minimum Number of Digits Required in the Password: 0
Display Warning Message Days Prior to Password Expiry (Days): unlimited
                        Account Expires in (Days): unlimited
Maximum Duration of Inactivity before Account Expiration (Days): unlimited
Note Beginning in 9.14.1, there are increased complexity and lockout rules for passwords. This applies only to new installs of ONTAP.