password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The global login-attempt settings:
The maximum number of consecutive login failures is 3.
The locking period is 1 minute.
The login-attempt settings for a user group equal the global settings.
The login-attempt settings for a local user equal those for the user group to which the local user belongs.
Views
System view
User group view
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10.
exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts.
lock: Disables the user account permanently.
lock-time time: Disables the user account for a period of time. The user can use this user account again when the timer expires. The value range for the time argument is 1 to 360 minutes.
unlock: Allows the user to continue using this account to perform login attempts.
Usage guidelines
The login-attempt policy depends on the view:
The policy in system view has global significance and applies to all user groups.
The policy in user group view applies to all local users in the user group.
The policy in local user view applies only to the local user.
A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.
If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
If no policy is configured for the user group, the system uses the global policy.
If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.
Whether a blacklisted user and user account are locked depends on the locking setting:
If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.
To use a temporarily locked user account, the user can perform either of the following tasks:
Wait until the locking timer expires.
Remove the user account from the password control blacklist.
If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.
NOTE: This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.
The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.
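The following Python model is an added example, not Comware code: it shows how the effective login-attempt policy is resolved (local user, then user group, then global), how the password control blacklist is keyed on the pair of user account and source IP address, and what the lock, lock-time and unlock actions do to a blacklist entry over time. The class and method names are hypothetical, and the assumption that the default action is a 1-minute temporary lock follows from the Default section above.

```python
"""Model of the password-control login-attempt policy (added example, not device code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LoginAttemptPolicy:
    """One password-control login-attempt setting, with the page's value ranges."""
    login_times: int            # maximum consecutive failures, 2 to 10
    exceed: str = "lock-time"   # "lock", "lock-time" or "unlock"
    lock_minutes: int = 1       # used only when exceed == "lock-time", 1 to 360

    def __post_init__(self) -> None:
        if not 2 <= self.login_times <= 10:
            raise ValueError("login-times must be 2 to 10")
        if self.exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError("exceed must be lock, lock-time or unlock")
        if self.exceed == "lock-time" and not 1 <= self.lock_minutes <= 360:
            raise ValueError("lock-time must be 1 to 360 minutes")


# Page default: 3 consecutive failures and a 1-minute locking period. Treating
# the default action as the temporary lock is an assumption of this example.
DEFAULT_POLICY = LoginAttemptPolicy(login_times=3, exceed="lock-time", lock_minutes=1)


@dataclass
class BlacklistEntry:
    failures: int = 0
    lock_flag: str = "unlock"            # "lock" or "unlock", as in the display output
    unlock_at: Optional[float] = None    # seconds; None with lock_flag "lock" = permanent


class PasswordControl:
    """Hypothetical model of the login attempt limit and the password control blacklist."""

    def __init__(self) -> None:
        self.global_policy = DEFAULT_POLICY
        self.group_policies: Dict[str, LoginAttemptPolicy] = {}
        self.user_policies: Dict[str, LoginAttemptPolicy] = {}
        self.user_group: Dict[str, str] = {}                          # local user -> group
        self.blacklist: Dict[Tuple[str, str], BlacklistEntry] = {}    # (user, IP) -> entry

    def effective_policy(self, username: str) -> LoginAttemptPolicy:
        """Smaller application scope wins: local user, then user group, then global."""
        if username in self.user_policies:
            return self.user_policies[username]
        group = self.user_group.get(username)
        if group is not None and group in self.group_policies:
            return self.group_policies[group]
        return self.global_policy

    def reset_blacklist(self, username: Optional[str] = None) -> None:
        """Model of reset password-control blacklist; optionally limited to one account."""
        for key in list(self.blacklist):
            if username is None or key[0] == username:
                del self.blacklist[key]

    def login(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now` (seconds) and return the outcome."""
        key = (username, ip)
        entry = self.blacklist.get(key)
        if entry is not None and entry.lock_flag == "lock":
            if entry.unlock_at is None:
                return "denied: account permanently locked for this user"
            if now < entry.unlock_at:
                return "denied: account temporarily locked for this user"
            del self.blacklist[key]      # locking timer expired: entry leaves the blacklist
            entry = None
        if password_ok:
            self.blacklist.pop(key, None)  # a blacklisted but unlocked entry is cleared
            return "accepted"
        if entry is None:
            entry = self.blacklist[key] = BlacklistEntry()
        entry.failures += 1
        policy = self.effective_policy(username)   # read at every failure, so a newly
        if entry.failures >= policy.login_times:   # configured policy applies at once
            if policy.exceed == "lock":
                entry.lock_flag, entry.unlock_at = "lock", None
            elif policy.exceed == "lock-time":
                entry.lock_flag = "lock"
                entry.unlock_at = now + policy.lock_minutes * 60
            else:
                entry.lock_flag = "unlock"
        return "rejected: wrong password"
```

Because the blacklist key is the (account, IP address) pair, a lock for user test from 192.168.44.1 leaves the same account usable from another address, which is the behaviour the NOTE above describes; a lock-time entry is dropped from the blacklist on the first attempt after its timer expires.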
Examples
# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
# Use the user account test to log in to the device, and enter an incorrect password four times.
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Blacklist items matched: 1.
# Verify that the user at 192.168.44.1 cannot use this user account to log in.
# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
# Use the user account test to log in to the device, and enter an incorrect password twice.
# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.
[Sysname] display password-control blacklist
Username: test IP: 192.168.44.1 Login failures: 2 Lock flag: lock
Blacklist items matched: 1.
# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.
Related commands
display local-user
display password-control
display password-control blacklist
display user-group
reset password-control blacklist