The passwords of the local accounts have the following attributes:
Validity time, Warning time, Minimum time, Inactivity time
During the Validity time, which applies from the last time the password was set, it is possible to log in without restriction.
During the minimum time, a non-administrator cannot change his/her own password.
During the warning time, a warning is issued that the password will soon no longer be valid. However, it is possible to log in without restrictions.
During the inactivity time, the password is no longer valid, but it is still possible to log in.
Directly after a user has logged in, a request to change the password is issued.After the inactivity time has elapsed, the account is locked. It can be opened again from an(other) administration account or, if necessary, by Customer Support.
The value -1 for the Inactivity time results in the inactivity time not elapsing.
The value 99999 for the Validity time means, in practice, that you need not change the password.
The figure below shows the relationship between these times.
On the basis of the settings for system hardening, customer accounts are created with the following default values for password administration:
Validity time of the password: 60 days
Minimum time before the password is changed again 7 days
The minimum time is irrelevant for the administrator account and is not displayed.Warning time before the password expires: 7 days
Inactivity time after the password expires: 7 days
Every administrator can change individual password administration settings of an account at any time.
A non-administrator can only change the password of his/her own account. However, this is only possible if the minimum time has elapsed.
When you log in on the web interface, the following situations can occur with regard to the password status and password administration depending on your role:
If the current account is in the warning time, this is shown by a warning icon in the title bar of the main window:
In addition, a tool tip shows the user after how many days his/her password will expire.
If an account is in the inactive time, it is still possible to log in, but a change of password is forced immediately in the login window.
If the inactivity time has elapsed, the account is locked and it is no longer possible to log in. Intervention by an(other) administrator or Customer Support is then required (see "Security-relevant actions").
At shell level, the familiar behavior on Linux systems applies when logging in:
During the warning time a warning is issued in the course of the login, e.g.:
Your password will expire in 2 days.Attention!
Thepasswdcommand must not be used at the shell level!In this situation, the user should log in on the SE Manager and change the password even before the warning time expires.
During the inactivity time a change of password is forced in the course of the login.
In this situation, the user must act as follows:
Abort the log in to the shell.
Log in on the SE Manager and change the password in the login window.
Repeat the log in to the shell.
If the inactivity time has elapsed, the account is locked and it is no longer possible to log in. The login fails without any reason being given.
Security-relevant actions
- The administrator can adjust the settings for password administration so that they comply with the security policy in the data center.
The settings can only be changed for individual accounts and not globally for all accounts on the system. - Each user is requested to maintain his/her password in accordance with the security policy in his/her data center.
- It can occur that an account is locked because the inactivity time was exceeded. In this case an(other) administrator can cancel the lock for this account for exactly one login. The Enforce password change function (see online help) is used for this purpose.
- Customer Support is always able to cancel a lock for an account.