exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging
in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period
of time before trying again. The time argument is in the range of 1 to 360 minutes.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log
in.
Usage guidelines
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password
control blacklist. If a user fails to provide the correct password after the specified number of consecutive
attempts, the system takes one of the following actions:
• If prohibited permanently, a user can log in only after you remove the user from the password
control blacklist by using the reset password-control blacklist command.
• If prohibited temporarily, a user can log in again after the lock time elapses or you remove the user
from the password control blacklist by using the reset password-control blacklist command.
• If not prohibited from logging in, a user can continue trying to log in and is removed from the
password control blacklist after logging in successfully or after the blacklist aging time (1 minute) elapses.
The password-control login-attempt command takes effect immediately after it is executed, and can
therefore affect users who are already in the password control blacklist.
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the
user fails to log in after four attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user fails to log in after four attempts, the user appears in the password control blacklist, with
the status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Blacklist items matched: 1.
The user can no longer log in.
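The following script is an added example, not part of the original manual. It parses saved output of display password-control blacklist to list locked accounts and to total failures per source IP. It assumes the output layout shown above; the SAMPLE entries other than user test are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown for "display password-control blacklist".
# Only the "test" entry comes from the page; the other two are invented.
SAMPLE = """\
Username: test
IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Username: admin
IP: 192.168.44.1 Login failures: 2 Lock flag: unlock
Username: ops
IP: 192.168.44.7 Login failures: 1 Lock flag: unlock
Blacklist items matched: 3.
"""

ENTRY = re.compile(
    r"Username:\s*(?P<user>\S+)\s+"
    r"IP:\s*(?P<ip>\S+)\s+"
    r"Login failures:\s*(?P<failures>\d+)\s+"
    r"Lock flag:\s*(?P<flag>lock|unlock)"
)
TOTAL = re.compile(r"Blacklist items matched:\s*(\d+)")


def parse_blacklist(text):
    """Return one dict per blacklist entry; raise if the count line disagrees."""
    entries = [
        {"user": m["user"], "ip": m["ip"],
         "failures": int(m["failures"]), "locked": m["flag"] == "lock"}
        for m in ENTRY.finditer(text)
    ]
    total = TOTAL.search(text)
    if total and int(total.group(1)) != len(entries):
        # Truncated capture or a layout this parser does not understand.
        raise ValueError("parsed %d entries, device reported %s"
                         % (len(entries), total.group(1)))
    return entries


def summarize(entries):
    """Locked usernames, plus per-source totals to spot one IP failing as many users."""
    locked = [e["user"] for e in entries if e["locked"]]
    by_ip = defaultdict(lambda: {"users": set(), "failures": 0})
    for e in entries:
        by_ip[e["ip"]]["users"].add(e["user"])
        by_ip[e["ip"]]["failures"] += e["failures"]
    return locked, dict(by_ip)
```

Accounts returned in the locked list stay locked under exceed lock until they are removed with reset password-control blacklist.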
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes
if the user fails to log in after two attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user fails to log in after two attempts, the user appears in the password control blacklist, with
the status changed from unlock to lock:
[Sysname] display password-control blacklist