• If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
• If no policy is configured for the user group, the system uses the global policy.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password
control blacklist. If a user fails to provide the correct password after the specified number of consecutive
attempts, the system takes one of the following actions:
• If prohibited permanently, the user can log in only after you remove the username from the password control blacklist by using the reset password-control blacklist command.
• If prohibited temporarily, the user can log in again after the lock time elapses or after you remove the username from the password control blacklist by using the reset password-control blacklist command.
• If not prohibited from logging in, the username is removed from the password control blacklist when the user logs in to the system successfully.
The password-control login-attempt command takes effect immediately after it is executed, and can affect
users already in the password control blacklist.
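An added example, not part of this command reference: a Python sketch that parses saved display password-control blacklist output to list locked usernames and to flag source IPs that failed against more than one username. The sample text is constructed from the fields this command displays (Username, IP, Login failures, Lock flag); the function names and the threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample of `display password-control blacklist` output (not captured from a device).
SAMPLE = """\
 Username: test
    IP: 192.168.44.1          Login failures: 4          Lock flag: lock
 Username: admin
    IP: 192.168.44.1          Login failures: 1          Lock flag: unlock
 Username: ops
    IP: 192.168.44.7          Login failures: 2          Lock flag: lock
 Blacklist items matched: 3.
"""

# Matching "Key: value" pairs keeps the parser independent of column spacing and line wrapping.
FIELD = re.compile(r"(Username|IP|Login failures|Lock flag|Blacklist items matched):\s*(\S+)")

def parse_blacklist(text):
    """Return (entries, reported_count); each entry is a dict for one blacklist item."""
    entries, reported = [], None
    for key, value in FIELD.findall(text):
        if key == "Username":
            entries.append({"username": value})      # a Username field starts a new item
        elif key == "Blacklist items matched":
            reported = int(value.rstrip("."))        # trailing summary line
        elif entries:
            entries[-1][key.lower().replace(" ", "_")] = value
    for e in entries:
        e["login_failures"] = int(e.get("login_failures", 0))
    return entries, reported

def review(text, multi_user_threshold=2):
    """Summarise locked accounts and source IPs failing against several usernames."""
    entries, reported = parse_blacklist(text)
    by_ip = defaultdict(set)
    for e in entries:
        by_ip[e.get("ip", "unknown")].add(e["username"])
    return {
        "locked": sorted(e["username"] for e in entries if e.get("lock_flag") == "lock"),
        "multi_user_sources": {ip: sorted(u) for ip, u in by_ip.items()
                               if len(u) >= multi_user_threshold},
        # True when the device's own count disagrees with what was parsed (cut-off capture).
        "truncated": reported is not None and reported != len(entries),
    }

if __name__ == "__main__":
    print(review(SAMPLE))
```

A permanently locked name stays in the locked list until it is cleared with reset password-control blacklist, so the same entry appearing across successive captures is expected in that mode.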
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the
user fails to log in after four attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user fails to log in after four attempts, you can find it in the password control blacklist, with its
status changed from unlock to lock:
[Sysname] display password-control blacklist
 Username: test
    IP: 192.168.44.1          Login failures: 4          Lock flag: lock
 Blacklist items matched: 1.
The user can no longer log in.
# Set the maximum number of login attempts to 2 and prohibit a user from logging in within 3 minutes
if the user fails to log in after two attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
Later, if a user fails to log in after two attempts, you can find it in the password control blacklist, with its
status changed from unlock to lock:
[Sysname] display password-control blacklist
 Username: test
    IP: 192.168.44.1          Login failures: 2          Lock flag: lock
 Blacklist items matched: 1.
After 3 minutes, the user is removed from the password control blacklist and can log in again.
Related commands
• display local-user