Administering the PAM Password Manager

Last Updated: Sep 21, 2020

About this task

The PAM Password Manager allows you to define:

  • rules that require users to change their passwords periodically. The settings on this page affect the settings in the /etc/login.defs file and are used by the Add Login and Modify Login pages.

    Note:

    Changes to the global password settings affect only users created after the change. Existing users are not affected.

  • how AE Services Management Console administrative accounts are authenticated and controlled.

Procedure

  1. From the AE Services Management Console main menu, select Security > PAM > PAM Password Manager.
  2. In the New global password configuration (etc/login.defs) section, perform the following steps:
    1. In the Maximum number of days a password may be used (PASS_MAX_DAYS) field, accept or change the default (-1). The value (-1) indicates that the password never expires.
    2. In the Minimum number of days allowed between password changes (PASS_MIN_DAYS) field, accept or change the default (1).
    3. In the Number of days warning given before a password expires (PASS_WARN_AGE) field, accept or change the default (10).
  3. In the Optional Additional Authentication Protocols section, perform the following steps as applicable (the External LDAP and EASG settings are independent of each other):
    • If you authenticate users to an external LDAP server, select the External LDAP check box.

    • If you do not authenticate users to an external LDAP server, accept the default. By default, this option is disabled (that is, a checkmark does not appear in the External LDAP check box). When this option is disabled, AE Services authenticates OAM administrative users to the local Linux password store on the AE Services server.

    • If you want to allow the Avaya Logins access to the server (Recommended), select the Enable EASG user access check box. This option also lets you specify which of the Avaya Logins are granted access and which are not.

      Note:

      By enabling Avaya Logins, you are granting Avaya access to your system. Granting Avaya access to your system maximizes the performance and value of your Avaya support entitlements, allowing Avaya to resolve product issues on time. In addition to enabling the Avaya Logins, this product should be registered with Avaya and technically onboarded for remote connectivity and alarming. Please see the Avaya support site (support.avaya.com/registration) for additional information for registering products and establishing remote access and alarming.

    • If you want to block the Avaya Logins from accessing the server, clear the Enable EASG user access check box.

      Note:

      By disabling Avaya Logins you are preventing Avaya access to your system, which impacts Avaya's ability to provide support for the product. Unless the customer is well-versed in managing the product themselves, Avaya Logins should not be disabled.

  4. In the Password Limits section, accept or change the default settings. The Enforce Password Limits check box indicates whether password limits are in effect for users. It is selected by default, which, in turn, enables the following settings:
    1. Number of times user is prompted for a new password (retry). The default is 3.
    2. Number of characters in new password that must be different from old password (difok). The default is 8.
    3. Minimum length of a new password (minlen). The default is 14.
    4. Minimum credit in meeting required password length for digits in a password (dcredit). The default is 0.
    5. Minimum credit in meeting required password length for upper case characters in a password (ucredit). The default is 0.
    6. Minimum credit in meeting required password length for lower case characters in a password (lcredit). The default is 0.
    7. Minimum credit in meeting required password length for other characters in a password (ocredit). The default is 0.
    8. Number of previous passwords that cannot be reused. The default is 10.
    9. Maximum number of same consecutive characters in a password. The default is 2.
    10. Maximum consecutive characters from the same character class (maxclassrepeat). The default is 4.
    11. The algorithm used to hash the Linux password. The choices are sha256 and sha512; sha512 is the usual default on current Linux distributions.

    With the default credit value of 0 in items 4 through 7, no character class adds extra credit toward the minimum length, so a new password must contain at least 14 actual characters. In pam_cracklib and pam_pwquality terms, a positive credit value N lets up to N characters of that class count twice toward minlen, and a negative value -N instead requires at least N characters of that class. The labels above are the Management Console's field names; the mapping to the PAM options of the same name is assumed here, not stated by the console.

    The following PAM rule is applicable only if you modify the account using the command line interface:

    • Number of previous passwords that cannot be reused

  5. In the Failed Login Response section, accept or change the default settings. The Enable account lockout with the following parameters check box is selected by default, which, in turn, enables the following settings:
    1. Lock out the login after this many unsuccessful login attempts (deny). The default is 5 attempts.
    2. Lock the account for this many seconds (lock_time). The default is 600 seconds.
  6. Click Apply Changes.
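The script below is an added example, not code from this page or from Avaya. It applies the defaults listed in steps 2 and 4 to candidate passwords and to password-aging dates so that an administrator can see, before clicking Apply Changes, which passwords the configured limits will accept. The password rules follow pam_cracklib/pam_pwquality semantics for minlen, dcredit/ucredit/lcredit/ocredit, difok, maxrepeat and maxclassrepeat; the assumption that the console's fields map onto those PAM options, the names POLICY, LOGIN_DEFS, check_password and aging_status, and all sample passwords and dates are my own constructions.

```python
from datetime import date, timedelta

# Defaults from the Password Limits section of the page (assumed to map 1:1
# onto the pam_cracklib/pam_pwquality options of the same name).
POLICY = {
    "minlen": 14, "difok": 8,
    "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0,
    "maxrepeat": 2, "maxclassrepeat": 4,
}

# Defaults from the global password configuration section (/etc/login.defs).
LOGIN_DEFS = {"PASS_MAX_DAYS": -1, "PASS_MIN_DAYS": 1, "PASS_WARN_AGE": 10}

CLASSES = (("digit", "dcredit"), ("upper", "ucredit"),
           ("lower", "lcredit"), ("other", "ocredit"))


def char_class(c):
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def credited_length(pw, policy):
    """Length as pam_cracklib counts it: a credit of N > 0 adds up to N
    characters of that class to the length, 0 adds nothing, and N < 0 instead
    requires at least |N| characters of the class (None if that is unmet)."""
    counts = {cls: 0 for cls, _ in CLASSES}
    for c in pw:
        counts[char_class(c)] += 1
    length = len(pw)
    for cls, key in CLASSES:
        credit = policy[key]
        if credit >= 0:
            length += min(credit, counts[cls])
        elif counts[cls] < -credit:
            return None
    return length


def too_similar(old, new, difok):
    """pam_cracklib's similarity test: count characters of the old password
    that also occur in the new one; the new password passes if at least difok
    characters of the old one are gone, or if it is at least twice as long
    as that overlap."""
    overlap = sum(1 for c in old if c in new)
    return not ((len(old) - overlap) >= difok or len(new) >= 2 * overlap)


def longest_run(items):
    """Length of the longest run of equal consecutive items."""
    best = run = 0
    prev = object()
    for x in items:
        run = run + 1 if x == prev else 1
        prev = x
        best = max(best, run)
    return best


def check_password(new, old, policy=POLICY):
    """Return the list of violated rules (empty means the password is accepted)."""
    problems = []
    length = credited_length(new, policy)
    if length is None:
        problems.append("required character class missing")
    elif length < policy["minlen"]:
        problems.append(f"credited length {length} < minlen {policy['minlen']}")
    if old is not None and too_similar(old, new, policy["difok"]):
        problems.append("too similar to old password (difok)")
    if policy["maxrepeat"] and longest_run(new) > policy["maxrepeat"]:
        problems.append("more than maxrepeat identical consecutive characters")
    if policy["maxclassrepeat"] and longest_run(map(char_class, new)) > policy["maxclassrepeat"]:
        problems.append("more than maxclassrepeat consecutive characters of one class")
    return problems


def aging_status(last_change, today, defs=LOGIN_DEFS):
    """Expiry state implied by PASS_MAX_DAYS and PASS_WARN_AGE for a password
    last changed on last_change (ISO dates): never, ok, warning or expired."""
    last_change, today = date.fromisoformat(last_change), date.fromisoformat(today)
    if defs["PASS_MAX_DAYS"] < 0:
        return "never"
    expires = last_change + timedelta(days=defs["PASS_MAX_DAYS"])
    if today > expires:
        return "expired"
    if today + timedelta(days=defs["PASS_WARN_AGE"]) >= expires:
        return "warning"
    return "ok"


if __name__ == "__main__":
    old = "Winter2019!Pass"  # constructed sample of a user's previous password
    for cand in ("Tr0ub4dor&3Xy!", "correcthorsebatterystaple",
                 "Winter2020!Pass", "Tr0ub4dor&3Xy!!!", "Sh0rt!Pw"):
        print(cand, check_password(cand, old) or "accepted")
    print(aging_status("2020-01-01", "2020-09-21"))
    print(aging_status("2020-01-01", "2020-09-21", {**LOGIN_DEFS, "PASS_MAX_DAYS": 90}))
```

Running it shows a side effect of the defaults worth knowing before you deploy them: with maxclassrepeat at 4, any password with five or more consecutive characters of one class is rejected, so a long all-lowercase passphrase such as the second sample fails even though it comfortably exceeds minlen, while a 14-character mixed string passes. The aging check also makes the PASS_MAX_DAYS default of -1 concrete: passwords never expire unless you change it.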