Configuring Hard Limits for Authentication Settings
Key Manager features authentication settings that can be used for enforcing password policies for Key Manager accounts. Key Manager administrators with the appropriate permissions can change these policies via the Key Manager GUI and the command-line client. To further increase security, Key Manager features "hard limits" for restricting the values that Key Manager administrators can set for these settings.
Incorrect overrides for hard limits may cause the Key Manager system to malfunction. If you need to override the default hard limits in your Key Manager deployment, we strongly suggest that you contact SSH Communications Security Corporation customer support for help on this matter.
The authentication settings that can be overridden (along with their default values, if defined) are the following:
Table 4.1. Authentication-settings hard limits
| Setting name | Data type | Default value | Hard limits | Description |
|---|---|---|---|---|
| account_lockout | boolean | False | (unlimited) | Lock out accounts after the configured number of consecutive failed log-in attempts. |
| account_lockout_duration | integer | 1 | 1..1440 | Account lock-out duration (in minutes). |
| maximum_logon_attempts | integer | 3 | 1..100 | Lock out the account after this many consecutive failed log-in attempts. |
| min_length | integer | 8 | ≥7 | Password minimum length (in characters). |
| password_expiration | integer | 0 | 0..1825 | Duration (in days) after which the account password expires. 0 for unlimited. |
| password_history_length | integer | 4 | 4..100 | History length for preventing passwords that match previously-used passwords. |
| try_crack | boolean | False | (unlimited) | Disallow passwords that can be cracked with a standard dictionary attack. |
To override built-in hard limits for authentication settings, perform the following on all the Key Manager Servers:
-
Open the local-settings file
/opt/sshmgr/app/localsettings.pyand locate theSERVER_SETTINGS_OVERRIDESvariable (a Python dictionary-type data structure). If the variable does not exist, you can append it to the local-settings file. The syntax forSERVER_SETTINGS_OVERRIDESis described in the following steps. -
Under
SERVER_SETTINGS_OVERRIDES, define the overrides similar to the following:SERVER_SETTINGS_OVERRIDES = {'password_policy': {'password_expiration': {'value': 35,'is_valid': lambda x: 1 <= x <= 35},'account_lockout': {'value': True,'is_valid': lambda x: x == True},'maximum_logon_attempts': {'value': 3,'is_valid': lambda x: 1 <= x <= 3,'msg': 'Must be a value between 1 and 3'},...}}For each setting, define the following:
-
value: The default value for the setting. -
is_valid(optional): The hard limits for the setting. This must be specified as a function that returns True for accepted values, and False otherwise. If unspecified, the possible values are unlimited. -
msg(optional): A message that is displayed when a user tries to set an unaccepted value. This message can be used to inform Key Manager administrators about the possible values of the setting.
-
-
Save your changes to the local-settings file, then restart the relevant Key Manager Server services to apply the changes. If the machine is a Key Manager front end, restart its front-end services: If the machine is a Key Manager front end, restart its front-end services:
# supervisorctl restart frontend:Similarly, if the machine is a Key Manager back end, restart the back-end services:
# supervisorctl restart backend:noteHard limits only prevent Key Manager administrators from subsequently setting values outside the defined ranges. Existing values for authentication settings are preserved regardless of changes to default values and/or hard limits. You must manually ensure that authentication settings are changed to acceptable values after overriding hard limits.