https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061
I found this official link, and it gives the following step-by-step description:
First, a question about the password expiration description.
| Step | Command | Example | Purpose |
| --- | --- | --- | --- |
| Step 1 | password-policy lifetime days | ciscoasa(config)# password-policy lifetime 180 | (Optional) Sets the interval in days after which passwords expire for remote users (SSH, Telnet, HTTP); users at the console port are never locked out due to password expiration. Valid values are between 0 and 65536 days. The default value is 0 days, a value indicating that passwords will never expire. 7 days before the password expires, a warning message appears. After the password expires, system access is denied to remote users. To gain access after expiration, do one of the following: |
| Step 2 | password-policy minimum-changes value | ciscoasa(config)# password-policy minimum-changes 2 | (Optional) Sets the minimum number of characters that you must change between new and old passwords. Valid values are between 0 and 64 characters. The default value is 0. Character matching is position independent, meaning that new password characters are considered changed only if they do not appear anywhere in the current password. |
| Step 3 | password-policy minimum-length value | ciscoasa(config)# password-policy minimum-length 8 | (Optional) Sets the minimum length of passwords. Valid values are between 3 and 64 characters. We recommend a minimum password length of 8 characters. |
| Step 4 | password-policy minimum-uppercase value | ciscoasa(config)# password-policy minimum-uppercase 3 | (Optional) Sets the minimum number of upper case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
| Step 5 | password-policy minimum-lowercase value | ciscoasa(config)# password-policy minimum-lowercase 6 | (Optional) Sets the minimum number of lower case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
| Step 6 | password-policy minimum-numeric value | ciscoasa(config)# password-policy minimum-numeric 1 | (Optional) Sets the minimum number of numeric characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
| Step 7 | password-policy minimum-special value | ciscoasa(config)# password-policy minimum-special 2 | (Optional) Sets the minimum number of special characters that passwords must have. Valid values are between 0 and 64 characters. Special characters include the following: !, @, #, $, %, ^, &, *, ( and ). The default value is 0, which means there is no minimum. |
| Step 8 | password-policy authenticate enable | ciscoasa(config)# password-policy authenticate enable | (Optional) Sets whether users must change their password using the change-password command, instead of letting users change their password with the username command. The default setting is disabled: a user can use either method to change their password. If you enable this feature and try to change your password with the username command, the following error message appears: ERROR: Changing your own password is prohibited. You also cannot delete your own account with the clear configure username command. If you try, the following error message appears: ERROR: You cannot delete all usernames because you are not allowed to delete yourself |
I found the following link on the official site: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1711061
After opening that link, there is a setting for the password expiration time, the command marked with the red box in the table:
For example: the ASA firewall is configured with ciscoasa(config)# password-policy lifetime 180, so passwords expire after 180 days. If the password expires, then according to the official description, if I currently have only one administrator account, admin, once that time has passed it seems the admin account can no longer log in remotely over SSH and I must use the physical console, that is, I must go on site, connect a console cable, log in and change the password. Is that right?
But there is one point I don't understand. After configuring the 180-day expiration command, if the password expires, the link says [have another administrator change the password with the username command]. What I don't get is: doesn't this 180-day expiration command apply to all administrator accounts? The description above seems to say that after the password expires at 180 days, another administrator can log in remotely over SSH and change the other administrator's password, so there is no need to go on site and connect to the physical console. But I would think that after expiration none of the administrators can log in remotely over SSH, so how can another administrator log in to change the other administrator's password? It's strange and I can't make sense of it. Experts, please help.
Could someone also advise on the configuration option that locks an account out for a fixed time after several wrong password entries, or does this ASA 5555 model not support that option?
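As an added illustration of the rules in the table above (this is not Cisco's code and not the ASA's own implementation), the following Python script evaluates a candidate password against the listed password-policy rules and computes the lifetime state (ok, warning within the 7-day window, expired) that a remote SSH/Telnet/HTTP user would see. The policy values are the example values from the table; the old password, candidate passwords and dates are constructed samples, and counting each occurrence of a character for minimum-changes (rather than each distinct character) is an assumption.

```python
"""Local model of the ASA password-policy rules listed in the table.

Added example, not Cisco code. It does not talk to a device; it only
shows how each rule in the table would judge a candidate password and
when the lifetime rule would start warning or deny remote access.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Special characters exactly as the table lists them for minimum-special.
SPECIAL_CHARS = set("!@#$%^&*()")
# The table says a warning message appears 7 days before expiry.
WARNING_DAYS = 7


@dataclass
class PasswordPolicy:
    lifetime: int = 0           # days; 0 = never expires (table default)
    minimum_changes: int = 0    # table default 0
    minimum_length: int = 3     # lowest legal value in the table
    minimum_uppercase: int = 0
    minimum_lowercase: int = 0
    minimum_numeric: int = 0
    minimum_special: int = 0


def check_password(new: str, old: str, policy: PasswordPolicy) -> list:
    """Return the names of the rules the new password violates ([] = accepted)."""
    violations = []
    if len(new) < policy.minimum_length:
        violations.append("minimum-length")
    if sum(c.isupper() for c in new) < policy.minimum_uppercase:
        violations.append("minimum-uppercase")
    if sum(c.islower() for c in new) < policy.minimum_lowercase:
        violations.append("minimum-lowercase")
    if sum(c.isdigit() for c in new) < policy.minimum_numeric:
        violations.append("minimum-numeric")
    if sum(c in SPECIAL_CHARS for c in new) < policy.minimum_special:
        violations.append("minimum-special")
    # minimum-changes is position independent: a character of the new
    # password counts as changed only if it appears nowhere in the old one,
    # so reordering the old password changes nothing. Counting per
    # occurrence is an assumption of this example.
    changed = sum(c not in old for c in new)
    if changed < policy.minimum_changes:
        violations.append("minimum-changes")
    return violations


def lifetime_state(last_changed, today, policy: PasswordPolicy) -> str:
    """'ok', 'warning' (within 7 days of expiry) or 'expired' for remote users.

    Dates may be date objects or ISO strings. Console users are never locked
    out by expiration, so this models SSH/Telnet/HTTP access only.
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if policy.lifetime == 0:
        return "ok"  # lifetime 0 means passwords never expire
    expires = last_changed + timedelta(days=policy.lifetime)
    if today >= expires:
        return "expired"
    if today >= expires - timedelta(days=WARNING_DAYS):
        return "warning"
    return "ok"


# Example values taken from the table's own command examples.
TABLE_POLICY = PasswordPolicy(lifetime=180, minimum_changes=2, minimum_length=8,
                              minimum_uppercase=3, minimum_lowercase=6,
                              minimum_numeric=1, minimum_special=2)

if __name__ == "__main__":
    old = "OldPassword1!"  # constructed sample
    for cand in ("Short1!", "ABCdefghi1!@", "1!OldPassword"):
        print(cand, check_password(cand, old, TABLE_POLICY))
    # constructed sample: password last changed 2024-01-01, lifetime 180 days
    for day in ("2024-06-01", "2024-06-25", "2024-07-01"):
        print(day, lifetime_state("2024-01-01", day, TABLE_POLICY))
```

The third candidate, "1!OldPassword", is the old password with its characters reordered; it fails minimum-changes even though every position differs, which is what the table's "position independent" wording means. With the sample dates, a password changed on 2024-01-01 under lifetime 180 starts warning on 2024-06-22 and is expired from 2024-06-29 for remote users.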