Manual Chapter : BIG-IP System: Secure Password Policy

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

BIG-IP System: Secure Password Policy

About secure password policy enforcement

In versions of BIG-IP prior to 14.0.0, Secure Password Policy is available but not enabled. Beginning with BIG-IP version 14.0.0, Secure Password Policy is enabled by default. This means that on new installations, the passwords for root and admin accounts are expired and must be changed upon initial login. This only applies to new installations and does not apply to upgrades or UCS load. Password policy settings from the UCS file are imported, so if you load a UCS from an 13.1 (or earlier) onto version 14.0 and the password policy was set to disabled in that UCS, then the password policy will be disabled on version 14.0.
When you login to either the admin or root account, you will be prompted to change the password. Whichever account password you change first will also set the password for the other account. For example, if on a new installation you change the admin password for the first time, the root password will also be changed. This is a one-time event; meaning that future changes to the root password will not affect the password for the admin user ID.
During an upgrade, the password policy settings from the previous version are rolled forward. This means that you will not encounter the secure password policy enforcement settings if you are upgrading; only on new installations or on a reset to factory default.
The new password must be more than 6 characters long and must pass basic pam_cracklib checks including:
  • cannot be a dictionary word
  • cannot be a palindrome of the old password
  • cannot be a case change only of an older password
  • cannot be a rotated version of the old password
  • cannot be too similar to the old password
  • cannot be too simple

Configuration settings for a secure password policy

This table lists and describes the settings for a password policy. These settings apply to all local user accounts on the BIG-IP system.
Setting
Description
Default value
Secure Password Enforcements
Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the BIG-IP Configuration utility displays the
Minimum Length
and
Required Characters
settings.
Enabled
Minimum Length
Specifies the minimum number of characters required for a password, and the allowed range of values is
6
to
255
.
6
Required Characters
Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is
0
to
127
.
0
Password Memory
Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from re-using a recent password. The range of allowed values is
0
to
127
.
0
Minimum Duration
Specifies the minimum number of days before a user can change a password. The range of allowed values is
0
to
255
.
0
Maximum Duration
Specifies the maximum number of days that a user's password can be valid. The range of allowed values is
1
to
99999
.
99999
Expiration Warning
Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is
1
to
255
.
7
Maximum Login Failures
Denies access to a user after the specified number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.
0
Required Lowercase
Specifies the minimum number of lowercase characters required for a password.
0
Required Numeric
Specifies the minimum number of numeric characters required for a password.
0
Required Special
Specifies the minimum number of special characters required for a password.
0
Required Uppercase
Specifies the minimum number of uppercase characters required for a password.
0

Secure Password Policy Enforcement on F5 Modules for Ansible

F5 Modules for Ansible use basic auth to communicate with the BIG-IP over HTTPS, so when password policy is enforced with
config reset
, Ansible will not be able to reach the BIG-IP until you update the password of your host in the inventory file. If you do not change the inventory password, your task will fail because it cannot authenticate.
The following code is an example of resetting the system configuration:
# config reset task - name: Reset the BIG-IP bigip_config: reset: yes save: True delegate_to: localhost
After config reset, you must immediately set the inventory password to match the new admin password. For example:
- name: Reset the BIG-IP - name: After reset, configure the expired admin password uri: url: "https://{{ inventory_hostname }}/mgmt/shared/authz/users/admin” method: PATCH body: '{"oldPassword":"admin","password":"{{ bigip_password }}"}’ body_format: json validate_certs: no force_basic_auth: yes user: admin password: admin headers: Content-Type: "application/json” delegate_to: localhost
The root password is automatically changed to the admin password if it was previously unchanged, so you will also need to update the root password to match the inventory password that Ansible expects.
- name: Last part of config reset - configure the root password bigip_user: full_name: root username_credential: root password_credential: "{{ bigip_password }}” update_password: always delegate_to: localhost

Modifying the system maintenance account passwords in the user interface

To modify the root or admin passwords, you must have either administrator or root level access to the configuration utility.
  1. On the Main tab, click
    System
    Platform
    .
  2. In the
    User Administration
    section, choose the
    Password
    field for either
    Root Account
    or
    Admin Account
    .
  3. Type the new password.
  4. Type the same password in the
    Confirm
    field for the account chosen.
  5. Click
    Update
    .
If you have updated the password for
Admin Account
, you will be logged out of the Configuration utility and will need to log in again using the new password.

Modifying the system maintenance passwords using TMSH

To modify the root or admin passwords, you must have either administrator or root level access to the command line.
  1. Log in to the TMOS Shell (
    tmsh
    ) by typing the following command:
    tmsh
    If you need to modify the password for only the
    admin
    account, skip to step 5.
  2. To modify the password for the
    root
    account, type the following command:
    modify auth password root
  3. When prompted, type the new
    root
    password.
  4. When prompted, retype the new
    root
    password to confirm.
    If you need to modify the password for only the
    root
    account, skip the remaining steps.
  5. To modify the password for the
    admin
    account, type the following command:
    modify auth user admin prompt-for-password
  6. When prompted, type the new
    admin
    password.
  7. When prompted, retype the new
    admin
    password to confirm.
  8. To save changes to the configuration files, type the following command:
    save sys config
  9. Exit
    tmsh
    by typing the following command:
    quit

Resetting a lost or forgotten root password

This procedure requires that you restart the BIG-IP system in single-user mode. While in this mode, the device is unable to process traffic.
  1. Start the system in single-user mode.
    Access to the command prompt of the device may take 5-to-10 minutes of boot time, depending on the device type.
    For platform-specific instructions, refer to one of the following articles:
  2. Type the following commands:
    mount -a
    passwd root
  3. When prompted, enter a new password.
  4. Type
    exit
    or
    reboot
    to return to the normal operating mode.
After the system restarts, you should be able to log in using the new password.