Manual Chapter :
BIG-IP System: Secure Password Policy
Applies To:
Show VersionsBIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP System: Secure Password Policy
About secure password policy enforcement
In versions of BIG-IP prior to 14.0.0, Secure Password Policy is available but
not enabled. Beginning with BIG-IP version 14.0.0, Secure Password Policy is enabled by
default. This means that on new installations, the passwords for root and admin
accounts are expired and must be changed upon initial login. This only applies to new
installations and does not apply to upgrades or UCS load. Password policy settings from
the UCS file are imported, so if you load a UCS from an 13.1 (or earlier) onto version
14.0 and the password policy was set to disabled in that UCS, then the password policy
will be disabled on version 14.0.
When you login to either the admin or root account, you will be
prompted to change the password. Whichever account password you change first will also
set the password for the other account. For example, if on a new installation you change
the admin password for the first time, the root password will also be changed. This is a
one-time event; meaning that future changes to the root password will not affect the
password for the admin user ID.
During an upgrade, the password policy settings from the previous version are rolled
forward. This means that you will not encounter the secure password policy enforcement
settings if you are upgrading; only on new installations or on a reset to factory
default.
The new password must be more than 6 characters long and must pass
basic pam_cracklib checks including:
- cannot be a dictionary word
- cannot be a palindrome of the old password
- cannot be a case change only of an older password
- cannot be a rotated version of the old password
- cannot be too similar to the old password
- cannot be too simple
Configuration settings for a secure password policy
This table lists and describes the settings for a password policy. These settings apply to all local user accounts on the BIG-IP system.
Setting | Description | Default value |
---|---|---|
Secure Password Enforcements | Enables or disables character restrictions, that is, a policy for minimum
password length and required characters. When you enable this setting, the BIG-IP
Configuration utility displays the Minimum Length and
Required Characters settings. | Enabled |
Minimum Length | Specifies the minimum number of characters required for a
password, and the allowed range of values is 6 to 255 . | 6 |
Required Characters | Specifies the number of numeric, uppercase, lowercase, and
other characters required for a password. The allowed range of values is 0 to 127 . | 0 |
Password Memory | Specifies, for each user account, the number of former passwords that the BIG-IP
system retains to prevent the user from re-using a recent password. The range of
allowed values is 0 to 127 . | 0 |
Minimum Duration | Specifies the minimum number of days before a user can change a password. The
range of allowed values is 0 to 255 . | 0 |
Maximum Duration | Specifies the maximum number of days that a user's password can be valid. The
range of allowed values is 1 to 99999 . | 99999 |
Expiration Warning | Specifies the number of days prior to password expiration that the system sends a
warning message to a user. The range of allowed values is 1 to
255 . | 7 |
Maximum Login Failures | Denies access to a user after the specified number of failed authentication
attempts. The administrator can then reset the lock to re-enable access for the
user. | 0 |
Required Lowercase |
Specifies the minimum number of lowercase characters required for a
password. |
0 |
Required Numeric |
Specifies the minimum number of numeric characters required for a
password. |
0 |
Required Special |
Specifies the minimum number of special characters required for a
password. |
0 |
Required Uppercase |
Specifies the minimum number of uppercase characters required for a
password. |
0 |
Secure Password Policy Enforcement on F5 Modules for Ansible
F5 Modules for Ansible use basic auth to communicate with the BIG-IP over
HTTPS, so when password policy is enforced with
config
reset
, Ansible will not be able to reach the BIG-IP until you update the password
of your host in the inventory file. If you do not change the inventory password, your task
will fail because it cannot authenticate.The following code is an example of resetting the system configuration:
# config reset task - name: Reset the BIG-IP bigip_config: reset: yes save: True delegate_to: localhost
After config reset, you must immediately set the inventory password to match
the new admin password. For example:
- name: Reset the BIG-IP - name: After reset, configure the expired admin password uri: url: "https://{{ inventory_hostname }}/mgmt/shared/authz/users/admin” method: PATCH body: '{"oldPassword":"admin","password":"{{ bigip_password }}"}’ body_format: json validate_certs: no force_basic_auth: yes user: admin password: admin headers: Content-Type: "application/json” delegate_to: localhost
The root password is automatically changed to the admin password if it was previously
unchanged, so you will also need to update the root password to match the inventory
password that Ansible expects.
- name: Last part of config reset - configure the root password bigip_user: full_name: root username_credential: root password_credential: "{{ bigip_password }}” update_password: always delegate_to: localhost
Modifying the system maintenance account passwords in the user interface
To modify the root or admin passwords, you must have
either administrator or root level access to the configuration utility.
- On the Main tab, click.
- In theUser Administrationsection, choose thePasswordfield for eitherRoot AccountorAdmin Account.
- Type the new password.
- Type the same password in theConfirmfield for the account chosen.
- ClickUpdate.
If you have updated the password for
Admin
Account
, you will be logged out of the Configuration utility and will
need to log in again using the new password.Modifying the system maintenance passwords using TMSH
To modify the root or admin passwords, you must have
either administrator or root level access to the command line.
- Log in to the TMOS Shell (tmsh) by typing the following command:tmshIf you need to modify the password for only theadminaccount, skip to step 5.
- To modify the password for therootaccount, type the following command:modify auth password root
- When prompted, type the newrootpassword.
- When prompted, retype the newrootpassword to confirm.If you need to modify the password for only therootaccount, skip the remaining steps.
- To modify the password for theadminaccount, type the following command:modify auth user admin prompt-for-password
- When prompted, type the newadminpassword.
- When prompted, retype the newadminpassword to confirm.
- To save changes to the configuration files, type the following command:save sys config
- Exittmshby typing the following command:quit
Resetting a lost or forgotten root password
This procedure requires that you restart the BIG-IP
system in single-user mode. While in this mode, the device is unable to process
traffic.
- Start the system in single-user mode.Access to the command prompt of the device may take 5-to-10 minutes of boot time, depending on the device type.For platform-specific instructions, refer to one of the following articles:
- For BIG-IP 5000, 7000, 10000, and 12000 series platforms, refer to K14662: Restarting the BIG-IP system in single-user mode (GRUB2)
- For all other platforms, refer to K4178: Restarting the BIG-IP system in single-user mode (GRUB 0.97)
- For Virtual Clustered Multiprocessing (vCMP) guests, refer to K14581: Resetting a lost or forgotten administrative account password on a vCMP guest
- Type the following commands:mount -apasswd root
- When prompted, enter a new password.
- Typeexitorrebootto return to the normal operating mode.
After the system restarts, you should be able to log
in using the new password.