Manual Chapter: BIG-IP System Secure Password Policy

Applies To:

BIG-IP LTM

  • 14.0.1, 14.0.0

BIG-IP System: Secure Password Policy

About secure password policy enforcement

In versions of BIG-IP prior to 14.0.0, Secure Password Policy is available but not enabled. Beginning with BIG-IP version 14.0.0, Secure Password Policy is enabled by default. This means that on new installations, the passwords for the root and admin accounts are expired and must be changed upon initial login. This only applies to new installations and does not apply to upgrades or to loading a UCS. Password policy settings from the UCS file are imported, so if you load a UCS from a 13.1 (or earlier) system onto version 14.0 and the password policy was set to disabled in that UCS, then the password policy will be disabled on version 14.0.

When you log in to either the admin or root account, you will be prompted to change the password. Whichever account password you change first will also set the password for the other account. For example, if on a new installation you change the admin password for the first time, the root password will also be changed. This is a one-time event, meaning that future changes to the root password will not affect the password for the admin user ID.

During an upgrade, the password policy settings from the previous version are rolled forward. This means that you will not encounter the secure password policy enforcement settings if you are upgrading; only on new installations or on a reset to factory default.

The new password must be more than 6 characters long and must pass basic pam_cracklib checks including:
  • cannot be a dictionary word
  • cannot be a palindrome of the old password
  • cannot be a case change only of an older password
  • cannot be a rotated version of the old password
  • cannot be too similar to the old password
  • cannot be too simple

Configuration settings for a secure password policy

This table lists and describes the settings for a password policy. These settings apply to all local user accounts on the BIG-IP system.

Secure Password Enforcement
  Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the BIG-IP Configuration utility displays the Minimum Length and Required Characters settings.
  Default value: Enabled

Minimum Length
  Specifies the minimum number of characters required for a password. The allowed range of values is 6 to 255.
  Default value: 6

Required Characters
  Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127.
  Default value: 0

Password Memory
  Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from re-using a recent password. The range of allowed values is 0 to 127.
  Default value: 0

Minimum Duration
  Specifies the minimum number of days before a user can change a password. The range of allowed values is 0 to 255.
  Default value: 0

Maximum Duration
  Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999.
  Default value: 99999

Expiration Warning
  Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255.
  Default value: 7

Maximum Login Failures
  Denies access to a user after the specified number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.
  Default value: 0

Required Lowercase
  Specifies the minimum number of lowercase characters required for a password.
  Default value: 0

Required Numeric
  Specifies the minimum number of numeric characters required for a password.
  Default value: 0

Required Special
  Specifies the minimum number of special characters required for a password.
  Default value: 0

Required Uppercase
  Specifies the minimum number of uppercase characters required for a password.
  Default value: 0
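The rules listed under "About secure password policy enforcement" and the per-class settings in the table above can be exercised locally before a password change reaches the appliance. The checker below is an added example and is not F5 code; it applies the pam_cracklib-style rules the page names (dictionary word, palindrome of the old password, case change only, rotation, too similar) plus the table's Minimum Length, Required Lowercase/Uppercase/Numeric/Special and Password Memory settings. The tiny dictionary, the "difok" edit-distance threshold used for "too similar", the reading of Minimum Length as "at least N characters", and counting the password being replaced as the most recent remembered password are all assumptions; the "too simple" rule is represented by the character-class minimums.

```python
# Added example: a local checker mirroring the BIG-IP secure password policy rules
# described on this page. Not F5's implementation; thresholds below are assumptions.

# Constructed stand-in for the system word list that pam_cracklib consults.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "monkey"}


class PasswordPolicy:
    """Settings from the table. Defaults match the table's defaults; difok is a
    pam_cracklib-style minimum edit distance from the old password (assumed 5)."""

    def __init__(self, minimum_length=6, required_lowercase=0, required_uppercase=0,
                 required_numeric=0, required_special=0, password_memory=0, difok=5):
        self.minimum_length = minimum_length
        self.required_lowercase = required_lowercase
        self.required_uppercase = required_uppercase
        self.required_numeric = required_numeric
        self.required_special = required_special
        self.password_memory = password_memory
        self.difok = difok


def levenshtein(a, b):
    """Edit distance between two strings; backs the 'too similar' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new, old, history=(), policy=None, dictionary=DICTIONARY):
    """Return the list of rule violations for a proposed password (empty list = accepted).

    new:     the proposed password
    old:     the password being replaced
    history: earlier passwords, most recent first (used with Password Memory)
    """
    policy = policy or PasswordPolicy()
    problems = []

    if len(new) < policy.minimum_length:
        problems.append("shorter than minimum length")
    if new.lower() in dictionary:
        problems.append("dictionary word")
    if new == old[::-1]:
        problems.append("palindrome of the old password")
    if new != old and new.lower() == old.lower():
        problems.append("case change only of the old password")
    # A rotation of the old password is a substring of the old password doubled.
    if new != old and len(new) == len(old) and new in old + old:
        problems.append("rotated version of the old password")
    if levenshtein(new, old) < policy.difok:
        problems.append("too similar to the old password")

    # Character-class minimums (Required Lowercase/Uppercase/Numeric/Special).
    counts = {
        "lowercase": sum(c.islower() for c in new),
        "uppercase": sum(c.isupper() for c in new),
        "numeric": sum(c.isdigit() for c in new),
        "special": sum(not c.isalnum() for c in new),
    }
    required = {
        "lowercase": policy.required_lowercase,
        "uppercase": policy.required_uppercase,
        "numeric": policy.required_numeric,
        "special": policy.required_special,
    }
    for cls, needed in required.items():
        if counts[cls] < needed:
            problems.append(f"needs at least {needed} {cls} character(s)")

    # Password Memory: the password being replaced counts as the most recent
    # remembered password (assumption), followed by the supplied history.
    if policy.password_memory:
        remembered = ((old,) + tuple(history))[:policy.password_memory]
        if new in remembered:
            problems.append("re-uses a remembered password")

    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(minimum_length=8, required_uppercase=1,
                            required_numeric=1, required_special=1, password_memory=3)
    for candidate in ("password", "ADMINpass1", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "adminPASS1", policy=strict) or "accepted")
```

Run it as a script to see which rule each candidate trips; an empty list means the proposal would satisfy every rule the checker models, which is a useful pre-flight before an Ansible task submits the change.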

Secure Password Policy Enforcement on F5 Modules for Ansible

F5 Modules for Ansible use basic authentication to communicate with the BIG-IP over HTTPS, so when the password policy is enforced after a config reset, Ansible will not be able to reach the BIG-IP until you update the password of your host in the inventory file. If you do not change the inventory password, your task will fail because it cannot authenticate.

The following code is an example of resetting the system configuration:

# config reset task
- name: Reset the BIG-IP
  bigip_config:
    reset: yes
    save: True
  delegate_to: localhost 

After config reset, you must immediately set the inventory password to match the new admin password. For example:

- name: After reset, configure the expired admin password
  uri:
    url: "https://{{ inventory_hostname }}/mgmt/shared/authz/users/admin"
    method: PATCH
    # The factory default admin password is the old password; the new one
    # comes from the inventory variable that later tasks will authenticate with.
    body: '{"oldPassword":"admin","password":"{{ bigip_password }}"}'
    body_format: json
    # The freshly reset system still presents its self-signed certificate.
    validate_certs: no
    force_basic_auth: yes
    user: admin
    password: admin
    headers:
      Content-Type: "application/json"
  delegate_to: localhost

The root password is automatically changed to the admin password if it was previously unchanged, so you will also need to update the root password to match the inventory password that Ansible expects.

- name: Last part of config reset - configure the root password
  bigip_user:
    full_name: root
    username_credential: root
    password_credential: "{{ bigip_password }}"
    # Force the change even though the account already has a password set.
    update_password: always
  delegate_to: localhost

Modifying the system maintenance account passwords in the user interface

To modify the root or admin passwords, you must have either administrator or root level access to the configuration utility.
  1. On the Main tab, click System > Platform.
  2. In the User Administration section, choose the Password field for either Root Account or Admin Account.
  3. Type the new password.
  4. Type the same password in the Confirm field for the account chosen.
  5. Click Update.
If you have updated the password for Admin Account, you will be logged out of the Configuration utility and will need to log in again using the new password.

Modifying the system maintenance passwords using TMSH

To modify the root or admin passwords, you must have either administrator or root level access to the command line.
  1. Log in to the TMOS Shell (tmsh) by typing the following command:
    tmsh
    Note: If you need to modify the password for only the admin account, skip to step 5.
  2. To modify the password for the root account, type the following command:
    modify auth password root
  3. When prompted, type the new root password.
  4. When prompted, retype the new root password to confirm.
    Note: If you need to modify the password for only the root account, skip the remaining steps.
  5. To modify the password for the admin account, type the following command:
    modify auth user admin prompt-for-password
  6. When prompted, type the new admin password.
  7. When prompted, retype the new admin password to confirm.
  8. To save changes to the configuration files, type the following command:
    save sys config
  9. Exit tmsh by typing the following command:
    quit

Resetting a lost or forgotten root password

This procedure requires that you restart the BIG-IP system in single-user mode. While in this mode, the device is unable to process traffic.
  1. Start the system in single-user mode.
    Important: Access to the command prompt of the device may take 5 to 10 minutes of boot time, depending on the device type.

    For platform-specific instructions, refer to one of the following articles:

  2. Type the following commands:

    mount -a

    passwd root

  3. When prompted, enter a new password.
  4. Type exit or reboot to return to the normal operating mode.
After the system restarts, you should be able to log in using the new password.