Configure the Local User Account Lockout Policy for SDDC Manager
Set the maximum number of failed login attempts and the time that must pass before an
account on the SDDC Manager appliance is automatically unlocked.
Setting | Default Value |
---|---|
Maximum number of failed login attempts | 3 |
Unlock time for root | 300 seconds |
Unlock time for all local accounts | 86400 seconds |
UI Procedure
- Log in to the SDDC Manager appliance using SSH as `vcf`.
- Change to the `root` user.
  ```bash
  su -
  ```
- Back up the authentication requirements for the appliance using the following command.
  ```bash
  cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-`date +%F_%H:%M:%S`.back
  ```
- Change the maximum number of failed attempts using the following command.
  ```bash
  sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
  ```
- Change the unlock time for the `root` account using the following command.
  ```bash
  sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
  ```
- Change the unlock time for all local accounts using the following command. The `\b` word boundary keeps the expression from also rewriting `root_unlock_time`.
  ```bash
  sed -i -E 's/\bunlock_time=[-]?[0-9]+/unlock_time=<your_value>/g' /etc/pam.d/system-auth
  ```
The configuration is applied to all local
user accounts on the SDDC Manager appliance.
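The substitutions from this procedure, run on a scratch file as an added example (not part of the original procedure): a substitution on `unlock_time=` that is not anchored at a word boundary also rewrites `root_unlock_time=`, while a `\b` anchor keeps the two settings separate. The sample PAM line, the helper names `get_opt`, `apply_policy` and `run_case`, and the values 5, 900 and 600 are constructed for illustration.

```shell
#!/bin/bash
# Added example: works on a scratch file, never on /etc/pam.d/system-auth.
# SAMPLE is a constructed PAM line; the real file on the appliance may differ.
SAMPLE='auth required pam_tally2.so onerr=fail deny=3 unlock_time=86400 root_unlock_time=300'

# get_opt FILE NAME: print the value of option NAME (whole-word match only).
get_opt() {
  grep -oE "(^|[[:space:]])$2=-?[0-9]+" "$1" | head -n1 | cut -d= -f2
}

# apply_policy FILE DENY UNLOCK ROOT_UNLOCK PREFIX
# Applies the three substitutions in the order the procedure lists them.
# PREFIX goes in front of "unlock_time=" in the last expression:
# '' = unanchored pattern, '\b' = word-boundary anchored pattern.
apply_policy() {
  sed -i -E "s/deny=[-]?[0-9]+/deny=${2}/g" "$1"
  sed -i -E "s/root_unlock_time=[-]?[0-9]+/root_unlock_time=${4}/g" "$1"
  sed -i -E "s/${5}unlock_time=[-]?[0-9]+/unlock_time=${3}/g" "$1"
}

# run_case PREFIX: apply deny=5, unlock_time=900, root_unlock_time=600 to a
# fresh scratch copy and print "deny unlock_time root_unlock_time" as read back.
run_case() {
  local f
  f=$(mktemp)
  printf '%s\n' "$SAMPLE" > "$f"
  apply_policy "$f" 5 900 600 "$1"
  echo "$(get_opt "$f" deny) $(get_opt "$f" unlock_time) $(get_opt "$f" root_unlock_time)"
  rm -f "$f"
}

echo "unanchored: $(run_case '')"    # root value is overwritten with 900
echo "anchored:   $(run_case '\b')"  # root value stays at 600
```

Reading the three values back with a whole-word match, as `get_opt` does, is a quick check after editing the real file that each setting holds the intended number.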
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
  ```powershell
  $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
  $sddcManagerUser = "administrator@vsphere.local"
  $sddcManagerPass = "VMw@re1!"
  # Replace with the name of your management domain
  $sddcDomainName = "sfo-m01"
  $rootPass = "VMw@re1!"
  $maxFailures = "3"
  $unlockInterval = "86400"
  $rootUnlockInterval = "300"
  ```
- Perform the configuration by running the command in the PowerShell console.
  ```powershell
  Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
  ```