Configure the Local User Account Lockout Policy for SDDC Manager

Set the maximum number of failed login attempts and the time that must pass before an account on the SDDC Manager appliance is automatically unlocked.
Setting                                    Default Value
Maximum number of failed login attempts    3
Unlock time for root                       300 seconds
Unlock time for all local accounts         86,400 seconds

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as vcf.
  2. Change to the root user.
    su -
  3. Back up the authentication requirements for the appliance using the following command.
    cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
  4. Verify that all properties for configuring the account lockout policy for SDDC Manager users are present in the /etc/security/faillock.conf file. If any properties are missing from the /etc/security/faillock.conf file, add them manually.
    # Configuration for locking the user after multiple failed
    # authentication attempts.
    #
    # The directory where the user files with the failure records are kept.
    # The default is /var/run/faillock.
    . . . .
    # admin_group = <admin_group_name>
    dir = /run/faillock
    deny = 3
    unlock_time = 86400
    even_deny_root
    root_unlock_time = 300
    dir = /var/log/faillock
  5. To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set values for the following properties according to the requirements of your organization and save the file.
    Setting                                   Property in /etc/security/faillock.conf
    Maximum number of failed attempts         deny
    Unlock time for the root user account     root_unlock_time
    Unlock time for all local accounts        unlock_time
The configuration is applied to all local user accounts on the SDDC Manager appliance.
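The following POSIX shell script is an added example, not part of the VMware documentation or of SDDC Manager: it audits a faillock.conf against the lockout values described above (deny, unlock_time, root_unlock_time and the even_deny_root flag) so an operator can confirm the edit in step 5 took effect. It assumes the pam_faillock key = value syntax shown in step 4 and treats the last uncommented assignment of a key as the effective one.

```shell
#!/bin/sh
# Added example (not VMware's code): audit /etc/security/faillock.conf
# against the SDDC Manager lockout policy. Defaults match the page:
# deny=3, unlock_time=86400, root_unlock_time=300, even_deny_root set.

# Print the value of a key; the last uncommented assignment is taken
# as effective (assumption of this script, see lead-in).
faillock_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed when a bare flag such as even_deny_root is present and not commented out.
faillock_has_flag() {  # $1=file $2=flag
    grep -Eq "^[[:space:]]*$2[[:space:]]*(#.*)?$" "$1"
}

# Print one line per deviation; the return code is the number of findings
# (0 means the file matches the requested policy).
faillock_audit() {  # $1=file [$2=deny] [$3=unlock_time] [$4=root_unlock_time]
    file=$1; want_deny=${2:-3}; want_unlock=${3:-86400}; want_root=${4:-300}
    findings=0
    for pair in "deny=$want_deny" "unlock_time=$want_unlock" "root_unlock_time=$want_root"; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(faillock_get "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found '${have:-<unset>}'"
            findings=$((findings + 1))
        fi
    done
    if ! faillock_has_flag "$file" even_deny_root; then
        echo "even_deny_root: missing, the root account would never be locked"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage on the appliance (as root): sh faillock_audit.sh /etc/security/faillock.conf
if [ -n "$1" ]; then
    faillock_audit "$1" && echo "$1: lockout policy matches"
fi
```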

PowerShell Procedure

  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    # Replace with the name of your management domain
    $sddcDomainName = "sfo-m01"
    $rootPass = "VMw@re1!"
    $maxFailures = "3"
    $unlockInterval = "86400"
    $rootUnlockInterval = "300"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval