3 Replies Latest reply on Aug 30, 2012 2:01 PM by sliedl

    Sidewinder V7.01 cf command to create user and expire password

      Is there a cf command to create an admin locally on the firewall as well as create and set the password to expired so that the user is forced to change it at next logon?

       

      # cf adminuser add username=$USERNAME directory=/home/$USERNAME password=$PASSWORD

       

      How would I accomplish the expire password feature found here:

       

      Policy > Rule Elements > Authenticators > Password

      Click on user and user groups

      Click on username $USERNAME

      Click modify

      Click Expire Password

      Ok

      Save

        • 1. Re: Sidewinder V7.01 cf command to create user and expire password

          Hello,

           

          Unfortunately the "Expire password" feature does not apply to Administrative users, only to regular users. There does not appear to be a way to "expire" the password for Administrative users either from the command line or GUI.

           

          Regards,

           

          Matt

          • 2. Re: Sidewinder V7.01 cf command to create user and expire password

            Sorry, when I meant admin user I meant a local user (with admin or adminro privs), not the admin account specifically.

             

            Is it possible to expire the password for a regular local user account (not admin account)?

            • 3. Re: Sidewinder V7.01 cf command to create user and expire password
              sliedl

              The admin users (users who can log in to the firewall itself) are controlled by the 'cf adminuser' command. These users have an admin or adminro role in that output, or no role at all if they have 'no admin privileges'.


              The users in the 'Users and Usergroups' section can be thought of as 'proxy users' (users who can authenticate to the proxies which support authentication). The admin users are proxy users also. These users can be configured with the 'cf udb' command. These users cannot log in to the firewall itself.

               

              I do not see a way with either cf command to expire a password for a user though.  You can run 'cf udb add user=username' and that will add a 'proxy user' with no password or authentication method, but I have not tested that to see what it actually does (I imagine that user cannot authenticate through a proxy as they have no auth method).

               

              I tried this also:

              cf adminuser modify username=swadmin password=''  (no password specified)

              but it said you cannot unset a password.


              There is a way to make a rule on the firewall so a user can log in via a web browser and change their password. This works for both admin users and 'proxy users' I believe (since they both use the Password warder). That is on page 107 of the 70102 Admin Guide (PD21680 in the KB or a Google search). That is not exactly what you asked for but more of an FYI.

               

              I will ask the higher-ups if there is any way to accomplish what you're asking for (akin to 'User must change password on next login' on Windows systems).