General Information for Users

This function lets you list the current IBM Firewall users, add and delete users' access to the IBM Firewall, and change the attributes of a user.

Note that if this user is being set up for the Secure Remote Client function, the Non-Secure IP field should be set to "password". See the Secure Remote Client section in the Users' Guide for more information.

Further Information

Administering Users at the Firewall

Authority Level

Open the pull-down to select Authority Level. There are two Authority Levels:
  1. Proxy User - By default, proxy users are assigned the restrict.sh shell, which only allows a few commands (telnet, ping). Proxy users cannot perform any administration functions.
  2. Firewall Administrator - Will use ksh and can perform Firewall administrative functions via the command line interface or the Configuration Client. Exactly which firewall functions this user can administer can be customized by clicking on the Administration tab. Note that root is a special case of Firewall Administrator. Root can perform all firewall functions plus add or modify Firewall Administrators. Non-root Firewall Administrators cannot add or modify Firewall Administrators. Note that you cannot copy the root administrator in order to create another "root". Copying root simply acts to create another Firewall Administrator. Note also that copying root will not copy a Remote Login value of "False". If you copy the root user with Remote Login set to "False", the Remote Login setting for the new administrator will be set to "True".
Note that all Firewall administrator actions are logged to etc/security/fwadmin.log. Logged information includes the date, administrator's user ID, and the command executed.

User Name

Defines a string that identifies this user account on the system. The system uses this login name to set the correct environment and access privileges for the user when the user logs in.

To enter a user name, type a string of one to eight bytes. You can use letters, numbers, and some special characters in the user name.

The following restrictions apply: Each authorized user has a login name and password to access a user account. One person can have several authorized user accounts on a system but each account must be identified with a unique login name to preserve a secure environment.

It is a good idea to use names that are meaningful to the users on the system. For example, using actual names helps users identify each other for electronic mail, or using a task name helps identify the user account with its purpose.

Note: You cannot leave this field blank.

User Full Name

Enter the full name of the user. You can use any conventions that you want. This field is for your use only.

Secure Interface Shell

Enter the name of the shell to run when a user logs in from the secure network interface.
      /bin/csh            The C shell
      /bin/bsh            The Bourne shell
      /bin/ksh            The Korn shell
      /bin/restrict.sh    A restricted shell
      /bin/oneact.sh      A shell that performs a single action

Non-Secure Interface Shell

Enter the name of the shell to run when a user logs in from the non-secure network interface.
      /bin/csh            The C shell
      /bin/ksh            The Korn shell
      /bin/bsh            The Bourne shell
      /bin/restrict.sh    A restricted shell
      /bin/oneact.sh      A shell that performs a single action

Local Login

Specify what kind of authentication will be used to validate this user when logging in locally. The choices are:
                    deny  user cannot login to the firewall
                    none  use no authentication
                password  use password authentication
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Secure FTP

Enter the kind of authentication to be used when this user FTPs to the Firewall host from the secure network:
                    deny  user cannot FTP through the Firewall
                    none  use no authentication
                password  use password authentication
           SecureNet Key  use an AssureNet Pathways SecureNet Key card
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Non-Secure FTP

Enter the kind of authentication to be used when this user FTPs to the Firewall host from the non-secure network:
                    deny  user cannot FTP through the Firewall
                    none  use no authentication
                password  use password authentication
           SecureNet Key  use an AssureNet Pathways SecureNet Key card
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Secure Telnet

Specify what kind of authentication will be used to validate this user when logging in from the secure network interface. The choices are:
                    deny  user cannot Telnet through the Firewall
                    none  use no authentication
                password  use password authentication
           SecureNet Key  use an AssureNet Pathways SecureNet Key card
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Non-Secure Telnet

Specify what kind of authentication will be used to validate this user when logging in from the non-secure network interface. The choices are:
                    deny  user cannot login to the firewall
                    none  use no authentication
                password  use password authentication
           SecureNet Key  use a Digital Pathways SecureNet Key card
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Secure IP

Enter the kind of authentication to be used when this user uses Secure IP Security Authentication:
                    deny  user cannot authenticate
                password  use password authentication

Non-Secure IP

Enter the kind of authentication to be used when this user uses Non-Secure IP Security Authentication:
                    deny  user cannot authenticate
                password  use password authentication

Note that this field should be set to "password" if this user is being set up for the Secure Remote Client function. See the Secure Remote Client section in the Users' Guide for more information.

Secure Administration

Specify what kind of authentication will be used to validate this user when logging in from the secure network interface for administration. The choices are:
                    deny  user cannot login to the firewall
                    none  use no authentication
                password  use password authentication
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Non-Secure Administration

Specify what kind of authentication will be used to validate this user when logging in from the non-secure network interface for administration. The choices are:
                    deny  user cannot login to the firewall
                    none  use no authentication
                password  use password authentication
            SecurID Card  use a Security Dynamics SecurID Card
           User-Supplied  use the authentication method supplied
                          by you

Securenet Key

Enter the same key code that will be used to prime the AssureNet Pathways SecureNet Key card.

Warning Time

The warning time is the maximum time in minutes that the user can remain idle before a warning message is issued that the user is about to be disconnected.

Disconnect Time

The disconnect time is the maximum time in minutes that the user can remain idle before being disconnected. The disconnect time must be greater than the warning time.

Set Password

Select "Yes" if you wish for this user to be authenticated by password. Select "No" if a password is not required.

New Password (User Panel)

Enter a new password for this user in this field. Note that passwords are case-sensitive. If you enter a user's password in mixed-case, the user must then enter the password identically. If you have workstations that work in uppercase only, enter passwords for those users in uppercase. Also note that the maximum length for a password is 8 characters.

New Password (Again Please)

This field is for confirmation purposes. Re-enter the exact password again.

Login Retries

The number of consecutive unsuccessful login attempts the user is allowed. If this number is exceeded, the account is locked and the user cannot log in. If 0 is specified, this function is disabled. The default displayed value of this field can be altered by the administrator by changing the corresponding value in the user called fwdpuser. The maximum number allowed by this firewall is 20. This field is only applicable if the authentication method is password.

Note: To unlock a user's account that was locked because of too many failed logins, the system administrator can use the Reset User's Failed Login Count menu item under the Users menu item of the Security & Users menu.


Expired Password Warning

Specifies the number of days prior to the expiration of the user's password when a warning message is issued. The value is a decimal integer string. The message appears each time the user logs in during this warning period, and gives the date when the user's password will expire. If the administrator wants to change the displayed value of this field, he can do so by altering the corresponding value in the user called fwdpuser. The maximum allowed by this firewall is 30. This field is only applicable if the method of authentication is password.

Num Passwords Before Reuse

The number of previous passwords that the user will not be able to reuse. The value is a decimal integer string. The interpretation of this value may depend on the value of the WEEKS before password reuse attribute. If 0 is specified, any previous password can be reused as long as the WEEKS before password reuse time has elapsed. The maximum allowed by this firewall is 20. The default displayed value of this field can be changed by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Weeks Before Password Reuse

The number of weeks that must pass before a user is able to reuse a password after it has been selected as the user's current password. The value is a decimal integer string, and the recommended number of weeks is 26 (six months). The interpretation of this value may depend on the value of the NUMBER OF PASSWORDS before reuse attribute. If 0 is specified, any former password may be reused as long as the NUMBER OF PASSWORDS before reuse attribute has been satisfied. The maximum allowed by this firewall is 52. The default displayed value of this field can be changed by the administrator by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Weeks Before Lockout

The number of weeks after the user's password expires (reaches its maximum age) during which the user can still change the password. If this time period passes without a password change, the user account no longer allows logins until an administrator resets the password. The value is a decimal integer string. If 0 is specified, logins will be prevented at the time the password expires. If -1 is specified, this feature is disabled. If Password MAX. AGE is 0, any value entered here is ignored. The maximum allowed by this firewall is 26. The default of this field can be altered by changing the corresponding value in the user called fwdpuser by the administrator.

This field is only applicable if the authentication method is password.


Max Age

Defines the maximum age (in weeks) for the user's password. When the password reaches this age, the system requires it to be changed before the user can log in again. The value is a decimal integer string. If 0 is specified, this feature is disabled. The maximum allowed by this firewall is 52. The default displayed value of this field can be changed by the administrator by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Min Length

Defines the minimum number of characters that the user's password must have. The value is a decimal integer string. If 0 is specified, there is no minimum length. The default displayed value of this field can be altered by the administrator by changing the corresponding value in the user called fwdpuser. The maximum allowed by this firewall is 8.

This field is only applicable if the authentication method is password.


Min Alpha Chars

Defines the minimum number of alphabetic characters that must be in the user's password. The value is a decimal integer string. If 0 is specified, no minimum number of alphabetic characters is required. The maximum allowed by this firewall is 8. The default displayed value of this field can be changed by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Min Other Chars

Defines the minimum number of nonalphabetic characters that must be in the user's password. The value is a decimal integer string. If 0 is given, no minimum number of nonalphabetic characters is needed. The maximum allowed by this firewall is 8. The default displayed value of this field can be changed by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Max Repeated Chars

Defines the maximum number of times a character can be repeated within the user's new password. The value is a decimal integer string. If 0 is specified, any number of characters can be repeated. The maximum allowed by this firewall is 8. The default displayed value of this field can be changed by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.


Min Different Chars

Defines the minimum number of alphabetic characters required in the user's new password that were not in the old password. The value is a decimal integer string. If 0 is given, this requirement is disabled. The maximum allowed by this firewall is 8. The default displayed value of this field can be changed by changing the corresponding value in the user called fwdpuser.

This field is only applicable if the authentication method is password.
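The password-quality and reuse fields above, from Num Passwords Before Reuse through Min Different Chars, combine as follows. This is an added Python example and not part of the IBM Firewall help or product: the field names follow the panel, the policy values and the password history are constructed samples, and the counting of repeated characters is an assumed interpretation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy holder mirroring the Users-panel fields; values are constructed examples.
@dataclass
class PasswordPolicy:
    min_length: int = 8          # Min Length (0 = no minimum; firewall maximum is 8)
    min_alpha: int = 2           # Min Alpha Chars
    min_other: int = 2           # Min Other Chars
    max_repeated: int = 2        # Max Repeated Chars (0 = any number of repeats)
    min_different: int = 3       # Min Different Chars (0 = disabled)
    num_before_reuse: int = 5    # Num Passwords Before Reuse (0 = any, subject to weeks)
    weeks_before_reuse: int = 26 # Weeks Before Password Reuse (0 = any, subject to count)

def check_composition(new, old, policy):
    """Return the names of the panel fields a candidate password violates ([] = acceptable)."""
    problems = []
    if len(new) > 8:
        problems.append("maximum length 8")
    if policy.min_length and len(new) < policy.min_length:
        problems.append("Min Length")
    alpha = sum(c.isalpha() for c in new)
    if alpha < policy.min_alpha:
        problems.append("Min Alpha Chars")
    if len(new) - alpha < policy.min_other:
        problems.append("Min Other Chars")
    # Assumption: "repeated N times" counts the total occurrences of a character.
    if policy.max_repeated and any(new.count(c) > policy.max_repeated for c in set(new)):
        problems.append("Max Repeated Chars")
    # Alphabetic characters of the new password that did not appear in the old one.
    if policy.min_different:
        fresh = {c for c in new if c.isalpha()} - set(old)
        if len(fresh) < policy.min_different:
            problems.append("Min Different Chars")
    return problems

def reuse_allowed(candidate, history, today, policy):
    """history: (password, date_set) pairs, newest first, current password included.
    A former password is reusable only when BOTH the count and the age limits have
    been satisfied; a 0 in either field waives that field alone."""
    for index, (password, when) in enumerate(history):
        if password != candidate:
            continue
        too_recent_by_count = policy.num_before_reuse and index < policy.num_before_reuse
        too_recent_by_age = (policy.weeks_before_reuse
                             and today - when < timedelta(weeks=policy.weeks_before_reuse))
        if too_recent_by_count or too_recent_by_age:
            return False
    return True

# Constructed sample history and reference date; a real system keeps hashes, not plaintext.
SAMPLE_HISTORY = [("Rx7!kq2#", date(2024, 5, 1)), ("Old1pw!!", date(2023, 1, 1)),
                  ("Zz9$qwe1", date(2022, 1, 1))]
SAMPLE_TODAY = date(2024, 6, 1)
```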


Logon Mode (User)

Select Host if this user is allowed to administer the firewall that is installed on this host.

Administration Function Selection

Choose the functions that this administrator will be allowed to configure.
Network Objects--Click on this item to allow this network administrator to configure network objects. If Network Objects is selected, decide if you would like this user to have either "Basic" or "Advanced" access to the Network Objects. Advanced and Basic are defined as follows:
  • Basic--This user cannot modify or delete existing Network Objects. This user can, however, copy or add new Network Objects.
  • Advanced--All Network Objects functions are available to this user.
See Network Objects in the User's Guide for more information.

Traffic Control--Click on this item to allow this network administrator to configure Traffic Control functions. See Controlling Traffic Through the Firewall in the User's Guide for more information.

NAT--Click on this item to allow this network administrator to configure Network Address Translation. See Translating Network Addresses in the User's Guide for more information.

DNS--Click on this item to allow this network administrator to configure domain name services. See Handling Domain Name and Mail Services in the User's Guide for more information.

Mail--Click on this item to allow this network administrator to configure mail services. See Handling Domain Name and Mail Services in the User's Guide for more information.

Virtual Private Network--Click on this item to allow this network administrator to configure the virtual private network for this firewall. See Creating a Virtual Private Network in the User's Guide for more information.

Proxy Administration--Click on this item to allow this network administrator to configure proxy services. See Using Proxy Servers in the User's Guide for more information.

Users--Click on this item to allow this network administrator to define users. See Administering Users at the Firewall in the User's Guide for more information.

SNMP--Click on this item to allow this network administrator to configure the Simple Network Management Protocol agent on the firewall. See SNMP in the User's Guide for more information.

Log Facilities--Click on this item to allow this network administrator to configure the system logs. See Managing Log and Archive Files in the User's Guide for more information.

Log Monitor--Click on this item to allow this network administrator to configure the log monitor function. See Monitoring the Firewall Logging in the User's Guide for more information.

Secure/Non-Secure Interface--Click on this item to allow this network administrator to configure the security status of interfaces on the firewall. See Designating Your Network Interface in the User's Guide for more information.

Pager--Click on this item to allow this network administrator to set up the pager. See Pager Notification Support in the User's Guide for more information.

OK

Press the "OK" button to save changes and close the window.

Cancel

Press the "Cancel" button to close the window without saving any changes.