Expiring Passwords at the User Level
EFT Server's HS-PCI module provides a method for resetting the password
via FTP
and SFTP.
If you do not activate
the HS-PCI module, this feature is disabled after the 30-day trial
period expires.
On HS-PCI-enabled Sites, passwords are set by default to expire in 90
days.
EFT Server checks all accounts for expired passwords daily at midnight,
as well as at Server Startup and each GetAllSites() response. Each day
it also checks whether passwords are <n> days from expiration, and
those passwords are flagged for reminders, if reminders are enabled. All
reminder e-mail messages are sent immediately after flagging the accounts
to be reminded.
If a user with an expired password logs in over FTP, the user is prompted
that the password is expired and must be reset. Until the password is
successfully changed, EFT Server will not process any commands other than
changing the password or exiting. If a user with an expired password logs
in over SFTP, the user is forced to reset the password before continuing
with the login process.
|
|
Password initial reset, expiration, and account management
features only apply to GlobalSCAPE and ODBC authentication sites. These
options are not available if other authentication types (AD, LDAP, etc.)
are used. Password security features all apply to the Server, not to individual
accounts.
There is no way to ask FTP users to change their password prior to logging
in. EFT Server must allow them to login (authenticate), but then prevents
any further interaction with their session until they change their password.
|
To expire a password after
<n> days
In EFT Administrator, connect
to EFT Server and click the Server
tab.
In
the left pane, click the user or User Setting Level you want to configure,
then click the Security tab.
Select
the Allows users to reset their passwords check
box, then click Advanced.
To
expire the password after a certain number of days, select the Expire
passwords in check box, then specify the number of days.
Click Apply to
save the changes on EFT Server.
If reminders
are enabled in EFT Administrator, users are prompted when their
account passwords are about to expire and after the account is expired.
The text of the password
expired message, below, is stored by default in C:\Program
Files\GlobalSCAPE\EFT\PasswordResetMsg.html.
%full_name%, The password for account: %username% has expired.
Please change your password at your earliest convenience. Instructions
for changing your password via FTP, SFTP, and HTTP/S are provided below
for your convenience: 1. Please enter the following URL into your browser:
%reset_page% 2. Supply your current password when prompted 3. Enter your
new password and confirm 4. If approved, exit the browser and login as
normal.
The text of the password
expiration reminder message, below, is stored by default in C:\Program Files\GlobalSCAPE\EFT\PasswordResetReminderMsg.html.
%
full_name%, The password for account: %username% will expire in
%days_left% days. Please change your password at your earliest convenience.
Instructions for changing your password via FTP, SFTP, and HTTP/S are
provided below for your convenience: 1. Please enter the following URL
into your browser: %reset_page% 2. Supply your current password when prompted
3. Enter your new password and confirm 4. If approved, exit the browser
and login as normal.
|
|
You can edit the HTML file for the password messages;
however, be sure not to change the variables, which are enclosed in percent
signs (%text%). |
The account is not disabled; users with expired passwords may login
if they provide their existing password and then the new password. Users
are not allowed to proceed with their session until a password is created
and accepted by the system.
In HTTP/S and SFTP, the authentication request will
be denied.
In FTP, no further FTP commands will be accepted until
the new password is provided and meets any complexity and reuse requirements.
If Expire password in N days is
enabled, /manageaccount and the
reset page are enabled, the password has expired, and the user logs in
with an expired password, EFT Server automatically redirects the authenticated
user to the reset page. (In HTTPS, the user is redirected to the rest
page on the HTTPS port.)
When resetting passwords, all password complexity
requirements, reuse history,
and cyclical password-use checks apply, if those settings are enabled
in EFT Administrator.
On a HS-PCI-enabled Site, a warning
message appears in the following situations:
If the Expire passwords
check box is selected, and the account management / reset page
is enabled, and the password has expired, and the user logs in with an
expired password. If the user logs in with an expired password to the
FTP port, no commands are allowed other than exiting or changing the password
until the password has been changed, a prompt appears to remind the user
to change the password.
If the Expire passwords
check box is selected and an administrator logs in using an expired
password, a warning appears to prompt the administrator to supply a new
password.
If the Expire passwords
check box is selected and a user logs in to the HTTP/S index page
when their password is <n> days from the expiration period (<n> being the value set in the
Remind users box), a prompt appears
to remind the user to change the password.
If you clear the Disallow
password reuse check box or set the expiration value to a number
> 90.
If you disable account management over HTTPS, and the
Expire passwords after <n> days
check boxes is enabled.
If you clear the Expire
passwords after <n> days check box, users for whom HTTPs
login is enabled can change passwords over a dedicated HTTP/S account
management page located at /manageaccount,
which is a reserved path name on EFT Server.
Related Topics
Adding
Users
Expired Password Reminder e-mail