Authentication Order
Cerberus FTP Server can authenticate against several different types of data sources. The current possible authentication sources include the Native user system, Active Directory (AD), and LDAP. You can have multiple AD and LDAP servers configured, and Cerberus will check each one and attempt to match a username and password. Cerberus will try each authentication source in order until a successful authentication occurs or until all sources fail authentication.
User Manager Policy Page
The order in which authentication sources are checked is determined by the Authentication Order list box. You can move authentication sources up and down in the order depending on your needs.
Authentication Requirements
The Disable Account and Password Storage Format options only apply to Cerberus Native accounts.
- Disable Account After x Failed Attempts - The Native account becomes disabled after x consecutive failed login attempts. The counter is reset on a successful login.
- Password Storage Format - This is the method Cerberus uses to store password information. Options are MD5, SHA1, SHA256, and SHA512. All options are salted and are performed using FIPS compliant crypto routines if the server is in FIPS mode.
- Stop Authentication Chain if User Exists - If a user is found in an authentication source but the password is incorrect, Cerberus does not proceed to check the other authentication sources.
- Create Home Directory As User For AD - This setting influences how home directories are created for AD users when the default virtual directory mapping mode in AD is set to Global Home/%username% mode. Normally, Cerberus creates the home directory while running under the service account. If this option is enabled, Cerberus will impersonate the AD user before creating the directory. This ensures the home directory is owned by the AD user instead of the service account.
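A simplified model of the ordered chain walk and the Stop Authentication Chain if User Exists option, as an added example (not Cerberus code). The Source class, the result constants and the sample accounts are constructed for illustration; it shows which sources are consulted when the same username is defined in more than one source, and lists such usernames so the ordering can be reviewed.

```python
# Simplified model of an ordered authentication chain (illustrative, not Cerberus code).
import hmac
from dataclasses import dataclass

OK, BAD_PASSWORD, NO_USER = "ok", "bad_password", "no_user"

@dataclass
class Source:
    name: str
    users: dict  # username -> password; constructed sample data (real sources store salted hashes)

    def check(self, username, password):
        if username not in self.users:
            return NO_USER
        same = hmac.compare_digest(self.users[username], password)
        return OK if same else BAD_PASSWORD

def authenticate(order, username, password, stop_if_user_exists):
    """Walk sources in order; return (winning source or None, trace of (source, result))."""
    trace = []
    for source in order:
        result = source.check(username, password)
        trace.append((source.name, result))
        if result == OK:
            return source.name, trace
        if result == BAD_PASSWORD and stop_if_user_exists:
            break  # user exists here with a different password: do not fall through
    return None, trace

def shadowed_usernames(order):
    """Usernames defined in more than one source, with the sources in checking order."""
    seen = {}
    for source in order:
        for user in source.users:
            seen.setdefault(user, []).append(source.name)
    return {user: names for user, names in seen.items() if len(names) > 1}

# Constructed sample configuration: "alice" exists in both Native and LDAP.
NATIVE = Source("Native", {"alice": "n@tive-Pass1", "bob": "bob-Pass2"})
AD = Source("AD", {"carol": "carol-Pass3"})
LDAP = Source("LDAP", {"alice": "ldap-Pass9"})
ORDER = [NATIVE, AD, LDAP]

if __name__ == "__main__":
    for stop in (False, True):
        print("stop =", stop, authenticate(ORDER, "alice", "ldap-Pass9", stop))
    print("defined in several sources:", shadowed_usernames(ORDER))
```

With the option off, the login for "alice" is decided by whichever source accepts the password; with it on, only the first source that knows the username is consulted.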
Password Complexity Requirements
These settings only apply to Cerberus Native accounts.
- Minimum Length - The password must be at least x characters long.
- Require at Least x Letters - The password must contain at least x letters.
- Require at Least x Numbers - The password must contain at least x numbers.
- Require at Least x Special Characters - The password must contain at least x special characters (e.g., %, $, #).
Password Change Policy
These settings only apply to Cerberus Native accounts.
- Require Password Change Every X Days - The server will require that Native account passwords be changed after this number of days.
- Applied to FTP - When checked, this policy is enforced for FTP/S account access. Note that FTP does not have a standard way of changing the account password or prompting the user to change it. Cerberus supports a common extension that allows changing the user password using the SITE PSWD oldpassword newpassword command.
- Applies to SSH SFTP - When checked, this policy is enforced for SSH SFTP account access. SSH has a standard method of allowing users to change their passwords, but many SFTP clients do not implement it.
- Applies to HTTP - When checked, this policy is enforced for HTTP/S account access.
Password History
These settings only apply to Cerberus Native accounts.
- Remember Last X Passwords - Cerberus will save a secure hash of the specified number of most recent passwords that the user has used.
- Can't Reuse Last X Passwords - Cerberus will prevent a user from changing their password to any password used within the specified history count.