[Fed-Talk] How to use pwpolicy for setting local password policies?
- Subject: [Fed-Talk] How to use pwpolicy for setting local password policies?
- From: "Dan O'Donnell" <email@hidden>
- Date: Tue, 14 Jun 2005 11:21:14 -0700
I'm not an expert either in unix or in security policies in the unix world.
I am trying to configure a selection of our machines for secure computing,
which requires specific password policies (restrictions for characters,
expiration, and failed login attempts) on certain user accounts.
The short story is that it is not working, though there doesn't seem to be
an obvious reason why.
The man page for pwpolicy states that I can use a simple command with
specified arguments, along the lines of the following (for a single user
account):
pwpolicy -u <username> -setpolicy "policy string for chars, expiration,
failed attempts"
It looks good according to the man page, but doesn't work. The man page
calls another argument of -a for authenticator, but has no description of
what this is aside from "name of the authenticator".
The failure gives no clue as to why; it only returns '>', which is not even
a command prompt. A pwpolicy -getpolicy returns the same '>'.
I looked to the Common Criteria Configuration Guide which, on page 48, has a
slightly similar command but with the exceptions that it specifies a call to
a user node in the NetInfo directory so that the command looks like the
following, and specifies the name of the authenticator (which I assume is
the admin account entering the command):
pwpolicy -n /NetInfo/DefaultLocalNode -a <username> -setglobalpolicy "policy
string"
I don't want a global policy, so I used -setpolicy which is a legitimate
argument according to the man pages. The machine asks for a password, and
then returns to a command prompt.
This did not work either, though at least it returns a message of " is
not a password server account."
There does not appear to be any obvious way to set the policies directly in
NetInfo either.
At this time authentication to Active Directory has been proven to work but
is not an option. Management by Workgroup Manager is not an option either.
These machines must be standalone, with the policy built into each.
Has anybody seen and solved this problem before, and can point me to an
error in my ways?
Thanks,
Dan O'Donnell
--
Dan O'Donnell
Information Services, Macintosh Technology Lead
RAND Corporation
Phone 310.393.0411 x6637
Fax 310.260.8143
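The post never shows what a working policy string or the full per-user command looks like. The following shell script is an added example, not part of the original message or of Apple's tooling: it validates a pwpolicy-style "key=value key=value" policy string before handing it to the tool, and assembles the local-node, per-user form of the command the poster was trying to run. The policy key names (minChars, requiresAlpha, requiresNumeric, maxMinutesUntilChangePassword, maxFailedLoginAttempts, usingHistory and the others listed) are taken from memory of the pwpolicy(8) man page of that era and should be checked against the man page on the target system; the node path, admin name, user name and policy values in the sample are constructed. Where pwpolicy is not installed, the script only prints the command it would run, so it can be dry-run on any POSIX shell.

```shell
#!/bin/sh
# Added example: validate a pwpolicy policy string and build the per-user
# command for the local NetInfo node. Key names assumed from pwpolicy(8);
# sample values below are constructed, not from the original post.

# Map a policy key to its value type: int, bool (0/1) or unknown.
policy_key_type() {
    case "$1" in
        minChars|maxChars|maxMinutesUntilChangePassword|maxFailedLoginAttempts|usingHistory)
            echo int ;;
        requiresAlpha|requiresNumeric|canModifyPasswordforSelf|newPasswordRequired)
            echo bool ;;
        *)  echo unknown ;;
    esac
}

# validate_policy "k=v k=v ..." -> returns 0 only if every token is a known
# key with a value of the right type; otherwise reports the bad token on stderr.
validate_policy() {
    for tok in $1; do
        key=${tok%%=*}
        val=${tok#*=}
        if [ "$key" = "$tok" ]; then
            echo "bad token (no '='): $tok" >&2
            return 1
        fi
        case "$(policy_key_type "$key")" in
            int)
                case "$val" in
                    ''|*[!0-9]*) echo "non-integer value for $key: $val" >&2; return 1 ;;
                esac ;;
            bool)
                case "$val" in
                    0|1) ;;
                    *) echo "boolean key $key must be 0 or 1: $val" >&2; return 1 ;;
                esac ;;
            *)
                echo "unknown policy key: $key" >&2
                return 1 ;;
        esac
    done
    return 0
}

# build_pwpolicy_cmd NODE ADMIN USER POLICY -> prints the command line.
# -n selects the directory node, -a the authenticating admin, -u the
# account whose (non-global) policy is set, as in the post's examples.
build_pwpolicy_cmd() {
    printf 'pwpolicy -n %s -a %s -u %s -setpolicy "%s"\n' "$1" "$2" "$3" "$4"
}

# apply_policy NODE ADMIN USER POLICY: validate first, then run pwpolicy if
# it exists (macOS); elsewhere print the command for a dry run.
apply_policy() {
    validate_policy "$4" || return 1
    if command -v pwpolicy >/dev/null 2>&1; then
        pwpolicy -n "$1" -a "$2" -u "$3" -setpolicy "$4"
    else
        build_pwpolicy_cmd "$@"
    fi
}

# Constructed sample: 8+ chars with letters and digits, 90-day expiry
# (129600 minutes), lockout after 5 failures, remember 4 old passwords.
SAMPLE_POLICY="minChars=8 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=129600 maxFailedLoginAttempts=5 usingHistory=4"

# Dry run with constructed node/admin/user names.
apply_policy /NetInfo/DefaultLocalNode localadmin alice "$SAMPLE_POLICY"
```

Validating the string first matters because pwpolicy's own feedback on a malformed argument was, as the post describes, a bare '>' prompt with no diagnostic; catching a misspelled key or a non-numeric value before invoking the tool separates "bad policy string" from "authentication or node problem" when troubleshooting.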