Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- Subject: Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- From: Michael Kluskens <email@hidden>
- Date: Wed, 15 Jun 2005 09:07:04 -0400
On Jun 14, 2005, at 5:40 PM, Joel Rennich wrote:
> Starting around 10.3.6 pwpolicy was about 90% functional on OS X
> client without an OS X Server. The missing options were:
> ...newPasswordRequired - this would force an immediate change, and
> would certainly be useful to have
> Some assembly required...
OS X 10.4.1
Very first example in the man page (the referenced web page is a
rehash of the man page, no new information; however, a search on
pwpolicy on that web site brings up helpful information):
> pwpolicy -getglobalpolicy
password server is not configured.
The man page VERY specifically says "Mac OS X Server"
However,
> pwpolicy -getpolicy -u johnsmith
newPasswordRequired=0
With -v it's more interesting. Next try setting this value, but you
need a system account:
> pwpolicy -v -a systemadmin -setpolicy "newPasswordRequired=0" -u johnsmith
Enter the password for the local account systemadmin.
Lots of interesting stuff, including:
newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0
requiresNumeric=0 expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0
The first big gaping HOLE in OS X password requirements: NO
requirement for symbols or mixed case (see below for what that means
when cracking passwords). That is a requirement for good reason at
this facility.
Now again try:
> pwpolicy -getpolicy -u johnsmith
For comparison try another local account.
For individual policies you can do things like the following:
pwpolicy -a systemadm -setpolicy "minChars=8 requiresNumeric=1 requiresAlpha=1" -u johnsmith
Next for global policies from <http://www.afp548.com/comment.php?mode=view&cid=1419>:
pwpolicy -n /NetInfo/DefaultLocalNode -a systemadmin -setglobalpolicy "minChars=8 requiresNumeric=1 requiresAlpha=1"
(the -n specifier may be optional on a local machine)
Individual accounts will NOT use the global policy unless you tell
them to.
-------------------------------------------------------
To evaluate your password security try:
> pwpolicy -gethashtypes -u johnsmith
SALTED-SHA1
SMB-LAN-MANAGER
SMB-NT
To remove the gaping security hole:
> pwpolicy -a systemadmin -u johnsmith -sethashtypes SMB-NT off SMB-LAN-MANAGER off
Now try -gethashtypes again.
To properly clean house:
pwpolicy -a systemadmin -setglobalhashtypes SMB-NT off SMB-LAN-MANAGER off
Of course, to properly verify that those nasty SMBs are gone you have
to go and look at the OS X hash files.
Side effects are possible if these SMBs are used to access Windows
machines/servers in an automatic fashion.
At least one of the SMB password types is easy to crack and password
cracking trojans have been created for OS X to attack the SMB
password (classic M$ passwords, 14 characters, but you break each
block of seven characters individually starting with dictionary words
in combination with numbers and symbols (enough people are
predictable enough to make cracking most passwords fast enough), but
case is not considered in these hashes, so that reduces the search
space a lot, dictionary words are found instantly, with no symbols
that's 36 possible characters in 7 places which is about 78 billion
possibilities for a brute force search, a lot of possibilities but
how long does it take a dual 2.7 G5 to search that space, not as long
as you would think). Yes the trojan requires system access, but once
a trojan is in an user account there are ways to get administrative
access and a trojan has infinite patience (reading the security
advisories for Unix/Linux and OS X gives some clues to possible
approaches, plus more clues can found, a one week course is how
classical Unix cracks are done is enough to open most people's eyes
if they don't glaze over first). This is assuming none of the
individual desktop machines in an organization have a user who is
also an adminstrator--a little hard with certain non-administrative
programs, i.e. Adobe Acrobat wants to be used by an admin account on
one machine here.
You don't know how secure your passwords are until you've run a
password cracker on them (signed permission required from higher up
of course) and if you haven't run a password cracker on the OS X
password hash files then you shouldn't have any confidence in them.
I highly recommend tripwire for OS X; it helps to know what is
changing on a machine if you wish to keep it secure. Of course some
people are not interested in keeping their machines secure, they are
only interested in dotting the i's and crossing the t's.
michael
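An added check, not part of the original post: a small POSIX shell audit that parses the key=value listing printed by `pwpolicy -getpolicy` and the list printed by `pwpolicy -gethashtypes`, and reports the gaps the post describes (no minimum length, no alpha/numeric requirement, no lockout, LM hash still stored). The sample output below is constructed from the post's own listings, and the function names (`policy_value`, `audit_policy`) are my own.

```shell
# Constructed sample output, modelled on the post's listings for "johnsmith".
# On a real 10.4 box you would capture:  pwpolicy -getpolicy -u "$user"
# and:                                    pwpolicy -gethashtypes -u "$user"
SAMPLE_POLICY='newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0'
SAMPLE_HASHES='SALTED-SHA1
SMB-LAN-MANAGER
SMB-NT'

# policy_value KEY "POLICY_LINE": print KEY's value from a space-separated
# key=value listing, or nothing if the key is absent.
policy_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# audit_policy "POLICY_LINE" "HASH_LIST": print one finding per line and
# return 0 if the account meets the baseline, 1 otherwise.
audit_policy() {
    rc=0
    # Baseline from the post: minChars=8 requiresAlpha=1 requiresNumeric=1.
    [ "$(policy_value minChars "$1")" -ge 8 ] 2>/dev/null || { echo "minChars below 8"; rc=1; }
    [ "$(policy_value requiresAlpha "$1")" = 1 ]          || { echo "requiresAlpha not set"; rc=1; }
    [ "$(policy_value requiresNumeric "$1")" = 1 ]        || { echo "requiresNumeric not set"; rc=1; }
    # 0 means no lockout at all; brute force is never slowed down.
    [ "$(policy_value maxFailedLoginAttempts "$1")" -gt 0 ] 2>/dev/null || { echo "no lockout (maxFailedLoginAttempts=0)"; rc=1; }
    # The LM hash is the one the post singles out as easy to crack.
    printf '%s\n' "$2" | grep -q '^SMB-LAN-MANAGER$' && { echo "LM hash (SMB-LAN-MANAGER) still stored"; rc=1; }
    return $rc
}

# Run stand-alone against the constructed sample.
audit_policy "$SAMPLE_POLICY" "$SAMPLE_HASHES" || echo "account fails baseline"
```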