Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- Subject: Re: [Fed-Talk] How to use pwpolicy for setting local password policies?
- From: Michael Kluskens <email@hidden>
- Date: Wed, 15 Jun 2005 16:07:43 -0400
On Jun 15, 2005, at 9:07 AM, Michael Kluskens wrote:
> newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1
> usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0
> requiresNumeric=0 expirationDateGMT=12/31/69
> hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
> maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
> maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0
>
> The first big gaping HOLE in OS X password requirements: NO
> requirement for symbols or mixed case (see below for what that
> means when cracking passwords). That is a requirement for good
> reason at this facility.
Correction: a mixed case requirement exists, but it won't take:
admin% pwpolicy -n /NetInfo/DefaultLocalNode -a systemadm -setglobalpolicy "minChars=8 requiresNumeric=1 requiresAlpha=1 usingHistory=15 maxMinutesUntilChangePassword=525600 passwordCannotBeName=1 maxFailedLoginAttempts=10 requiresMixedCase=1"
admin% pwpolicy -n /NetInfo/DefaultLocalNode -a systemadm -getglobalpolicy
usingHistory=15 canModifyPasswordforSelf=1 usingExpirationDate=0
usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1
expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=525600 maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0 maxFailedLoginAttempts=10 minChars=8 maxChars=0
passwordCannotBeName=1 requiresMixedCase=0 newPasswordRequired=0
Most of these settings don't work with -setpolicy or -setpolicyglobal,
or something is stuck and won't take.
admin% pwpolicy -a sysadm -setpolicyglobal -u johnsmith
admin% pwpolicy -getpolicy -u johnsmith
newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0
requiresNumeric=0 expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0
Launching NetInfo Manager shows this info for the user, but the global
policy is either preventing additional changes to the user settings
or somehow messing something up.
The per-user setting appears in NetInfo Manager under the new
property "passwordpolicyoptions", which is hard to work with because
you only get to see one line at a time; however, when I copied this
property to another account I now get a disclosure triangle and get
to see most of this property at once (as XML).
The global setting is under config shadowhash and again appears as
one line; one of the possible properties is optional_hash_list, as
well as passwordpolicyoptions.
Since pwpolicy was not setting the values I wanted, I edited both the
global and the per-user setting.
I logged out and tested my account: I could still log in, and when I
went to change my password it told me when my password was too short,
it told me I didn't have any numbers when I used the proper length,
but it permitted me to use my last name followed by a 1.
Definitely needs some work, or a means to transfer password checking
to another piece of software. I configured checkpassword out of
npasswd on our SGIs and it is possible to prevent all sorts of bad
password choices, just like what is built into Linux (maintaining Linux is
no fun in every other aspect).
michael
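As an added example, not code from the original post and not part of Apple's pwpolicy: a small POSIX sh script with the two checks the procedure above calls for. policy_diff compares the policy string handed to -setglobalpolicy with what -getglobalpolicy reports back, so a key that silently does not take (requiresMixedCase in the message) is flagged instead of trusted. check_password applies the rules the post wanted enforced, with a symbol rule pwpolicy did not offer and a substring test against the account holder's name, so that a surname followed by a digit is rejected. The sample policy output is constructed from the text quoted in this message; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
#   policy_diff    - compare the policy string given to -setglobalpolicy with
#                    the -getglobalpolicy output, flagging keys that did not take.
#   check_password - the rules the post wanted, including a substring match
#                    against the account holder's name ("<lastname>1" is rejected).
# Sample data below is constructed from the output quoted in the post.

# policy_value KEY "k1=v1 k2=v2 ..."  -> prints KEY's value, returns 1 if absent
policy_value() {
    key=$1
    shift
    for kv in $*; do                      # word-split the space-separated policy
        case $kv in
            "$key"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# policy_diff "DESIRED" "ACTUAL" -> one line per key that differs or is
# missing from ACTUAL; returns 0 only if every requested key took.
policy_diff() {
    desired=$1
    actual=$2
    rc=0
    for kv in $desired; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(policy_value "$key" "$actual") || got='<missing>'
        if [ "$got" != "$want" ]; then
            printf 'NOT APPLIED: %s wanted=%s got=%s\n' "$key" "$want" "$got"
            rc=1
        fi
    done
    return $rc
}

# check_password PASSWORD "FULL NAME" -> prints each failed rule, returns 1
# on any failure. The symbol and name rules go beyond what pwpolicy offered.
check_password() {
    pw=$1
    name=$2
    ok=0
    [ ${#pw} -ge 8 ] || { echo "too short (minChars=8)"; ok=1; }
    printf '%s' "$pw" | grep -q '[0-9]' || { echo "needs a digit"; ok=1; }
    printf '%s' "$pw" | grep -q '[a-z]' && printf '%s' "$pw" | grep -q '[A-Z]' \
        || { echo "needs mixed case"; ok=1; }
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "needs a symbol"; ok=1; }
    # Name rule: any word of the name (3+ chars), case-insensitive, anywhere in
    # the password. This is what catches "<lastname>1", which the post's
    # passwordCannotBeName=1 let through.
    lpw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $name; do
        lw=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
        [ ${#lw} -ge 3 ] || continue
        case $lpw in
            *"$lw"*) echo "contains name part '$w'"; ok=1 ;;
        esac
    done
    return $ok
}

# The policy the post tried to set.
DESIRED='minChars=8 requiresNumeric=1 requiresAlpha=1 usingHistory=15 maxMinutesUntilChangePassword=525600 passwordCannotBeName=1 maxFailedLoginAttempts=10 requiresMixedCase=1'

# Constructed sample: the -getglobalpolicy output quoted in the post, on one line.
SAMPLE_ACTUAL='usingHistory=15 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=525600 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=10 minChars=8 maxChars=0 passwordCannotBeName=1 requiresMixedCase=0 newPasswordRequired=0'

# Offline run against the constructed sample; flags requiresMixedCase.
policy_diff "$DESIRED" "$SAMPLE_ACTUAL" || echo "=> at least one setting did not take"
check_password 'Kluskens1' 'Michael Kluskens' || echo "=> Kluskens1 rejected"

# On the box itself (same node and admin account as in the post):
#   pwpolicy -n /NetInfo/DefaultLocalNode -a systemadm -setglobalpolicy "$DESIRED"
#   ACTUAL=$(pwpolicy -n /NetInfo/DefaultLocalNode -a systemadm -getglobalpolicy | tr '\n' ' ')
#   policy_diff "$DESIRED" "$ACTUAL"
```

policy_diff only checks the keys you asked for, so unrelated keys that pwpolicy prints (expirationDateGMT, maxChars) do not cause noise; a missing key is reported as `<missing>` rather than silently treated as applied.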
_______________________________________________
Fed-talk mailing list (email@hidden)