Hello (again), has anyone out there successfully set up their 10.3.6 box exactly as Apple's "Common Criteria Configuration and Administration Guide" prescribes?
I've done at least 5 separate installs of 10.3.9, 10.3.6 (exactly as the Guide), and 10.3.6 Server.
I can't seem to get the pwpolicy -setglobalpolicy to actually apply to newly created accounts. I'm also finding that even if I explicitly set the policy for a user (via pwpolicy commands with Terminal), there is no reinforcement of the password rules. Probably due to what I found below...
I struggled for a long time to figure out a few things.
It seems as though using 10.3.x Client - by creating a new user via the System preferences, the password type is "Shadow Password" - which has no password enforcement rules.
When I installed 10.3.6 Server, and created a new user from the Sys Prefs, the same thing - password type is "Shadow Password" AND if I create a user on 10.3.6 Server via the "Workgroup Manager" STILL the default pass type is "Shadow Password" - if I change it to "Open Directory" using the Workgroup Manager, only then can I start enforcing rules. - makes sense - only Open Dir can enforce password rules.
I'm familiar with Apple's attempted migration from "Shadow Pass" to "Open Directory" although I don't recall the system rev number where that kicks in 100%.
So I need to know (minimally) how do I get the Open Directory to be the default password type for all new users regardless of whether they're added from the Sys Prefs or the Workgroup Manager??
I've followed the Apple Guide verbatim (x5), but when my DSS inspector puts it through its paces it'll certainly fail on passwording alone.
The impression that I had from the Guide led me to believe that it could all be done. I'm hoping I can pull it off.
One oddity in the setup - and I don't think this is the problem: On page 33 of the guide - we're told to make changes to the "sshd_config" file, and there's a table of variables to set to yes/no. Well, there are only 3 of the 12 even found in the "sshd_config" file. I did find 3 more in the "ssh_config" (no daemon). But 6 of 12 are unaccounted for. I could add the entries (all "no" anyways) but I wouldn't know where. The guide also states (page 33) "In the sshd_config file, all options are listed, but are commented out...."
Anyone have any ideas?
Thanks, Jason
email@hidden
_____________________________________ Jason C. Dickinson Terahertz Scientist Submillimeter-Wave Technology Laboratory University of Massachusetts Lowell ______________________________________
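Added example, not part of the original post or of Apple's guide: a shell audit that reports, for each required sshd_config keyword, whether it is active, only present as a commented-out default, or absent, which is the three-way split the post describes. The function names, the sample file and the keyword list are constructed for illustration (the guide's actual table of 12 options is not reproduced here); sshd uses the first active value it reads for each keyword.

```shell
# classify_directive FILE KEYWORD (hypothetical helper, this example's own)
# Prints "active <value>", "commented <value>" or "missing".
# Keywords are case-insensitive; the first active value is the one sshd uses.
classify_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); state = "missing" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = 0
            if (line ~ /^#/) { commented = 1; sub(/^#[ \t]*/, "", line) }
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != want) next
            if (!commented) { print "active " f[2]; found = 1; exit }
            if (state == "missing") state = "commented " f[2]
        }
        END { if (!found) print state }
    ' "$1"
}

# audit_sshd FILE, with required "Keyword value" pairs on stdin.
audit_sshd() {
    file=$1
    while read -r key want; do
        [ -n "$key" ] || continue
        result=$(classify_directive "$file" "$key")
        case $result in
            "active $want") echo "OK $key $want" ;;
            active*)        echo "CHANGE $key from ${result#active } to $want" ;;
            commented*)     echo "UNCOMMENT $key and set it to $want" ;;
            *)              echo "ADD $key $want" ;;
        esac
    done
}

# Constructed sample file and requirement list (not Apple's table).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding yes
EOF
audit_sshd "$sample" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
HostbasedAuthentication no
EOF
rm -f "$sample"
```

Run the same audit against ssh_config separately: client-side keywords found there do not configure the daemon.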