Re: [Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- Subject: Re: [Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- From: Peter Link <email@hidden>
- Date: Wed, 5 Dec 2007 09:26:56 -0800
Shawn,
Thank you for the information but the man
page for pwpolicy on 10.5.1 needs to be updated
(11/13/2002 for OSX Server) as does the recently
released Command_Line_Admin_v10.5.pdf (11/26/07)
manual. The new manual seems to only address
using this command to access a remote Mac and
doesn't list the syntax for a local Mac as you
described below.
I asked in a separate email which of the
settings actually work on a Leopard client since
there were limitations on the Tiger client. I
believe all settings work on an OSX server when
using managed clients but not everything worked
on a Tiger standalone client. I would like
someone else to test this since I hosed Tiger
systems using too many settings.
Thanks.
At 2:30 PM -0500 11/25/07, Shawn A. Geddis wrote:
On Nov 19, 2007, at 10:50 AM, Michael wrote:
On Nov 16, 2007, at 12:29 PM, James Alcasid wrote:
By default there are no global policy defaults for passwords on MacOSX
Client and Server.
For what you are trying to accomplish check the man pages on pwpolicy.
What you are trying to accomplish might look something like this as an
example:
sudo pwpolicy -a the_admin_username -setglobalpolicy "minChars=8 maxMinutesUntilChangePassword=129600"
Has anyone figured out how to get this to work
in OS X 10.5 without having OS X Server?
Server based password control is a no-go when
you have laptops and other machines not
permanently connected to the network. Every
other OS handles this just fine.
Michael
Michael,
You do not need Mac OS X Server for this to
work. The 'pwpolicy' command was brought over
from OS X Server to OS X to meet requirements
for Common Criteria Certification.
If you just issue the pwpolicy on Mac OS X
without the nodename then you will get the error
that password server is not configured.
$ sudo pwpolicy -getglobalpolicy
password server is not configured.
Problem is that you need to provide the local
nodename for the local domain on the client.
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
To display the Global Policy Settings...
$ sudo pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0
expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=0 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 newPasswordRequired=0
minutesUntilFailedLoginReset=0
notGuessablePattern=0
For example, set the Global Policy Setting for 'minChars':
$ sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=5"
The instructions within the man page and the
CC_AdminGuide are still accurate **IF** you use
the correct nodename to reflect which OS version
you are running on as I noted earlier in this
message:
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
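Added example, not part of the original messages or of any Apple tooling: a shell sketch that picks the local node name by OS version as described in the thread and checks -getglobalpolicy output against a baseline. The function names and the baseline values are assumptions; the sample policy text is the default output quoted above.

```shell
#!/bin/sh
# Map a Mac OS X version to the local directory node named in the thread.
local_node_for_version() {
    case "$1" in
        10.4|10.4.*) echo "/NetInfo/DefaultLocalNode" ;;
        10.5|10.5.*) echo "/Local/Default" ;;
        *) return 1 ;;   # the thread only covers 10.4 and 10.5
    esac
}

# Extract one key's value from "key=value key=value ..." policy text.
# $1 = key, $2 = policy text (space- or newline-separated)
policy_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# List numeric settings that are missing or below the required minimum.
# $1 = policy text, $2 = baseline as "key=min key=min ..."
policy_gaps() {
    gaps=""
    for req in $2; do
        key=${req%%=*}; min=${req#*=}
        cur=$(policy_value "$key" "$1")
        if [ -z "$cur" ] || [ "$cur" -lt "$min" ]; then
            gaps="$gaps$key(${cur:-missing}<$min) "
        fi
    done
    printf '%s' "${gaps% }"
}

# Sample input: the 10.5 default output quoted in the thread.
SAMPLE_POLICY="usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0
expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=0 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 newPasswordRequired=0
minutesUntilFailedLoginReset=0 notGuessablePattern=0"

# Hypothetical baseline; substitute your site's required values.
BASELINE="minChars=8 requiresAlpha=1 requiresNumeric=1"

# On a real client (not run here):
#   node=$(local_node_for_version "$(sw_vers -productVersion)")
#   policy_gaps "$(sudo pwpolicy -n "$node" -getglobalpolicy)" "$BASELINE"
```

Against the default output above, policy_gaps reports all three baseline keys, which matches the statement in the thread that no global password policy is set by default.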