Re: [Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- Subject: Re: [Fed-Talk] Setting Global Policy on Client - 'pwpolicy'
- From: Allan Marcus <email@hidden>
- Date: Wed, 23 Jan 2008 16:36:58 -0700
The best I can come up with for Leopard is:
pwpolicy -n /Local/Default -setglobalpolicy "minChars=8 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1"
Note: The pwpolicy is not enforced if you are an admin resetting a
password for a non-admin. Also, there is a bug if you are an admin
setting the password for yourself: if you set it to a too short
password you will get a notification that the pw is too short, but
it makes the change nonetheless! This has been reported to Apple
(Enterprise support ticket 314128).
---
Thanks,
Allan Marcus
505-667-5666
On Dec 5, 2007, at 10:26 AM, Peter Link wrote:
Shawn,
Thank you for the information but the man page for pwpolicy on
10.5.1 needs to be updated (11/13/2002 for OSX Server) as does the
recently released Command_Line_Admin_v10.5.pdf (11/26/07) manual.
The new manual seems to only address using this command to access a
remote Mac and doesn't list the syntax for a local Mac as you
described below.
I asked in a separate email which of the settings actually work on
a Leopard client since there were limitations on the Tiger client.
I believe all settings work on an OSX server when using managed
clients but not everything worked on a Tiger standalone client. I
would like someone else to test this since I hosed Tiger systems
using too many settings.
Thanks.
At 2:30 PM -0500 11/25/07, Shawn A. Geddis wrote:
On Nov 19, 2007, at 10:50 AM, Michael wrote:
On Nov 16, 2007, at 12:29 PM, James Alcasid wrote:
By default there are no global policy defaults for passwords on MacOSX Client and Server.
For what you are trying to accomplish check the man pages on pwpolicy.
What you are trying to accomplish might look something like this as an example:
sudo pwpolicy -a the_admin_username -setglobalpolicy "minChars=8 maxMinutesUntilChangePassword=129600"
Has anyone figured out how to get this to work in OS X 10.5 without having OS X Server? Server-based password control is a no-go when you have laptops and other machines not permanently connected to the network. Every other OS handles this just fine.
Michael
Michael,
You do not need Mac OS X Server for this to work. The 'pwpolicy'
command was brought over from OS X Server to OS X to meet
requirements for Common Criteria Certification.
If you just issue the pwpolicy on Mac OS X without the nodename
then you will get the error that password server is not configured.
$ sudo pwpolicy -getglobalpolicy
password server is not configured.
Problem is that you need to provide the local nodename for the
local domain on the client.
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
To display the Global Policy Settings...
$ sudo pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0
usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0
expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0
maxChars=0 passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 newPasswordRequired=0
minutesUntilFailedLoginReset=0 notGuessablePattern=0
For example, set the Global Policy Setting for 'minChars':
$ sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=5"
The instructions within the man page and the CC_AdminGuide are
still accurate **IF** you use the correct nodename to reflect
which OS version you are running on as I noted earlier in this
message:
On Mac OS X 10.4: /NetInfo/DefaultLocalNode
On Mac OS X 10.5: /Local/Default
- Shawn
_____________________________________________________
Shawn Geddis • Security Consulting Engineer • Apple Enterprise
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden
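An added example, written for this archive page and not taken from any message in the thread: a POSIX shell script that picks the local node name Shawn lists for each OS version and audits a pwpolicy -getglobalpolicy line against the baseline Allan set (minChars=8, requiresAlpha=1, requiresNumeric=1, passwordCannotBeName=1). The policy line embedded below is constructed from the defaults Shawn quoted, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are assumptions.

# Local directory node that pwpolicy -n needs on a standalone client,
# keyed on the OS X version (values as listed by Shawn in the thread).
local_node_for_version() {
    case "$1" in
        10.4|10.4.*) echo /NetInfo/DefaultLocalNode ;;
        10.5|10.5.*) echo /Local/Default ;;
        *) echo "no known local node for OS X $1" >&2; return 1 ;;
    esac
}

# Print the value of one key from "key=value key=value ..." output.
# Exit status 1 if the key is absent.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Compare a policy line with the baseline; print one FAIL line per
# unmet key and return 0 only when every key meets its minimum.
check_baseline() {
    policy=$1; rc=0
    for req in minChars:8 requiresAlpha:1 requiresNumeric:1 passwordCannotBeName:1; do
        key=${req%%:*}; want=${req#*:}
        have=$(policy_value "$policy" "$key") || have=0
        if [ "$have" -lt "$want" ]; then
            echo "FAIL $key=$have (need >= $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the factory defaults Shawn's -getglobalpolicy showed.
DEFAULT_POLICY='usingHistory=0 canModifyPasswordforSelf=1 requiresAlpha=0 requiresNumeric=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0'

# On a live 10.5 client replace the sample with real output, e.g.
#   node=$(local_node_for_version "$(sw_vers -productVersion)")
#   policy=$(sudo pwpolicy -n "$node" -getglobalpolicy)
if check_baseline "$DEFAULT_POLICY"; then
    echo "global policy meets baseline"
else
    echo "global policy does NOT meet baseline"
fi
```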