Re: [Fed-Talk] cannot change max login attempts (10.4 Server)
- Subject: Re: [Fed-Talk] cannot change max login attempts (10.4 Server)
- From: email@hidden
- Date: Thu, 30 Sep 2010 14:42:09 -0400
On 9/30/2010 2:10 PM, Link, Peter R. wrote:
> You have to include the NetInfo line even though this isn't documented well. Try running the command specifying the NetInfo and see if it does most of what you need it to do. As I said, it might not do everything. The pwpolicy command was introduced around 10.4 and fully functional in later releases (not referencing NetInfo).
Specifying the node seems to set the local policy:
# sudo pwpolicy -n /NetInfo/DefaultLocalNode -setglobalpolicy "usingHistory=12 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=86400 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=86400 maxFailedLoginAttempts=6 minChars=12 maxChars=0 passwordCannotBeName=1 requiresMixedCase=1 newPasswordRequired=0 minutesUntilFailedLoginReset=15 notGuessablePattern=1"
# pwpolicy -n /NetInfo/DefaultLocalNode -getglobalpolicy
usingHistory=12 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=86400 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=86400 maxFailedLoginAttempts=6 minChars=12 maxChars=0 passwordCannotBeName=1 requiresMixedCase=1 newPasswordRequired=0
But I would think that would only affect accounts in the Local node (i.e. not the OD/LDAPv3 node). In any case, it still isn't locking out accounts after 6 bad SSH login attempts. :(
>
> Unfortunate about your software not running on anything newer than 10.4. That will become a problem as soon as your current hardware fails. I'd suggest finding someone who can update that software before it doesn't have something to run on.
We are working on updating the software already. In the meantime I need to at least attempt to follow the NIST guidelines for the server configuration.
--
Rob
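
Added example, not part of the original message: a shell check that compares the policy string passed to -setglobalpolicy with the string -getglobalpolicy reports, listing keys that are not echoed back or come back with a different value. The function names policy_value and policy_diff are hypothetical; the two sample strings are copied from the message above.

```shell
#!/bin/sh
# Compare a requested pwpolicy global policy with the reported one.
# Assumes space-separated key=value pairs whose values contain no spaces.

# policy_value POLICY KEY: print KEY's value; return 1 if KEY is absent.
policy_value() {
    for pair in $1; do
        case "$pair" in
            "$2"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# policy_diff WANT GOT: one line per key of WANT that GOT lacks or changes.
policy_diff() {
    want=$1
    got=$2
    for pair in $want; do
        key=${pair%%=*}
        val=${pair#*=}
        # The lookup runs in a subshell, so this loop's $pair is untouched.
        if actual=$(policy_value "$got" "$key"); then
            [ "$actual" = "$val" ] ||
                printf 'CHANGED %s want=%s got=%s\n' "$key" "$val" "$actual"
        else
            printf 'MISSING %s\n' "$key"
        fi
    done
}

# Policy string given to -setglobalpolicy in the message above.
WANT="usingHistory=12 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=86400 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=86400 maxFailedLoginAttempts=6 minChars=12 maxChars=0 passwordCannotBeName=1 requiresMixedCase=1 newPasswordRequired=0 minutesUntilFailedLoginReset=15 notGuessablePattern=1"

# Output of -getglobalpolicy as quoted in the message above.
GOT="usingHistory=12 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=86400 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=86400 maxFailedLoginAttempts=6 minChars=12 maxChars=0 passwordCannotBeName=1 requiresMixedCase=1 newPasswordRequired=0"

# On the server, GOT would instead be captured from:
#   pwpolicy -n /NetInfo/DefaultLocalNode -getglobalpolicy
policy_diff "$WANT" "$GOT"
```

Run over the two strings in the message, it reports minutesUntilFailedLoginReset and notGuessablePattern as absent from the reported policy.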