Re: [Fed-Talk] RE: How to configure complex password requirements?
- Subject: Re: [Fed-Talk] RE: How to configure complex password requirements?
- From: "Dan O'Donnell" <email@hidden>
- Date: Mon, 24 Jan 2011 11:44:20 -0800
- Thread-topic: [Fed-Talk] RE: How to configure complex password requirements?
The man pages will tell you what pwpolicy can do, and how to apply the
policies you want. Check 'man pwpolicy' from the Terminal - it appears that
upper case, lower case and numerics can be required password policy
settings, but not symbols:

Global Policies

requiresAlpha  If 1, user's password is required to have a character in [A-Z][a-z].
requiresNumeric  If 1, user's password is required to have a character in [0-9].

Some other policy settings that pwpolicy can implement (found with man
pwpolicy):

usingHistory  0 = user can reuse the current password, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
usingExpirationDate  If 1, user is required to change password on the date in expirationDateGMT
usingHardExpirationDate  If 1, user's account is disabled on the date in hardExpireDateGMT
expirationDateGMT  Date for the password to expire, format must be: mm/dd/yy
hardExpireDateGMT  Date for the user's account to be disabled, format must be: mm/dd/yy
maxMinutesUntilChangePassword  user is required to change the password at this interval
maxMinutesUntilDisabled  user's account is disabled after this interval
maxMinutesOfNonUse  user's account is disabled if it is not accessed by this interval
maxFailedLoginAttempts  user's account is disabled if the failed login count exceeds this number
minChars  passwords must contain at least minChars
maxChars  passwords are limited to maxChars

Additional User Policies

isDisabled  If 1, user account is not allowed to authenticate, ever.
isAdminUser  If 1, this user can administer accounts on the password server.
newPasswordRequired  If 1, the user will be prompted for a new password at the next authentication. Applications that do not support change password will not authenticate.

On 1/24/11 11:30 AM, "DeMattia, Edmond G." <email@hidden>
wrote:
> Specifically, how did you get the 4 character sets to be required? That's
> what I'm looking for.
>
> Thanks
>
> On 1/24/11 2:21 PM, "Matthew Smith" <email@hidden> wrote:
>
>> You can do a "man pwpolicy" from terminal to see all the options. I'm
>> not sure if all of them work on a standalone. I was able to get the
>> following to work on 10.6 standalones: 14-char requirement, 1 upper, 1
>> lower, 1 number, 1 symbol. Didn't mess with the expiration, so I don't
>> know if that works on standalones.
>>
>> Matthew
>>
>> On Jan 24, 2011, at 11:15 AM, Valentine, Ruth Ann B. wrote:
>>
>>> Use pwpolicy to set each user:
>>>
>>> sudo pwpolicy -a adminname -u username -setpolicy "minChars=12"
>>>
>>> I have not got a local machine to take a global policy, so I wrote a
>>> little shell script to run on each user after they are created.
>>>
>>> You can also use newPasswordRequired=1 to force them to change the
>>> password on their first login.
>>>
>>> Some of the settings tell them what policy explicitly they are not
>>> meeting (minChars is one) others only say it doesn't meet policy, so be
>>> sure you are clear when you tell the user what the policy is.
>>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+ruthann=email@hidden
>>> [mailto:fed-talk-bounces+ruthann=email@hidden] On Behalf Of
>>> DeMattia, Edmond G.
>>> Sent: Monday, January 24, 2011 10:59 AM
>>> To: email@hidden
>>> Subject: [Fed-Talk] How to configure complex password requirements?
>>>
>>> How can I configure a 10.6 workstation that's doing local
>>> authentication to force users to use complex passwords? I also need to
>>> set a minimum of 12 characters. Is there a way to do it natively?
>>>
>>> TIA
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
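
The per-user approach described in the thread (one pwpolicy call per account, since a global policy did not take on a local machine), as an added shell example that is not any poster's own script. It only accepts the policy keys quoted from 'man pwpolicy' above, so a setting the man page does not list is rejected before anything is applied; adminname, user1 and user2 are placeholders, and the DRY_RUN variable is this example's own convention.

```shell
#!/bin/sh
# Added example: apply one pwpolicy string to several local users.
# Accepted keys are only the ones quoted from 'man pwpolicy' in this message.
KNOWN_KEYS="requiresAlpha requiresNumeric usingHistory usingExpirationDate"
KNOWN_KEYS="$KNOWN_KEYS usingHardExpirationDate expirationDateGMT hardExpireDateGMT"
KNOWN_KEYS="$KNOWN_KEYS maxMinutesUntilChangePassword maxMinutesUntilDisabled"
KNOWN_KEYS="$KNOWN_KEYS maxMinutesOfNonUse maxFailedLoginAttempts minChars maxChars"
KNOWN_KEYS="$KNOWN_KEYS isDisabled isAdminUser newPasswordRequired"

# build_policy key=value ... -> prints one space-separated policy string,
# or returns 1 on an unknown key or a malformed pair.
build_policy() {
    out=""
    for pair in "$@"; do
        key=${pair%%=*}
        val=${pair#*=}
        # Require key=value with a non-empty value.
        if [ "$key" = "$pair" ] || [ -z "$val" ]; then
            echo "malformed setting: $pair" >&2; return 1
        fi
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) echo "unknown policy key: $key" >&2; return 1 ;;
        esac
        out="${out:+$out }$key=$val"
    done
    printf '%s\n' "$out"
}

# apply_policy admin policy user... -> one pwpolicy command per user, in the
# form used earlier in the thread. Printed unless DRY_RUN=0 (example's convention).
apply_policy() {
    admin=$1; policy=$2; shift 2
    for user in "$@"; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'sudo pwpolicy -a %s -u %s -setpolicy "%s"\n' "$admin" "$user" "$policy"
        else
            sudo pwpolicy -a "$admin" -u "$user" -setpolicy "$policy" || return 1
        fi
    done
}

# Constructed usage: 12-character minimum, letter and digit required,
# password change forced at next login. Names are placeholders.
if policy=$(build_policy minChars=12 requiresAlpha=1 requiresNumeric=1 newPasswordRequired=1); then
    apply_policy adminname "$policy" user1 user2
fi
```

Run it as-is to review the printed commands, then set DRY_RUN=0 on the workstation to execute them.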