Re: [Fed-Talk] RE: How to configure complex password requirements?
- Subject: Re: [Fed-Talk] RE: How to configure complex password requirements?
- From: Matthew Smith <email@hidden>
- Date: Mon, 31 Jan 2011 12:05:03 -0500
I recently set up some accounts on a Mac G5 running the latest version of 10.5 (separate from the DoD network) and I wanted their password to expire upon the next use. I was able to do the global settings requiring them to have minimum characters, symbols, etc. However, when I try to set the user's "newPasswordRequired=1" I'm told that the user is not a password server user. Here was my command:
sudo pwpolicy -u username -n /Local/Default -setpolicy "newPasswordRequired=1"
I didn't reboot after creating the accounts and trying this. Is it possible that, upon reboot, the newly created accounts would be added to the password server user list?
Yours,
Matthew
On Jan 25, 2011, at 10:23 AM, Valentine, Ruth Ann B. wrote:
> Ah, that explains some things...... After problems setting global policy, I gave up and have always just applied the pwpolicy for each user, not globally, and everything works fine. Not really a big problem to run a shell script to do this after creating a user.
>
> -----Original Message-----
> From: fed-talk-bounces+ruthann=email@hidden [mailto:fed-talk-bounces+ruthann=email@hidden] On Behalf Of Ruben Brochner
> Sent: Monday, January 24, 2011 7:27 PM
> To: DeMattia, Edmond G.; Fed Talk
> Subject: Re: [Fed-Talk] RE: How to configure complex password requirements?
>
> I haven't tested this recently, but ...
>
> The following command (all on one line) issued by a local administrator should set the global password policy for "Standard" accounts:
>
> sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=14 requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1 passwordCannotBeName=1 maxFailedLoginAttempts=3 minutesUntilFailedLoginReset=60 notGuessablePattern=1 maxMinutesUntilChangePassword=86400"
>
> Please note that pwpolicy limitations do not apply to "Administrator" accounts even though the System Preferences Account pane might lead an administrative user to believe that it does. This can result in a password being changed even though the system has informed a user that his new password was too short, etc. Also, the limitations do not apply during the creation of an account by an administrator.
>
> - Ruben
>
> On Jan 24, 2011, at 3:11 PM, DeMattia, Edmond G. wrote:
>
>> The [A-Z][a-z] and the [0-9] settings were clear. I didn't see how to
>> implement a special character. As it stands, it appears you can only
>> enforce 2 character sets as the [A-Z] and [a-z] are not treated
>> independently.
>>
>> On 1/24/11 2:44 PM, "Dan O'Donnell" <email@hidden> wrote:
>>
>>> The man pages will tell you what pwpolicy can do, and how to apply the
>>> policies you want. Check 'man pwpolicy' from the Terminal - it appears that
>>> upper case, lower case and numerics can be required password policy
>>> settings, but not symbols:
>>>
>>> Global Policies
>>>
>>> requiresAlpha    If 1, user's password is required to have a character in [A-Z][a-z].
>>>
>>> requiresNumeric  If 1, user's password is required to have a character in [0-9].
>>>
>>> Some other policy settings that pwpolicy can implement (found with man pwpolicy):
>>>
>>> usingHistory  0 = user can reuse the current password, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
>>>
>>> usingExpirationDate  If 1, user is required to change password on the date in expirationDateGMT
>>>
>>> usingHardExpirationDate  If 1, user's account is disabled on the date in hardExpireDateGMT
>>>
>>> expirationDateGMT  Date for the password to expire, format must be: mm/dd/yy
>>>
>>> hardExpireDateGMT  Date for the user's account to be disabled, format must be: mm/dd/yy
>>>
>>> maxMinutesUntilChangePassword  user is required to change the password at this interval
>>>
>>> maxMinutesUntilDisabled  user's account is disabled after this interval
>>>
>>> maxMinutesOfNonUse  user's account is disabled if it is not accessed by this interval
>>>
>>> maxFailedLoginAttempts  user's account is disabled if the failed login count exceeds this number
>>>
>>> minChars  passwords must contain at least minChars
>>>
>>> maxChars  passwords are limited to maxChars
>>>
>>> Additional User Policies
>>>
>>> isDisabled  If 1, user account is not allowed to authenticate, ever.
>>>
>>> isAdminUser  If 1, this user can administer accounts on the password server.
>>>
>>> newPasswordRequired  If 1, the user will be prompted for a new password at the next authentication. Applications that do not support change password will not authenticate.
>>>
>>> On 1/24/11 11:30 AM, "DeMattia, Edmond G." <email@hidden>
>>> wrote:
>>>
>>>> Specifically, how did you get the 4 character sets to be required? That's
>>>> what I'm looking for.
>>>>
>>>> Thanks
>>>>
>>>> On 1/24/11 2:21 PM, "Matthew Smith" <email@hidden> wrote:
>>>>
>>>>> You can do a "man pwpolicy" from terminal to see all the options. I'm
>>>>> not sure if all of them work on a standalone. I was able to get the
>>>>> following to work on 10.6 standalones: 14-char requirement, 1 upper, 1
>>>>> lower, 1 number, 1 symbol. Didn't mess with the expiration, so I don't
>>>>> know if that works on standalones.
>>>>>
>>>>> Matthew
>>>>>
>>>>> On Jan 24, 2011, at 11:15 AM, Valentine, Ruth Ann B. wrote:
>>>>>
>>>>>> Use pwpolicy to set each user:
>>>>>>
>>>>>> sudo pwpolicy -a adminname -u username -setpolicy "minChars=12"
>>>>>>
>>>>>> I have not got a local machine to take a global policy, so I wrote a
>>>>>> little shell script to run on each user after they are created.
>>>>>>
>>>>>> You can also use newPasswordRequired=1 to force them to change the
>>>>>> password on their first login.
>>>>>>
>>>>>> Some of the settings tell them what policy explicitly they are not
>>>>>> meeting (minChars is one), others only say it doesn't meet policy, so be
>>>>>> sure you are clear when you tell the user what the policy is.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fed-talk-bounces+ruthann=email@hidden
>>>>>> [mailto:fed-talk-bounces+ruthann=email@hidden] On Behalf Of
>>>>>> DeMattia, Edmond G.
>>>>>> Sent: Monday, January 24, 2011 10:59 AM
>>>>>> To: email@hidden
>>>>>> Subject: [Fed-Talk] How to configure complex password requirements?
>>>>>>
>>>>>> How can I configure a 10.6 workstation that's doing local
>>>>>> authentication to force users to use complex passwords? I also need to
>>>>>> set a minimum of 12 characters. Is there a way to do it natively?
>>>>>>
>>>>>> TIA
>>>>>>
>>>>>> _______________________________________________
>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>> Fed-talk mailing list (email@hidden)
>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>
>>>>>> This email sent to email@hidden
>>>>>
>>>>
>>>
>>> __________________________________________________________________________
>>>
>>> This email message is for the sole use of the intended recipient(s) and
>>> may contain confidential information. Any unauthorized review, use,
>>> disclosure or distribution is prohibited. If you are not the intended
>>> recipient, please contact the sender by reply email and destroy all copies
>>> of the original message.
>>>
>>
>
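One way to script what the thread describes, as an added example that is not part of the thread: the global policy from Ruben's command, the per-user newPasswordRequired=1 from Ruth Ann's tip (she mentions running a small script per user after creation), Ruben's caveat that the policy does not bind Administrator accounts, and a local pre-check that names the exact rule a candidate password misses, since Ruth Ann notes the OS often only says "doesn't meet policy". It assumes a standalone Mac with the /Local/Default node and sudo rights; PWPOLICY_DRY_RUN, run_cmd, check_password, apply_policies and the sample account names are my own and not anything from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: apply the pwpolicy settings discussed
# above to local users on a standalone Mac and pre-check candidate passwords
# against the same rules. Assumptions: the /Local/Default node, sudo rights,
# the policy values from Ruben's post, and a constructed user list.
# Setting PWPOLICY_DRY_RUN=1 prints each command instead of running it.

# Global policy for Standard accounts, exactly as posted in the thread.
GLOBAL_POLICY="minChars=14 requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1 passwordCannotBeName=1 maxFailedLoginAttempts=3 minutesUntilFailedLoginReset=60 notGuessablePattern=1 maxMinutesUntilChangePassword=86400"

# Per-user policy: force a password change at the next login.
USER_POLICY="newPasswordRequired=1"

# Run a command, or print it when PWPOLICY_DRY_RUN=1 (my assumption, for testing).
run_cmd() {
  if [ "${PWPOLICY_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

set_global_policy() {
  run_cmd sudo pwpolicy -n /Local/Default -setglobalpolicy "$GLOBAL_POLICY"
}

set_user_policy() {
  run_cmd sudo pwpolicy -n /Local/Default -u "$1" -setpolicy "$USER_POLICY"
}

# Ruben's caveat: pwpolicy limits do not bind Administrator accounts, so flag
# them instead of assuming they are covered. Reads the admin group with dscl;
# skipped in dry-run mode because dscl only exists on macOS.
warn_if_admin() {
  [ "${PWPOLICY_DRY_RUN:-0}" = "1" ] && return 0
  if dscl . -read /Groups/admin GroupMembership 2>/dev/null | grep -qw -e "$1"; then
    echo "warning: $1 is an administrator; the global password policy is not enforced for admins" >&2
  fi
}

# has_class PASSWORD REGEX: true if the password contains a character matching REGEX.
# LC_ALL=C keeps [A-Z] strictly upper case regardless of the caller's locale.
has_class() {
  printf '%s' "$1" | LC_ALL=C grep -q -e "$2"
}

# check_password NAME PASSWORD: mirror the global rules locally and print the
# names of the rules a candidate fails. Returns 0 if every rule passes, 1 otherwise.
check_password() {
  name=$1; pw=$2; failed=""
  [ "${#pw}" -ge 14 ]                                     || failed="$failed minChars"
  has_class "$pw" '[A-Za-z]'                              || failed="$failed requiresAlpha"
  has_class "$pw" '[0-9]'                                 || failed="$failed requiresNumeric"
  { has_class "$pw" '[A-Z]' && has_class "$pw" '[a-z]'; } || failed="$failed requiresMixedCase"
  has_class "$pw" '[^A-Za-z0-9]'                          || failed="$failed requiresSymbol"
  if printf '%s' "$pw" | grep -qiF -e "$name"; then
    failed="$failed passwordCannotBeName"
  fi
  [ -z "$failed" ] && return 0
  printf '%s\n' "${failed# }"
  return 1
}

# apply_policies USERFILE: one short name per line; sets the global policy once,
# then the per-user policy for each account, warning about admins on the way.
apply_policies() {
  set_global_policy
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    warn_if_admin "$user"
    set_user_policy "$user"
  done < "$1"
}

# Usage with a constructed user list:  PWPOLICY_DRY_RUN=1 sh pwpolicy-apply.sh --apply
if [ "${1:-}" = "--apply" ]; then
  tmp=$(mktemp) && printf 'alice\nbob\n' > "$tmp"   # constructed sample accounts
  apply_policies "$tmp"
  rm -f "$tmp"
fi
```

Run it once with PWPOLICY_DRY_RUN=1 to see the exact pwpolicy invocations before letting it touch accounts, and use check_password when writing the password guidance you hand to users so the rule names you quote match what pwpolicy enforces. This is the only part of the script that runs on a non-Mac; everything calling pwpolicy or dscl needs 10.5/10.6 itself.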