Managing local password policy with `pwpolicy`

Have you ever wanted to enforce password policies on local OS X users? Things like complexity, expiration, rotation, etc.? Well, you are in luck! On OS X, local users live in a local Directory Service node (/Local/Default), so each client has the same tools you would use on OS X Server to set requirements for Open Directory users: dscl and pwpolicy.

While both are interesting, I’m going to talk about pwpolicy specifically!

man pwpolicy

Set a user's policy with -setpolicy. Writing to the local node needs root, and the policy string is the same space-separated key=value list that -getpolicy prints back:

sudo pwpolicy -u tprice -setpolicy "usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"

Read it back with -getpolicy. Without -u the command applies to the current user, hence the warning:

pwpolicy -getpolicy
Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8

Similarly, if you want it to be global (applied to every account in the local node):

sudo pwpolicy -setglobalpolicy "usingHistory=4"

Read it back with

pwpolicy -getglobalpolicy
usingHistory=4

Two things worth knowing before you roll this out: maxFailedLoginAttempts disables the account once the limit is hit, and it has to be re-enabled afterwards (pwpolicy -u <user> -enableuser); and on OS X 10.10 and later these per-attribute options are deprecated in favour of -setaccountpolicies/-getaccountpolicies, which take and return a plist.

So that handles things like complexity, history (rotation) and lockout, but so far we haven’t touched on expiration.

For that, I enlisted the help of ##osx-server on freenode. What I got was a LaunchAgent, a LaunchDaemon, and two shell scripts. I modified those a bit to work in my environment - you can find those here.

Now, I’ve got a script that runs at regular intervals checking password age, and prompting for a reset! At some point I will probably force real expiration - after a decent time of the user ignoring prompts!
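As an added example (not the LaunchAgent/LaunchDaemon scripts linked above), here is the age check itself in shell: it pulls passwordLastSetTime out of the user's accountPolicyData record, which assumes OS X 10.10 or later, works out the age in days and decides whether to put up a dialog. The sample dscl output, the 90-day threshold and the dialog wording are constructed for the example, and the dialog only works when the script runs in the user's GUI session (i.e. from a LaunchAgent, not the daemon).

```shell
#!/bin/sh
# Added example for this post (not the author's linked scripts): report the age
# of a local user's password and decide whether to nag them to change it.
#
# Assumptions (mine, not the post's):
#  - OS X 10.10 or later, where `dscl . -read /Users/<user> accountPolicyData`
#    prints an XML plist holding a <real> passwordLastSetTime epoch.
#  - MAX_AGE_DAYS=90 and the dialog text are illustrative choices.
#  - The osascript dialog only appears from a LaunchAgent in the GUI session.

MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"

# Constructed sample of `dscl . -read /Users/tprice accountPolicyData` output,
# so the parsing logic can be exercised without a Mac.
SAMPLE_RECORD='accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>creationTime</key>
    <real>1425000000.0</real>
    <key>failedLoginCount</key>
    <integer>0</integer>
    <key>passwordLastSetTime</key>
    <real>1425312345.123</real>
</dict>
</plist>'

# Read plist text on stdin; print passwordLastSetTime as whole seconds.
# Returns 1 (prints nothing) if the key is missing, e.g. an account whose
# password predates the account-policy record.
extract_last_set() {
    awk '
        /<key>passwordLastSetTime<\/key>/ { want = 1; next }
        want && /<real>/ {
            gsub(/.*<real>|<\/real>.*/, "")
            sub(/\..*$/, "")            # drop fractional seconds
            print; found = 1; exit
        }
        { want = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Whole days elapsed between two epochs (integer seconds): $1 = last set, $2 = now.
password_age_days() {
    echo $(( ($2 - $1) / 86400 ))
}

# "prompt" when the age ($1) is at least the limit ($2), otherwise "ok".
age_status() {
    if [ "$1" -ge "$2" ]; then echo prompt; else echo ok; fi
}

# Live check for one local user (needs dscl, i.e. a Mac).
check_user() {
    user="$1"
    last=$(dscl . -read "/Users/$user" accountPolicyData | extract_last_set) || {
        echo "$user: no passwordLastSetTime recorded" >&2; return 2; }
    age=$(password_age_days "$last" "$(date +%s)")
    status=$(age_status "$age" "$MAX_AGE_DAYS")
    echo "$user: password is $age days old ($status)"
    [ "$status" = prompt ] && osascript -e "display dialog \"Your password is $age days old. Please change it in System Preferences > Users & Groups.\" buttons {\"OK\"} default button 1 with icon caution" >/dev/null
    return 0
}

# Usage: ./pwage.sh tprice    (with no argument, only the sample record is parsed)
if [ $# -gt 0 ]; then
    check_user "$1"
else
    last=$(printf '%s\n' "$SAMPLE_RECORD" | extract_last_set)
    echo "sample: password last set at epoch $last"
fi
```

Run it from a LaunchAgent with a StartInterval of a day or so; the daemon side of the author's setup is only needed if you later want to force a change rather than ask for one.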

 
