Managing local password policy with `pwpolicy`

Have you ever wanted to enforce password policies on local OS X users? Things like complexity, expiration, rotation, etc.? Well, you are in luck! On OS X, local users are managed in a local Directory Service, so every client has the same tools you would use on OS X Server to set requirements for Open Directory users: `dscl` and `pwpolicy`.

While both are interesting, I’m going to talk about pwpolicy specifically!

See `man pwpolicy` for the full option list.

Set a per-user policy with:

```
pwpolicy setpolicy "usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"
```

Read it back with:

```
pwpolicy getpolicy
Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8
```

(Without `-u <user>`, `pwpolicy` applies the command to the current user, hence the warning.)

Similarly, if you want it to be global:

```
pwpolicy setglobalpolicy "usingHistory=4"
```

Read it back with:

```
pwpolicy getglobalpolicy
usingHistory=4
```
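To see what the keys in that `getpolicy` line actually demand of a password, here is an added example (not code from the original post) that parses the key=value output and checks a candidate password against `minChars`, `requiresAlpha` and `requiresNumeric`. The `SAMPLE_POLICY` string is constructed from the output shown above; `usingHistory` and `maxFailedLoginAttempts` are enforced by the directory service at login time and are only read here, not checked. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: read the key=value pairs that
# `pwpolicy getpolicy` prints and check a candidate password against them.

# Constructed sample, copied from the getpolicy output shown in the post.
SAMPLE_POLICY='usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8'

# policy_value POLICY KEY -> prints the value of KEY, or nothing when absent.
policy_value() {
    policy="$1"; key="$2"
    for pair in $policy; do
        case "$pair" in
            "$key="*) echo "${pair#*=}"; return 0 ;;
        esac
    done
}

# check_password POLICY CANDIDATE -> "ok", or a comma-separated list of the
# policy keys the candidate fails.
check_password() {
    policy="$1"; pw="$2"
    failures=""
    min="$(policy_value "$policy" minChars)"
    if [ -n "$min" ] && [ "${#pw}" -lt "$min" ]; then
        failures="${failures}minChars,"
    fi
    # requiresAlpha=1: at least one letter must be present.
    if [ "$(policy_value "$policy" requiresAlpha)" = "1" ]; then
        case "$pw" in *[A-Za-z]*) ;; *) failures="${failures}requiresAlpha," ;; esac
    fi
    # requiresNumeric=1: at least one digit must be present.
    if [ "$(policy_value "$policy" requiresNumeric)" = "1" ]; then
        case "$pw" in *[0-9]*) ;; *) failures="${failures}requiresNumeric," ;; esac
    fi
    if [ -z "$failures" ]; then echo ok; else echo "${failures%,}"; fi
}

# Usage: sh pwcheck.sh 'candidate password'  (checks against SAMPLE_POLICY)
if [ "$#" -gt 0 ]; then
    echo "minChars=$(policy_value "$SAMPLE_POLICY" minChars)"
    check_password "$SAMPLE_POLICY" "$1"
fi
```

Pipe the real output of `pwpolicy getpolicy` (the last line only) into `check_password` in place of `SAMPLE_POLICY` to test candidates against the policy actually set on a machine.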

So, that handles things like complexity and rotation, but so far we haven’t touched on expiration.

For that, I enlisted the help of ##osx-server on freenode. What I got was a LaunchAgent, a LaunchDaemon, and two shell scripts. I modified those a bit to work in my environment - you can find those here.

Now, I’ve got a script that runs at regular intervals checking password age, and prompting for a reset! At some point I will probably force real expiration - after a decent time of the user ignoring prompts!
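The core of such a password-age check, as an added example that is not the LaunchAgent/LaunchDaemon scripts the post links to: compute the age from a "last set" timestamp and compare it with a maximum. The 90-day threshold, the function names, and the `accountPolicyData` / `passwordLastSetTime` attribute read via `dscl` (present on OS X 10.10 and later) are assumptions; older releases keep the last-set time elsewhere.

```shell
#!/bin/sh
# Added example, not the scripts from the original post: decide whether a local
# account's password is older than a maximum age. Threshold and attribute
# names are assumptions, not values from the post.

MAX_AGE_DAYS=90   # assumed rotation interval

# password_age_days LAST_SET_EPOCH NOW_EPOCH -> whole days elapsed.
password_age_days() {
    last_set="$1"
    now="$2"
    echo $(( (now - last_set) / 86400 ))
}

# password_status AGE_DAYS -> "expired" when AGE_DAYS >= MAX_AGE_DAYS, else "ok".
password_status() {
    age="$1"
    if [ "$age" -ge "$MAX_AGE_DAYS" ]; then
        echo expired
    else
        echo ok
    fi
}

# On OS X, read the last-set time from the local Directory Service with dscl.
# Assumption: the accountPolicyData plist carries a passwordLastSetTime key
# whose value is epoch seconds with a fractional part; the integer part is kept.
password_last_set_epoch() {
    user="$1"
    dscl . -read "/Users/$user" accountPolicyData 2>/dev/null \
      | awk '/passwordLastSetTime/ { getline; gsub(/[^0-9.]/, ""); sub(/\..*/, ""); print; exit }'
}

# main [USER] -> reports the age and status for USER (default: current user).
main() {
    user="${1:-$(id -un)}"
    last_set="$(password_last_set_epoch "$user")"
    if [ -z "$last_set" ]; then
        echo "no last-set time found for $user" >&2
        return 2
    fi
    age="$(password_age_days "$last_set" "$(date +%s)")"
    echo "$user: password age ${age}d, $(password_status "$age")"
}

# Usage: sh pwage.sh tprice   (only runs the dscl lookup when a user is given)
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run from a LaunchAgent on an interval, the `expired` result is the point at which to prompt the user; the post's eventual plan of forcing a reset is a separate `pwpolicy` action and is not part of this check.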
