Managing local password policy with `pwpolicy`

Have you ever wanted to enforce password policies on local OS X users? Things like complexity, expiration, rotation, etc.? Well, you are in luck! On OS X, users are managed in a local Directory Service, so you have the same tools on each client that you would use on OS X Server to set requirements for Open Directory users: `dscl` and `pwpolicy`.

While both are interesting, I'm going to talk about `pwpolicy` specifically!

```
man pwpolicy
```

Set a user's policy with a space-separated list of `key=value` pairs:

```
# the policy string holds the same settings that getpolicy reads back below
pwpolicy setpolicy "usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"
```

Read it back with:

```
pwpolicy getpolicy
Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8
```

Similarly, if you want it to be global:

```
# same key=value format; the value matches what getglobalpolicy reads back below
pwpolicy setglobalpolicy "usingHistory=4"
```

Read it back with:

```
pwpolicy getglobalpolicy
usingHistory=4
```
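
Reading the policy back by eye is fine for one machine, but once you push a policy to many clients you want a check that the values actually landed. The script below is an added example, not part of the original post: it parses the `key=value` line that `pwpolicy getpolicy` and `pwpolicy getglobalpolicy` print, compares it against a baseline built from the values shown above, and flags any setting that is missing or weaker than the baseline. The two sample outputs are constructed to match the post; the `apply_baseline` function uses the `-u username` option from the `pwpolicy` man page and is the only part that needs admin rights on a real Mac.

```shell
#!/bin/sh
# Added example, not from the original post: verify a local pwpolicy against a baseline.

# The baseline is the policy the post sets; it doubles as the setpolicy argument.
BASELINE_POLICY="usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"

# Constructed sample: what `pwpolicy getpolicy` printed for the user in the post.
SAMPLE_USER_POLICY="Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"

# Constructed sample: a machine where only the global history setting was applied.
SAMPLE_WEAK_POLICY="usingHistory=4"

# policy_value OUTPUT KEY: print the value of KEY from pwpolicy output.
# pwpolicy leaves out keys that were never set, and an unset key is a missing
# control, so it is reported as 0 rather than silently passing.
policy_value() {
    v=$(printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2)
    printf '%s' "${v:-0}"
}

# check_policy OUTPUT: return 0 when every baseline setting is met, otherwise
# print each shortfall and return 1.
check_policy() {
    out=$1
    status=0
    for req in $BASELINE_POLICY; do
        key=${req%%=*}
        want=${req#*=}
        have=$(policy_value "$out" "$key")
        case $key in
            # Lockout is the one setting where lower is stricter, and 0 means
            # no lockout at all, so require 1..want instead of >= want.
            maxFailedLoginAttempts)
                if [ "$have" -lt 1 ] || [ "$have" -gt "$want" ]; then
                    echo "$key=$have is outside the baseline range 1..$want"
                    status=1
                fi ;;
            *)
                if [ "$have" -lt "$want" ]; then
                    echo "$key=$have is below the baseline of $want"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# apply_baseline USERNAME: push the baseline to one local user (needs admin rights).
# Not exercised on the sample data; run check_policy on `pwpolicy -u USER getpolicy` afterwards.
apply_baseline() {
    sudo pwpolicy -u "$1" setpolicy "$BASELINE_POLICY"
}

# Demo on the constructed samples: the first meets the baseline, the second does not.
for sample in "$SAMPLE_USER_POLICY" "$SAMPLE_WEAK_POLICY"; do
    if check_policy "$sample"; then
        echo "policy meets baseline"
    else
        echo "policy below baseline"
    fi
done
```

On a real client, replace the constructed samples with `check_policy "$(pwpolicy -u "$user" getpolicy)"` and run it from a LaunchDaemon or your management tool so a drifted policy shows up in logs rather than at the next audit.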

So, that handles things like complexity and rotation, but so far we haven’t touched on expiration.

For that, I enlisted the help of ##osx-server on freenode. What I got was a LaunchAgent, a LaunchDaemon, and two shell scripts. I modified those a bit to work in my environment; you can find those here.

Now I've got a script that runs at regular intervals, checking password age and prompting for a reset! At some point I will probably force real expiration, after a decent period of the user ignoring the prompts!
