Managing local password policy with `pwpolicy`
Have you ever wanted to enforce password policies on local OS X users: complexity, expiration, rotation and so on? You are in luck. On OS X, local users are managed in a local Directory Service node, so every client has the same tools you would use on OS X Server to set requirements for Open Directory users: `dscl` and `pwpolicy`.

Both are interesting, but this post is about `pwpolicy` specifically. Start with its man page:

```
man pwpolicy
```
Set a per-user policy with `-setpolicy` and a space-separated list of `key=value` pairs. Without `-u`, pwpolicy applies the command to the account you are running as and warns you that it is doing so; add `-u <username>` to target another local account:

```
pwpolicy -setpolicy "usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8"
```

Read it back with `-getpolicy`:

```
pwpolicy -getpolicy
Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8
```

Here `minChars=8`, `requiresAlpha=1` and `requiresNumeric=1` set the complexity requirements, `usingHistory=4` stops the last four passwords from being reused, and `maxFailedLoginAttempts=5` disables the account after five bad login attempts.
Similarly, if you want a policy to apply to every local account, set it as the global policy:

```
pwpolicy -setglobalpolicy "usingHistory=4"
```

and read it back with `-getglobalpolicy`:

```
pwpolicy -getglobalpolicy
usingHistory=4
```
Note that these are examples from my environment; if you read the policy on your machine it will probably return nothing, unless you have already set one up.
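Reading a policy back is most useful when you compare it against the baseline you intended to set. The script below is an added example, not code from the original post: it strips pwpolicy's warning lines from the `-getpolicy` output, checks each baseline key (treating `maxFailedLoginAttempts` specially, since there a smaller value is stricter and `0` means the lockout is off), and re-applies the baseline where an account falls short. The baseline values, the user name `tprice` and the sample pwpolicy output are constructed for illustration; pwpolicy is only invoked when it exists on the host.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a local account's
# pwpolicy settings against a baseline and apply the baseline where it falls short.
# Assumed/constructed: the baseline values, the user name "tprice" and the sample
# pwpolicy output below; pwpolicy itself is only called when it exists on the host.

# Minimum settings every local account should carry (constructed baseline).
BASELINE="minChars=8 requiresAlpha=1 requiresNumeric=1 usingHistory=4 maxFailedLoginAttempts=5"

# pwpolicy prints a warning and a "Getting policy for ..." line before the policy;
# keep only the last line that carries key=value pairs. Reads stdin.
policy_from_output() {
    grep '=' | tail -n 1
}

# Current policy string for a local user (empty if none is set).
get_policy() {
    pwpolicy -u "$1" -getpolicy 2>&1 | policy_from_output
}

# Apply the baseline to a local user.
set_policy() {
    pwpolicy -u "$1" -setpolicy "$BASELINE"
}

# check_policy CURRENT BASELINE: print every baseline key that is missing or
# weaker than required; return 0 if CURRENT meets BASELINE, 1 otherwise.
# For most keys a larger value is stricter; maxFailedLoginAttempts is the
# exception: smaller is stricter and 0 means the lockout is disabled.
check_policy() {
    current=$1 baseline=$2 rc=0
    for want in $baseline; do
        key=${want%%=*} need=${want#*=} have=
        for kv in $current; do
            [ "${kv%%=*}" = "$key" ] && have=${kv#*=}
        done
        case $have in
            '')       echo "MISSING $key (want $need)"; rc=1; continue ;;
            *[!0-9]*) echo "BAD $key=$have (not numeric)"; rc=1; continue ;;
        esac
        case $key in
            maxFailedLoginAttempts)
                if [ "$have" -eq 0 ] || [ "$have" -gt "$need" ]; then
                    echo "WEAK $key=$have (want 1..$need)"; rc=1
                fi ;;
            *)
                if [ "$have" -lt "$need" ]; then
                    echo "WEAK $key=$have (want >= $need)"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample of what `pwpolicy -getpolicy` prints for a user.
SAMPLE_OUTPUT='Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8'

# audit_user USERNAME: report, and fix, the account's policy (no-op without pwpolicy).
audit_user() {
    command -v pwpolicy >/dev/null 2>&1 || { echo "pwpolicy not found; skipping $1"; return 0; }
    current=$(get_policy "$1")
    if check_policy "$current" "$BASELINE"; then
        echo "$1: policy meets baseline"
    else
        echo "$1: applying baseline"
        set_policy "$1"
    fi
}

# Usage: sh audit_pwpolicy.sh tprice
if [ -n "${1:-}" ]; then
    audit_user "$1"
fi
```

Run it as an admin with the account name as the only argument. Because a missing key is reported separately from a weak one, the output tells you whether someone cleared the policy entirely (everything `MISSING`, which is also what a freshly installed machine looks like) or relaxed a single setting.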
So that handles complexity and rotation, but so far we haven't touched expiration.

For that I enlisted the help of ##osx-server on freenode. What I got was a LaunchAgent, a LaunchDaemon and two shell scripts. I modified those a bit to work in my environment; you can find those here.

Now I have a script that runs at regular intervals, checks the password age and prompts for a reset. At some point I will probably force real expiration, after a decent period of the user ignoring the prompts.
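The core of such a checker is deciding how old the password is. The script below is an added example and is not the LaunchAgent, LaunchDaemon or scripts from ##osx-server that the post refers to. It assumes the last-set time can be read from the `passwordLastSetTime` value in the `accountPolicyData` attribute that `dscl . -read /Users/NAME accountPolicyData` prints (an epoch timestamp, as recorded on macOS 10.10 and later; older releases may not carry it), and the 90-day threshold is an assumed policy value. The dscl output used to exercise it is constructed; dscl is only called when present and an account name is given.

```sh
#!/bin/sh
# Added example, not the author's scripts: compute a local account's password age
# and decide whether to prompt for a reset. Assumptions (not from the original
# post): the last-set time comes from the passwordLastSetTime key in dscl's
# accountPolicyData attribute (macOS 10.10+), and MAX_AGE_DAYS is a chosen policy.

MAX_AGE_DAYS=90

# Extract passwordLastSetTime (an <integer> or <real> epoch value) from the plist
# text that `dscl . -read /Users/NAME accountPolicyData` prints. Reads stdin and
# prints the whole-second epoch, or nothing if the key is absent (never set).
last_set_epoch() {
    awk '/<key>passwordLastSetTime<\/key>/ {
            getline
            gsub(/<[^>]*>|[[:space:]]/, "")   # drop the tags and indentation
            sub(/\..*$/, "")                   # drop any fractional seconds
            print
            exit
         }'
}

# age_days LAST_SET_EPOCH NOW_EPOCH: age in whole days.
age_days() {
    echo $(( ($2 - $1) / 86400 ))
}

# needs_rotation LAST_SET_EPOCH NOW_EPOCH: true if the password is older than
# MAX_AGE_DAYS, or has never been set (empty epoch).
needs_rotation() {
    [ -z "$1" ] && return 0
    [ "$(age_days "$1" "$2")" -ge "$MAX_AGE_DAYS" ]
}

# Constructed sample shaped like dscl's accountPolicyData output for one user.
SAMPLE_DSCL='dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <plist version="1.0">
 <dict>
 	<key>passwordLastSetTime</key>
 	<real>1388534400.5</real>
 </dict>
 </plist>'

# Usage: sh check_pw_age.sh tprice   (prints a prompt line when rotation is due)
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    now=$(date +%s)
    epoch=$(dscl . -read "/Users/$1" accountPolicyData 2>/dev/null | last_set_epoch)
    if needs_rotation "$epoch" "$now"; then
        if [ -z "$epoch" ]; then
            echo "$1: no password change recorded, please change your password"
        else
            echo "$1: password is $(age_days "$epoch" "$now") days old, please change it"
        fi
    fi
fi
```

Hooked up to a LaunchDaemon that runs it every few hours, the script's output is what drives the prompt. Treating a missing `passwordLastSetTime` as "needs rotation" is deliberate: an account with no recorded change is one the policy has never touched, which is the case you least want to silently skip.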