Managing local password policy with `pwpolicy`

Have you ever wanted to enforce password policies on local OS X users? Things like complexity, expiration, rotation, etc? Well you are in luck! On OS X, users are managed in a local Directory Service, and so you have the same tools on each client that you would use in OS X server if you were setting requirements for Open Directory Users - that is, dscl and pwpolicy.

While both are interesting, I’m going to talk about pwpolicy specifically!

man pwpolicy

Set user policy with

pwpolicy setpolicy

Read it back with

pwpolicy getpolicy
Warning: applying command to user <tprice>
Getting policy for tprice
usingHistory=4 requiresAlpha=1 maxFailedLoginAttempts=5 requiresNumeric=1 minChars=8

Similarly, if you want it to be global:

pwpolicy setglobalpolicy

Reads back with

pwpolicy getglobalpolicy
usingHistory=4

So, that handles things like complexity and rotation, but so far we haven’t touched on expiration.

For that, I enlisted the help of ##osx-server on freenode. What I got was a LaunchAgent, a LaunchDaemon, and two shell scripts. I modified those a bit to work in my environment - you can find those here.

Now, I’ve got a script that runs at regular intervals checking password age, and prompting for a reset! At some point I will probably force real expiration - after a decent time of the user ignoring prompts!

 
37
Kudos
 
37
Kudos

Now read this

Using Apache2 with Open Directory for Authentication

During the course of migrating directory services from OpenLDAP to Open Directory, I was tasked with finding alternate configurations for connecting a lot of different services to OD. Among these were gitlab, freeradius, a slew of... Continue →