I had a colleague ask me recently about the changes to Mavericks pwpolicy. Not having touched the tool in a few years, I was curious about the changes. Well, as the saying goes, I'm now one dead little kitty.
pwpolicy gets and sets the password policies for users on OS X. I believe binding to a directory service is required and these settings don't apply to local accounts, however I could be wrong about that, as Apple has now published an article on how Global policies can lock out admin accounts. Yay?
pwpolicy now has deprecated the commands we would have used in the past. In their place are multiple new Account Policy Keywords. All in all, it seems like a good move to use policy keywords as it will be much more customizable in the future. However, at the moment the pwpolciy man page makes my head hurt. I'm failing to grasp the whole picture here, and it's keeping me from grasping the new way of doing policies. I hope to learn more, but in the mean time I've played with the example plist in the man page. With a few simple modifications, I've added checking for numeric and non-numeric characters, as well as mixed case strings.
It appears that these policies use regex to check the password, where the new password is the variable "policyAttributePassword" and when the RegEx "matches" that it continues on.
Again, all conjecture as I've not been able to test or confirm. I am curious as to where the supplemental documentation is....Apple? Anyone else have some idea as to what's going on here? Perhaps willing to present it at a July conference in PA?
Test Plist...
<dict>
<key>policyCategoryPasswordAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeMaximumFailedAuthentications < policyAttributeFailedAuthentications</string>
<key>policyIdentifier</key>
<string>failed auths</string>
</dict>
</array>
<key>policyCategoryPasswordChange</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * DAYS_TO_SECONDS</string>
<key>policyIdentifier</key>
<string>Change every 182 days</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>182</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordContent</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.{8,}+'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.minChars</string>
<key>policyParameters</key>
<dict>
<key>minimumLength</key>
<integer>8</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '\D'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresAlpha</string>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '\d'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresNumeric</string>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.*[A-Z][a-z]+'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresMixedCase</string>
</dict>
</array>
</dict>
Edit: Updated link to Global policies can lock out admin accounts HT.
pwpolicy gets and sets the password policies for users on OS X. I believe binding to a directory service is required and these settings don't apply to local accounts, however I could be wrong about that, as Apple has now published an article on how Global policies can lock out admin accounts. Yay?
pwpolicy now has deprecated the commands we would have used in the past. In their place are multiple new Account Policy Keywords. All in all, it seems like a good move to use policy keywords as it will be much more customizable in the future. However, at the moment the pwpolciy man page makes my head hurt. I'm failing to grasp the whole picture here, and it's keeping me from grasping the new way of doing policies. I hope to learn more, but in the mean time I've played with the example plist in the man page. With a few simple modifications, I've added checking for numeric and non-numeric characters, as well as mixed case strings.
It appears that these policies use regex to check the password, where the new password is the variable "policyAttributePassword" and when the RegEx "matches" that it continues on.
Again, all conjecture as I've not been able to test or confirm. I am curious as to where the supplemental documentation is....Apple? Anyone else have some idea as to what's going on here? Perhaps willing to present it at a July conference in PA?
Test Plist...
<dict>
<key>policyCategoryPasswordAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeMaximumFailedAuthentications < policyAttributeFailedAuthentications</string>
<key>policyIdentifier</key>
<string>failed auths</string>
</dict>
</array>
<key>policyCategoryPasswordChange</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * DAYS_TO_SECONDS</string>
<key>policyIdentifier</key>
<string>Change every 182 days</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>182</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordContent</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.{8,}+'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.minChars</string>
<key>policyParameters</key>
<dict>
<key>minimumLength</key>
<integer>8</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '\D'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresAlpha</string>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '\d'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresNumeric</string>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.*[A-Z][a-z]+'</string>
<key>policyIdentifier</key>
<string>com.apple.policy.legacy.requiresMixedCase</string>
</dict>
</array>
</dict>
Edit: Updated link to Global policies can lock out admin accounts HT.
