pwpolicy(8) BSD System Manager's Manual pwpolicy(8)
NAME
pwpolicy -- gets and sets password policies
SYNOPSIS
pwpolicy [-h]
pwpolicy [-v] [-a authenticator] [-p password] [-u username]
[-n nodename] command command-arg
pwpolicy [-v] [-a authenticator] [-p password] [-u username]
[-n nodename] command "policy1=value1 policy2=value2 ..."
DESCRIPTION
pwpolicy manipulates password policies.
Options
-a name of the authenticator
-p password (omit this option for a secure prompt)
-u name of the user to modify
-n use a specific directory node; the search node is used by default.
-v verbose
-h help
Commands
-getglobalpolicy Get global policies
-setglobalpolicy Set global policies
-getpolicy Get policies for a user
-setpolicy Set policies for a user
-setpolicyglobal Set a user account to use global policies
-setpassword Set a new password for a user. Non-administrators
can use this command to change their own pass-
words.
-enableuser Enable a shadowhash user account that was disabled
by a password policy event.
-getglobalhashtypes Returns the default list of password hashes stored
on disk for this system.
-setglobalhashtypes Edits the default list of password hashes stored
on disk for this system.
-gethashtypes Returns a list of password hashes stored on disk
for a user account.
-sethashtypes Edits the list of password hashes stored on disk
for a user account.
-00 through -7 Shortcuts for the above commands (in order).
Global Policies
usingHistory 0 = user can reuse the current pass-
word, 1 = user cannot reuse the current
password, 2-15 = user cannot reuse the
last n passwords.
usingExpirationDate If 1, user is required to change pass-
word on the date in expirationDateGMT
usingHardExpirationDate If 1, user's account is disabled on the
date in hardExpireDateGMT
requiresAlpha If 1, user's password is required to
have a character in [A-Z][a-z].
requiresNumeric If 1, user's password is required to
have a character in [0-9].
expirationDateGMT Date for the password to expire, format
must be: mm/dd/yy
hardExpireDateGMT Date for the user's account to be dis-
abled, format must be: mm/dd/yy
maxMinutesUntilChangePassword user is required to change the password
at this interval
maxMinutesUntilDisabled user's account is disabled after this
interval
maxMinutesOfNonUse user's account is disabled if it is not
accessed by this interval
maxFailedLoginAttempts user's account is disabled if the
failed login count exceeds this number
minChars passwords must contain at least min-
Chars
maxChars passwords are limited to maxChars
Additional User Policies
isDisabled If 1, user account is not allowed to authen-
ticate, ever.
isAdminUser If 1, this user can administer accounts on
the password server.
newPasswordRequired If 1, the user will be prompted for a new
password at the next authentication. Appli-
cations that do not support change password
will not authenticate.
canModifyPasswordforSelf If 1, the user can change the password.
Stored Hash Types
CRAM-MD5 Required for IMAP.
RECOVERABLE Required for APOP and WebDAV. Only available on Mac OS X
Server edition.
SALTED-SHA1 The default for login window.
SMB-LAN-MANAGER Required for compatibility with Windows 9.x file shar-
ing.
SMB-NT Required for compatibility with Windows NT/XP file shar-
ing.
EXAMPLES
To get global policies:
pwpolicy -getglobalpolicy
To set global policies:
pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailed-
LoginAttempts=3"
To get policies for a specific user account:
pwpolicy -u user -getpolicy
pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy
To set policies for a specific user account:
pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailed-
LoginAttempts=3"
To change the password for a user:
pwpolicy -a authenticator -u user -setpassword newpassword
To set the list of hash types for local accounts:
pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off
SMB-NT on
Mac OS X Server 13 November 2002 Mac OS X Server
|
