FreeBSD Manual Pages
pwpolicy(8)                 System Manager's Manual                pwpolicy(8)

NAME
     pwpolicy -- gets and sets password policies

SYNOPSIS
     pwpolicy [-h]
     pwpolicy [-v] [-a authenticator] [-p password]
              [-u username | -c computername] [-n nodename] command command-arg
     pwpolicy [-v] [-a authenticator] [-p password]
              [-u username | -c computername] [-n nodename] command
              "policy1=value1 policy2=value2 ..."

DESCRIPTION
     pwpolicy manipulates password policies.

   Options
     -a      name of the authenticator
     -c      name of the computer account to modify
     -p      password (omit this option for a secure prompt)
     -u      name of the user account to modify
     -n      use a specific directory node; the search node is used by
             default.
     -v      verbose
     -h      help

   Commands
     -getglobalpolicy
             Get global policies. DEPRECATED.
     -setglobalpolicy
             Set global policies. DEPRECATED.
     -getpolicy
             Get policies for a user. DEPRECATED.
     --get-effective-policy
             Gets the combination of global and user policies that apply to
             the user. DEPRECATED.
     -setpolicy
             Set policies for a user. DEPRECATED.
     -setpassword
             Set a new password for a user. Non-administrators can use this
             command to change their own passwords.
     -enableuser
             Enable a user account that was disabled by a password policy
             event.
     -disableuser
             Disable a user account.
     -getglobalhashtypes
             Returns the default list of password hashes stored on disk for
             this system.
     -setglobalhashtypes
             Edits the default list of password hashes stored on disk for
             this system.
     -gethashtypes
             Returns a list of password hashes stored on disk for a user
             account.
     -sethashtypes
             Edits the list of password hashes stored on disk for a user
             account.
     -setaccountpolicies
             Sets (replaces) the account policies for the specified user. If
             no user is specified, sets the global account policies. Takes
             one argument: the name of the file containing the policies.
     -getaccountpolicies
             Gets the account policies for the specified user. If no user is
             specified, gets the global account policies.
     -clearaccountpolicies
             Removes all of the account policies for the specified user. If
             no user is specified, removes the global account policies.
     -authentication-allowed
             Determines if the policies allow the user to authenticate.

   Account Policies
     Account policies are the replacement for the deprecated legacy global
     and user policies. Account policies are specified as a dictionary
     containing three keys, one key for each policy category. Note that the
     dictionary is not required to contain all of the policy categories.
     Valid keys for the policy categories are:

     policyCategoryAuthentication
             Controls when a user may login/authenticate.
     policyCategoryPasswordChange
             Determines if/when a user is required to change their password.
     policyCategoryPasswordContent
             Controls the set of allowable characters in a password.

     Each policy category contains an array of individual policy
     dictionaries. Valid keys in the policy dictionary are:

     policyIdentifier
             A user-defined unique identifier for the policy.
     policyParameters
             An optional key that contains a dictionary of parameters to be
             used in the policy or used for display purposes.
     policyContent
             The actual policy string, from which an NSPredicate can be
             created. Any valid NSPredicate keyword may be used, as well as
             certain parameters from the user's record and the policy's
             parameters dictionary.

     Below is an example account policy dictionary. Not all policy
     categories need be present in the dictionary.

     <dict>
         <key>policyCategoryAuthentication</key>
         <array>
             <dict>
                 <key>policyContent</key>
                 <string>policyAttributeMaximumFailedAuthentications &lt; policyAttributeFailedAuthentications</string>
                 <key>policyIdentifier</key>
                 <string>failed auths</string>
             </dict>
         </array>
         <key>policyCategoryPasswordChange</key>
         <array>
             <dict>
                 <key>policyContent</key>
                 <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * DAYS_TO_SECONDS</string>
                 <key>policyIdentifier</key>
                 <string>Change every 30 days</string>
                 <key>policyParameters</key>
                 <dict>
                     <key>policyAttributeExpiresEveryNDays</key>
                     <integer>30</integer>
                 </dict>
             </dict>
         </array>
         <key>policyCategoryPasswordContent</key>
         <array>
             <dict>
                 <key>policyContent</key>
                 <string>policyAttributePassword matches '.{3,}+'</string>
                 <key>policyIdentifier</key>
                 <string>com.apple.policy.legacy.minChars</string>
                 <key>policyParameters</key>
                 <dict>
                     <key>minimumLength</key>
                     <integer>3</integer>
                 </dict>
             </dict>
         </array>
     </dict>

   Account Policy Keywords
     The following keywords may be used in the policy content. The values
     from the user's record will be substituted for the keyword when the
     policy is evaluated. User-defined keywords may also be used, as long as
     the keyword is present in the policy's parameters dictionary.

     policyAttributePassword
             User's new password.
     policyAttributePasswordHashes
             Hashes of the new password. Compared against the history.
     policyAttributePasswordHistory
             User's password history.
     policyAttributePasswordHistoryDepth
             How much password history to keep.
     policyAttributeCurrentDate
             Current date and time as an NSDate. Use for comparing localized
             NSDates.
     policyAttributeCurrentTime
             Current date and time in seconds. Used for date/time
             calculations, i.e. date + interval.
     policyAttributeCurrentDayOfWeek
             Current day of the week (integer).
     policyAttributeCurrentTimeOfDay
             Current time of day (0000 to 2359).
     policyAttributeFailedAuthentications
             Number of consecutive failed authentication attempts.
     policyAttributeMaximumFailedAuthentications
             Maximum allowed consecutive failed authentication attempts.
     policyAttributeLastFailedAuthenticationTime
             Time of the last failed authentication.
     policyAttributeLastAuthenticationTime
             Time of the last successful authentication.
     policyAttributeLastPasswordChangeTime
             Time of the last password change.
     policyAttributeNewPasswordRequiredTime
             Time when a new password is required.
     policyAttributeCreationTime
             Time when the account was created.
     policyAttributeConsecutiveCharacters
             Number of consecutive (i.e. run of the same) characters in a
             password.
     policyAttributeMaximumConsecutiveCharacters
             Maximum number of consecutive characters allowed in a password.
     policyAttributeSequentialCharacters
             Number of sequential (ascending or descending) characters in a
             password.
     policyAttributeMaximumSequentialCharacters
             Maximum allowed number of sequential (ascending or descending)
             characters in a password.
     policyAttributeExpiresEveryNDays
             Expires every n number of days.
     policyAttributeDaysUntilExpiration
             Synonym for the above.
     policyAttributeEnableOnDate
             Date on which the account is enabled (localized NSDate).
     policyAttributeExpiresOnDate
             Date on which the account will expire (localized NSDate).
     policyAttributeEnableOnDayOfWeek
             Day of week on which the account is enabled (integer).
     policyAttributeExpiresOnDayOfWeek
             Day of week on which the account will expire (integer).
     policyAttributeEnableAtTimeOfDay
             Time of day at which the account is enabled (integer,
             0000-2359).
     policyAttributeExpiresAtTimeOfDay
             Time of day at which the account will expire (integer,
             0000-2359).

   Legacy Global Policies (DEPRECATED)
     usingHistory
             0 = user can reuse the current password, 1 = user cannot reuse
             the current password, 2-15 = user cannot reuse the last n
             passwords.
     usingExpirationDate
             If 1, user is required to change password on the date in
             expirationDateGMT
     usingHardExpirationDate
             If 1, user's account is disabled on the date in
             hardExpireDateGMT
     requiresAlpha
             If 1, user's password is required to have a character in
             [A-Z][a-z].
     requiresNumeric
             If 1, user's password is required to have a character in
             [0-9].
     expirationDateGMT
             Date for the password to expire, format must be: mm/dd/yy
     hardExpireDateGMT
             Date for the user's account to be disabled, format must be:
             mm/dd/yy
     validAfter
             Date for the user's account to be enabled, format must be:
             mm/dd/yy
     maxMinutesUntilChangePassword
             user is required to change the password at this interval
     maxMinutesUntilDisabled
             user's account is disabled after this interval
     maxMinutesOfNonUse
             user's account is disabled if it is not accessed by this
             interval
     maxFailedLoginAttempts
             user's account is disabled if the failed login count exceeds
             this number
     minChars
             passwords must contain at least minChars
     maxChars
             passwords are limited to maxChars

   Additional Legacy User Policies (DEPRECATED)
     isDisabled
             If 1, user account is not allowed to authenticate, ever.
     isAdminUser
             If 1, this user can administer accounts on the password server.
     newPasswordRequired
             If 1, the user will be prompted for a new password at the next
             authentication. Applications that do not support change
             password will not authenticate.
     canModifyPasswordforSelf
             If 1, the user can change the password.

   Stored Hash Types
     CRAM-MD5
             Required for IMAP.
     RECOVERABLE
             Required for APOP and WebDAV. Only available on Mac OS X Server
             edition.
     SALTED-SHA512-PBKDF2
             The default for loginwindow.
     SALTED-SHA512
             Legacy hash for loginwindow.
     SMB-NT  Required for compatibility with Windows NT/XP file sharing.
     SALTED-SHA1
             Legacy hash for loginwindow.
     SHA1    Legacy hash for loginwindow.

EXAMPLES
     To get global policies:

           pwpolicy -getglobalpolicy

     To set global policies:

           pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailedLoginAttempts=3"

     To get policies for a specific user account:

           pwpolicy -u user -getpolicy
           pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy

     To set policies for a specific user account:

           pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailedLoginAttempts=3"

     To change the password for a user:

           pwpolicy -a authenticator -u user -setpassword newpassword

     To set the list of hash types for local accounts:

           pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off SMB-NT on

SEE ALSO
     PasswordService(8)

Mac OS X                        13 November 2002                    pwpolicy(8)
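The following is an added example, not Apple's code or any part of pwpolicy: it shows how the account policy dictionary above is evaluated by substituting the user's record and the policyParameters into each policyContent string. The predicate evaluator walks a small whitelisted subset of NSPredicate syntax (comparisons, + - *, keywords, `matches`) rather than handing the policy text to eval; the sample plist, the user record, the value of DAYS_TO_SECONDS and the reading of the authentication rule as failed < maximum (true means "authentication allowed") are all assumptions of this example.

```python
import ast, operator, plistlib, re

DAYS_TO_SECONDS = 86400  # assumed value of the constant used in the man page's example policy
OPS = {ast.Lt: operator.lt, ast.Gt: operator.gt, ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _eval(node, env):
    """Walk a whitelisted subset of NSPredicate syntax: literals, keywords, + - *, comparisons, MATCHES."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]  # unknown keyword raises KeyError: a malformed policy must not read as true
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in OPS:
        return OPS[type(node.ops[0])](_eval(node.left, env), _eval(node.comparators[0], env))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "matches":
        subject, pattern = (_eval(a, env) for a in node.args)
        return re.fullmatch(pattern, subject) is not None  # NSPredicate MATCHES anchors the whole string
    raise ValueError("unsupported policy construct: " + ast.dump(node))

def evaluate_policies(plist_bytes, record):
    """Return {category: {policyIdentifier: bool}} for an account-policy plist and a user-record dict."""
    results = {}
    for category, policies in plistlib.loads(plist_bytes).items():
        results[category] = {}
        for pol in policies:
            # keyword values come from the user's record; policyParameters supply user-defined keywords
            env = {"DAYS_TO_SECONDS": DAYS_TO_SECONDS, **record, **pol.get("policyParameters", {})}
            text = re.sub(r"(\w+)\s+matches\s+('[^']*')", r"matches(\1, \2)", pol["policyContent"], flags=re.I)
            results[category][pol["policyIdentifier"]] = bool(_eval(ast.parse(text, mode="eval").body, env))
    return results

# Constructed policy plist modelled on the man page's example (authentication rule written failed < maximum;
# the regex is '.{3,}' because Python's re accepts the ICU possessive form '.{3,}+' only from 3.11 onwards)
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>policyCategoryAuthentication</key><array><dict><key>policyIdentifier</key><string>failed auths</string>
<key>policyContent</key><string>policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications</string></dict></array>
<key>policyCategoryPasswordChange</key><array><dict><key>policyIdentifier</key><string>Change every 30 days</string>
<key>policyContent</key><string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * DAYS_TO_SECONDS</string>
<key>policyParameters</key><dict><key>policyAttributeExpiresEveryNDays</key><integer>30</integer></dict></dict></array>
<key>policyCategoryPasswordContent</key><array><dict><key>policyIdentifier</key><string>com.apple.policy.legacy.minChars</string>
<key>policyContent</key><string>policyAttributePassword matches '.{3,}'</string></dict></array></dict></plist>"""

# Constructed user record: 2 of 5 failures used, password last changed 31 days ago, proposed new password "ab"
SAMPLE_RECORD = {"policyAttributeFailedAuthentications": 2, "policyAttributeMaximumFailedAuthentications": 5,
                 "policyAttributeCurrentTime": 1_700_000_000,
                 "policyAttributeLastPasswordChangeTime": 1_700_000_000 - 31 * DAYS_TO_SECONDS,
                 "policyAttributePassword": "ab"}
```

With the sample record, the authentication rule is satisfied, the 30-day change rule fires because 31 days have passed, and the two-character password fails the content rule; any construct outside the whitelist (attribute access, arbitrary calls) is rejected with ValueError instead of being executed.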
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=pwpolicy&sektion=8&manpath=macOS+13.6.5>
