pwpolicy(8) BSD System Manager's Manual pwpolicy(8)NAMEpwpolicy — gets and sets password policies
SYNOPSISpwpolicy [-h]
pwpolicy [-v] [-a authenticator] [-p password]
[-u username | -c computername] [-n nodename] command command-
arg
pwpolicy [-v] [-a authenticator] [-p password]
[-u username | -c computername] [-n nodename] command "pol‐
icy1=value1 policy2=value2 ..."
DESCRIPTIONpwpolicy manipulates password policies.
Options
-a name of the authenticator
-c name of the computer account to modify
-p password (omit this option for a secure prompt)
-u name of the user account to modify
-n use a specific directory node; the search node is used by default.
-v verbose
-h help
Commands
-getglobalpolicy Get global policies
-setglobalpolicy Set global policies
-getpolicy Get policies for a user
--get-effective-policy Gets the combination of global and user
policies that apply to the user.
-setpolicy Set policies for a user
-setpolicyglobal Set a user account to use global policies
-setpassword Set a new password for a user. Non-adminis‐
trators can use this command to change their
own passwords.
-enableuser Enable a user account that was disabled by a
password policy event.
-disableuser Disable a user account.
-getglobalhashtypes Returns the default list of password hashes
stored on disk for this system.
-setglobalhashtypes Edits the default list of password hashes
stored on disk for this system.
-gethashtypes Returns a list of password hashes stored on
disk for a user account.
-sethashtypes Edits the list of password hashes stored on
disk for a user account.
-0 through -7 Shortcuts for the above commands (in order).
Global Policies
usingHistory 0 = user can reuse the current pass‐
word, 1 = user cannot reuse the current
password, 2-15 = user cannot reuse the
last n passwords.
usingExpirationDate If 1, user is required to change pass‐
word on the date in expirationDateGMT
usingHardExpirationDate If 1, user's account is disabled on the
date in hardExpireDateGMT
requiresAlpha If 1, user's password is required to
have a character in [A-Z][a-z].
requiresNumeric If 1, user's password is required to
have a character in [0-9].
expirationDateGMT Date for the password to expire, format
must be: mm/dd/yy
hardExpireDateGMT Date for the user's account to be dis‐
abled, format must be: mm/dd/yy
validAfter Date for the user's account to be
enabled, format must be: mm/dd/yy
maxMinutesUntilChangePassword user is required to change the password
at this interval
maxMinutesUntilDisabled user's account is disabled after this
interval
maxMinutesOfNonUse user's account is disabled if it is not
accessed by this interval
maxFailedLoginAttempts user's account is disabled if the
failed login count exceeds this number
minChars passwords must contain at least min‐
Chars
maxChars passwords are limited to maxChars
Additional User Policies
isDisabled If 1, user account is not allowed to authen‐
ticate, ever.
isAdminUser If 1, this user can administer accounts on
the password server.
newPasswordRequired If 1, the user will be prompted for a new
password at the next authentication. Appli‐
cations that do not support change password
will not authenticate.
canModifyPasswordforSelf If 1, the user can change the password.
Stored Hash Types
CRAM-MD5 Required for IMAP.
RECOVERABLE Required for APOP and WebDAV. Only available on Mac
OS X Server edition.
SALTED-SHA512-PBKDF2 The default for loginwindow.
SALTED-SHA512 Legacy hash for loginwindow.
SMB-NT Required for compatibility with Windows NT/XP file
sharing.
SALTED-SHA1 Legacy hash for loginwindow.
SHA1 Legacy hash for loginwindow.
EXAMPLES
To get global policies:
pwpolicy-getglobalpolicy
To set global policies:
pwpolicy-a authenticator -setglobalpolicy "minChars=4 maxFailed‐
LoginAttempts=3"
To get policies for a specific user account:
pwpolicy-u user -getpolicy
pwpolicy-u user -n /NetInfo/DefaultLocalNode -getpolicy
To set policies for a specific user account:
pwpolicy-a authenticator -u user -setpolicy "minChars=4 maxFailed‐
LoginAttempts=3"
To change the password for a user:
pwpolicy-a authenticator -u user -setpassword newpassword
To set the list of hash types for local accounts:
pwpolicy-a authenticator -setglobalhashtypes SMB-LAN-MANAGER off
SMB-NT on
SEE ALSOPasswordService(8)Mac OS X Server 13 November 2002 Mac OS X Server