Created
June 29, 2017 13:34
-
-
Save Freccia/37df869bd91a2c5edfffd4b02f5d24f0 to your computer and use it in GitHub Desktop.
Sets Os X Password Policies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ################################################################################### | |
| ## Create a pwpolicy XML file based upon variables and options included below. | |
| ## Policy is applied and then file gets deleted. | |
| ## Use "sudo pwpolicy -u <user> -getaccountpolicies" | |
| ## to see it, and "sudo pwpolicy -u <user> -clearaccountpolicies" to clear it. | |
| ## | |
| ## Tested on: OS X 10.10 10.11 10.12 | |
| #################################################################################### | |
| ######################################### | |
| # Make sure only root can run our script | |
| # | |
| if [ "$(id -u)" != "0" ]; then | |
| echo "Please run this script as root" 1>&2 | |
| exit 1 | |
| fi | |
| ########################################## | |
| ############################################################################# | |
| # Variables for script and commands generated below. | |
| # EDIT AS NECESSARY FOR YOUR OWN PASSWORD POLICY | |
| # | |
| LOCKOUT=60 # 1min lockout | |
| # Sierra is sending more than one authentications attempts. | |
| # There are reports that it will be fixed in 12.3. | |
| #MAX_FAILED=10 # 10 max failed logins before locking | |
| PW_EXPIRE=180 # 180 days password expiration | |
| MIN_LENGTH=10 # at least 10 chars for password | |
| MIN_ALPHA_LOWER=1 # at least 1 lower case letter in password | |
| MIN_UPPER_ALPHA=1 # at least 1 upper case letter in password | |
| MIN_SPECIAL_CHAR=1 # at least one special character in password | |
| PW_HISTORY=3 # remember last 3 passwords | |
| # | |
| ############################################################################## | |
| ################################################### | |
| # create pwpolicy.plist in /private/var/tmp | |
| # Password policy using variables above is: | |
| # Change as necessary in variable flowerbox above | |
| # ------------------------------------------------- | |
| echo " | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>policyCategoryPasswordChange</key> | |
| <array> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string> | |
| <key>policyIdentifier</key> | |
| <string>Change every 180 days</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>policyAttributeExpiresEveryNDays</key> | |
| <integer>180</integer> | |
| </dict> | |
| </dict> | |
| </array> | |
| <key>policyCategoryPasswordContent</key> | |
| <array> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>policyAttributePassword matches '.{10,}+'</string> | |
| <key>policyIdentifier</key> | |
| <string>Has at least 10 characters</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>minimumLength</key> | |
| <integer>10</integer> | |
| </dict> | |
| </dict> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string> | |
| <key>policyIdentifier</key> | |
| <string>Has a lower case letter</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>minimumAlphaCharactersLowerCase</key> | |
| <integer>1</integer> | |
| </dict> | |
| </dict> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string> | |
| <key>policyIdentifier</key> | |
| <string>Has an upper case letter</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>minimumAlphaCharacters</key> | |
| <integer>1</integer> | |
| </dict> | |
| </dict> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string> | |
| <key>policyIdentifier</key> | |
| <string>Has a special character</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>minimumSymbols</key> | |
| <integer>1</integer> | |
| </dict> | |
| </dict> | |
| <dict> | |
| <key>policyContent</key> | |
| <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string> | |
| <key>policyIdentifier</key> | |
| <string>Does not match any of last 3 passwords</string> | |
| <key>policyParameters</key> | |
| <dict> | |
| <key>policyAttributePasswordHistoryDepth</key> | |
| <integer>3</integer> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </plist>" > /private/var/tmp/pwpolicy.plist | |
| ##### end of pwpolicy.plist generation script | |
| ################################################### | |
| # clear account policy before loading a new one | |
| pwpolicy -clearaccountpolicies | |
| pwpolicy -setaccountpolicies /private/var/tmp/pwpolicy.plist | |
| #delete staged pwpolicy.plist | |
| rm -f /private/var/tmp/pwpolicy.plist | |
| echo "Password policy successfully applied. Run \"sudo pwpolicy -getaccountpolicies\" to see it." | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment