Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   23457 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

pwpolicy(8)		  BSD System Manager's Manual		   pwpolicy(8)

NAME
     pwpolicy — gets and sets password policies

SYNOPSIS
     pwpolicy [-h]
     pwpolicy [-v] [-a authenticator] [-p password]
	      [-u username | -c computername] [-n nodename] command command-
	      arg
     pwpolicy [-v] [-a authenticator] [-p password]
	      [-u username | -c computername] [-n nodename] command "pol‐
	      icy1=value1 policy2=value2 ..."

DESCRIPTION
     pwpolicy manipulates password policies.

   Options
     -a	   name of the authenticator

     -c	   name of the computer account to modify

     -p	   password (omit this option for a secure prompt)

     -u	   name of the user account to modify

     -n	   use a specific directory node; the search node is used by default.

     -v	   verbose

     -h	   help

   Commands
     -getglobalpolicy		  Get global policies
     -setglobalpolicy		  Set global policies
     -getpolicy			  Get policies for a user
     --get-effective-policy	  Gets the combination of global and user
				  policies that apply to the user.
     -setpolicy			  Set policies for a user
     -setpolicyglobal		  Set a user account to use global policies
     -setpassword		  Set a new password for a user. Non-adminis‐
				  trators can use this command to change their
				  own passwords.
     -enableuser		  Enable a user account that was disabled by a
				  password policy event.
     -disableuser		  Disable a user account.
     -getglobalhashtypes	  Returns the default list of password hashes
				  stored on disk for this system.
     -setglobalhashtypes	  Edits the default list of password hashes
				  stored on disk for this system.
     -gethashtypes		  Returns a list of password hashes stored on
				  disk for a user account.
     -sethashtypes		  Edits the list of password hashes stored on
				  disk for a user account.
     -0 through -7		  Shortcuts for the above commands (in order).

   Global Policies
     usingHistory		       0 = user can reuse the current pass‐
				       word, 1 = user cannot reuse the current
				       password, 2-15 = user cannot reuse the
				       last n passwords.
     usingExpirationDate	       If 1, user is required to change pass‐
				       word on the date in expirationDateGMT
     usingHardExpirationDate	       If 1, user's account is disabled on the
				       date in hardExpireDateGMT
     requiresAlpha		       If 1, user's password is required to
				       have a character in [A-Z][a-z].
     requiresNumeric		       If 1, user's password is required to
				       have a character in [0-9].
     expirationDateGMT		       Date for the password to expire, format
				       must be: mm/dd/yy
     hardExpireDateGMT		       Date for the user's account to be dis‐
				       abled, format must be: mm/dd/yy
     validAfter			       Date for the user's account to be
				       enabled, format must be: mm/dd/yy
     maxMinutesUntilChangePassword     user is required to change the password
				       at this interval
     maxMinutesUntilDisabled	       user's account is disabled after this
				       interval
     maxMinutesOfNonUse		       user's account is disabled if it is not
				       accessed by this interval
     maxFailedLoginAttempts	       user's account is disabled if the
				       failed login count exceeds this number
     minChars			       passwords must contain at least min‐
				       Chars
     maxChars			       passwords are limited to maxChars

   Additional User Policies
     isDisabled			  If 1, user account is not allowed to authen‐
				  ticate, ever.
     isAdminUser		  If 1, this user can administer accounts on
				  the password server.
     newPasswordRequired	  If 1, the user will be prompted for a new
				  password at the next authentication. Appli‐
				  cations that do not support change password
				  will not authenticate.
     canModifyPasswordforSelf	  If 1, the user can change the password.

   Stored Hash Types
     CRAM-MD5		   Required for IMAP.
     RECOVERABLE	   Required for APOP and WebDAV. Only available on Mac
			   OS X Server edition.
     SALTED-SHA512-PBKDF2  The default for loginwindow.
     SALTED-SHA512	   Legacy hash for loginwindow.
     SMB-NT		   Required for compatibility with Windows NT/XP file
			   sharing.
     SALTED-SHA1	   Legacy hash for loginwindow.
     SHA1		   Legacy hash for loginwindow.

EXAMPLES
     To get global policies:

	   pwpolicy -getglobalpolicy

     To set global policies:

	   pwpolicy -a authenticator -setglobalpolicy "minChars=4 maxFailed‐
	   LoginAttempts=3"

     To get policies for a specific user account:

	   pwpolicy -u user -getpolicy
	   pwpolicy -u user -n /NetInfo/DefaultLocalNode -getpolicy

     To set policies for a specific user account:

	   pwpolicy -a authenticator -u user -setpolicy "minChars=4 maxFailed‐
	   LoginAttempts=3"

     To change the password for a user:

	   pwpolicy -a authenticator -u user -setpassword newpassword

     To set the list of hash types for local accounts:

	   pwpolicy -a authenticator -setglobalhashtypes SMB-LAN-MANAGER off
	   SMB-NT on

SEE ALSO
     PasswordService(8)

Mac OS X Server		       13 November 2002		       Mac OS X Server

Vote for polarhome