7.4. Password Policies

When you have large groups of people, and confidential information to disseminate to them, special precautions must be taken to ensure that the information doesn't become available to those who may do harm with it. The most common access restriction utilized in IT today is the standard username plus password paradigm. Adoption of two-factor and token-based authentication certainly is worth a look, but in this context I will discuss primarily how to best constrain global and per-user password policies to maximize the security that they can provide. When left to their own devices, end users will choose the shortest, easiest, and most guessable password they can. Strong passwords to them are nothing more than an inconvenience, and in many cases, a barrier to work.

Unless you have the infrastructure to implement tokens or smart cards, your users are stuck in a password world. The unfortunate reality is that the burden to ensure data confidentiality ultimately falls on you, the system administrator. Luckily, Mac OS X Server includes a set of tools for implementing password strength requirements and enforcing required, scheduled rotations. These tools are presented to you via the familiar Workgroup Manager application (for managing per-user settings) and in Server Admin (for managing system-global settings). Additionally, in typical fashion, Apple provides a command-line tool, pwpolicy, for more advanced uses.

To access global password policy settings, first open up the Server Admin application found in /Applications/Server and connect to your Open Directory server. Once connected, view the settings section of the Open Directory service and select the Policy tab. Under this tab, settings can be found for global user authentication requirements (the Passwords tab), computer binding requirements (the Binding tab), and supported hashes, which will be utilized by the OS X password server (the Authentication tab). Figure 7-25 demonstrates the Passwords tab, providing options to force password strength, such as minimum length, numeric digit, special character, and uppercase character requirements, and even allows for preventing users from reusing previously used passwords. In this tab, you can also force global rotation requirements, designating an arbitrary timeframe between password changes.

Figure 7.25. Configuring Global Password Policies in Server Admin.

The command-line equivalent to these global settings is found using the pwpolicy command, specifically the -getglobalpolicy and -setglobalpolicy flags. To require that all users have an alphanumeric password of at least 8 characters containing at least one special character, the syntax is as follows:

sudo pwpolicy -a hunterbj -setglobalpolicy "requiresNumeric=1 minChars=8 requiresAlpha=1 requiresSymbol=1"

In this example, you are specifying an Open Directory administrator user name with the -a flag, and then using -setglobalpolicy to set your specific items. To both confirm that your settings took effect and to get a list of possible settings, rerun the command with the -getglobalpolicy flag:

sudo pwpolicy -a hunterbj -getglobalpolicy
Password:
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=1 requiresNumeric=1 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=1 requiresMixedCase=0 requiresSymbol=1 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

After reading this output, you can clearly see the options that you just set. Likewise, you can verify that the settings have properly updated in Server Admin.
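Because -getglobalpolicy prints every setting on a single line, it is easy to drift from the policy you intended without noticing. The following POSIX shell script is an added example (it is not from the book, and pwpolicy itself is not invoked): it parses a constructed copy of the -getglobalpolicy output shown above and audits it against a baseline. The baseline values are assumptions chosen for illustration; the keys minChars, requiresAlpha, requiresNumeric, requiresSymbol, passwordCannotBeName, maxFailedLoginAttempts and usingHistory all appear in the output above. On a real server you would replace SAMPLE_POLICY with the captured output of sudo pwpolicy -a <diradmin> -getglobalpolicy.

```shell
#!/bin/sh
# Added example: audit a pwpolicy -getglobalpolicy dump against a baseline.
# Not part of the book; the sample line below is constructed to mirror the
# format of the real output (space-separated key=value pairs on one line).

SAMPLE_POLICY='usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=1 requiresMixedCase=0 requiresSymbol=1 newPasswordRequired=0'

# policy_get POLICY KEY
# Prints the value of KEY from the dump, or nothing if the key is absent.
policy_get() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# audit_policy POLICY
# Checks the dump against rules of the form key:op:value, where op is
# "eq" (must equal) or "ge" (must be at least). Only numeric keys are used
# here; date-valued keys such as expirationDateGMT would need string rules.
# Prints one FAIL line per deviation and returns the number of deviations,
# so a return status of 0 means the policy meets the baseline.
audit_policy() {
    policy="$1"
    fails=0
    # Assumed baseline: the book's strength settings plus lockout and
    # password-history requirements (illustrative values, not Apple defaults).
    for rule in minChars:ge:8 requiresAlpha:eq:1 requiresNumeric:eq:1 \
                requiresSymbol:eq:1 passwordCannotBeName:eq:1 \
                maxFailedLoginAttempts:ge:1 usingHistory:ge:1; do
        key=${rule%%:*}
        rest=${rule#*:}
        op=${rest%%:*}
        want=${rest#*:}
        actual=$(policy_get "$policy" "$key")
        if [ -z "$actual" ]; then
            echo "FAIL $key missing (want $op $want)"
            fails=$((fails + 1))
            continue
        fi
        case "$op" in
            eq) [ "$actual" -eq "$want" ] && continue ;;
            ge) [ "$actual" -ge "$want" ] && continue ;;
        esac
        echo "FAIL $key=$actual (want $op $want)"
        fails=$((fails + 1))
    done
    return "$fails"
}

# Stand-alone run: report deviations in the constructed sample.
audit_policy "$SAMPLE_POLICY" || echo "deviations found: $?"
```

Run against the constructed sample, the audit reports that account lockout (maxFailedLoginAttempts=0) and password history (usingHistory=0) are still disabled even though the strength settings from the example above are in place; wiring the script into a periodic check gives you an early warning if someone relaxes the global policy in Server Admin.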

NOTE

Global and per-user password policies do not apply to Open Directory Administrator accounts.

7.4.1. Password Changes at Loginwindow

When first deploying systems to hundreds of users, it is likely that you will first utilize a standard password or password pattern so that users can successfully log in for the first time. However, as you will often need to disseminate this information in an unsafe manner (such as email), it is important that you ensure that users reset their passwords to a personal value as soon as possible. To do this, you can modify the global password policy to force a password change upon first login, by simply checking the option for the password to "Be reset at first login." Alternatively, you can set this option using pwpolicy:

sudo pwpolicy -a hunterbj -setglobalpolicy "newPasswordRequired=1"

When troubleshooting user desktop issues, it may be necessary to reset the password. When doing so, you will usually want to force the user to change his or her password as soon as you're done with your work. The best way to do this is to force a password change at next login for that specific user. To do this, open Workgroup Manager, connect to your Open Directory server, and find the user account in question. With the user selected, password policies can be found by clicking on the Options button under the Advanced tab for the user. Here, you can set numerous per-user password policies. As mentioned in the warning shown in Figure 7-26, settings set here can override global policies.

Figure 7.26. Configuring per-user password policies using Workgroup Manager

There are a few caveats to forcing a user to change their password with this setting. First and foremost, not all network services in OS X support the ability to force a password change. In 10.5 and 10.6, the services that do support this are limited to loginwindow, the Accounts system preference pane, AFP authentication, Kerberos, and the web password change portal introduced in 10.6. For other, unsupported services, such as ssh, iCal, mail, and wiki services, when a user has a forced password change active, these services will simply fail authentication. As such, it is important that you properly communicate to your users that you reset their password, and make sure that they are familiar with the procedure to reset it themselves. If your email system utilizes Open Directory for authentication, setting this will lock them out of their email and constrain your ability to communicate with them.

7.4.2. Managing Keychains

Managing keychains will become a clear and present issue in the life of a Mac administrator. Keychains in OS X are encrypted files, which are used to store various sensitive information. Keychains are a system-wide framework that applications can utilize, providing a single universal method for password management. Each user has a default "login" keychain, which is automatically unlocked at login, provided the password entered at login is the same as that configured for the keychain. The login keychain is used by numerous applications such as Safari, Finder, Mail, and Entourage to store credentials. If a user opens these applications while the keychain is locked, they will be presented with a dialog box asking for their keychain password. If the user's login password and keychain password are mismatched, it will be very confusing to the end user, and will cause a level of frustration when they never know which password to use at any given moment.

As you may know already, the main issue is that when a user changes their password via any means other than the Accounts pane in System Preferences, their keychain password will not get updated. This creates a challenging issue for end users, as remembering a single password is hard enough for them. Combine this with the fact that, in order to address the issue, users need to be taught about the Keychain Access application, and this may or may not be plausible in your environment. Luckily, the Macintosh community springs into action. The folks at www.afp548.com have provided a handy utility, called Keychain Minder, which can be installed on client machines and set to autostart. When configured like this, Keychain Minder will start at user login and ensure that the login keychain has successfully unlocked. If not, the application will present the user with a dialog box asking them to enter their former password as well as their new password. After verifying the former password against the login keychain, it updates the keychain to the new password. If the user cannot remember the old password, the application provides an easy interface to start over with a new one.

Keychain Minder can be found for download at http://www.afp548.com/article.php?story=20080828125103334.
