Password Rules

[BSDimwit]

Does anyone know of a way or 3rd party software available that will do the following password related things.

1. In many UNIX's, there is a way to set password construction rules... such as all passwords must be at least 8 characters and must have at least 1 non alphabetic character...

2. Lockout a user's account when their password is typed incorrectly X amount of times. I have found pam modules for other OS's that do this, has anyone seen one available for Darwin/Mac OS X.

I am a pretty accomplished FreeBSD admin and what puzzles me is that if they were going to port over most of FreeBSD's userland, why didn't they take the /etc/login.conf functionality as well...GRRR. Heck, even Windows offers this ability. I hope I am simply mistaken.

I am asking this because I work for a company that builds computer systems for the Air Force (Major Defense Contractor). The systems often reside on classified networks and in general must comply with the US Gov'ts C2 requirements. The password related items I listed above are sticking points where Macs are concerned and since I like Macs, I am trying to get several macs that have been laying around onto one of these networks. While 10.3 did make some significant improvements where password security is concerned(shadowed passwords, MD5 hashes, etc...) it seems that Apple has a bit further to go where defense contracts are concerned. It just irks me when Linux or FreeBSD can do something that Mac OS X doesn't seem to be able to with me coding my pam modules.

I have no experience with OSX server... does the server offer this sort of granularity where account passwords are concerned? I know that with Netinfo, Mac's have the ability to many of the things that NIS can do, but does it surpass NIS(not C2 compliant) where centralized account management is concerned?

Any help I can get will help me out greatly... not to mention give me more ammunition to dog the NT admins.

Thanks in advance.

[michaelsanford]

That's interesting. From all that I know, I don't know of a way to do this with a third party applicaiton, since it's I'm pretty sure this functionality is built in to the system. You're presumably talking about password lengths when sysadmins create user accounts?

Mac OS X uses .plist files all over the place to configure all the different parameters of the system. I would try looking through /Library/Preferences/SystemConfiguration/ for something appropriate (I've had a quick glance but haven't found anything).

In fact, up to and including Jaguar you couldn't use linux-style MD5 passwords (which meant that the maximum stored password was something like 8 characters, and after that it was truncated, thouch the input fields were larger). I don't know if this is the case in Panther or not.

This is certainly something you could suggest to Apple for 10.3.2, if you want to start one of those online petitions I'll sign in a second.

I'll look around for you.

[MisterK]

Im not sure if this'll help you out but it's sure worth taking a look at it.
check www.webmin.com (and for info www.swelltech.com/support/webminguide).
It is a GUI Tool for System administrators, and I've heard alot of good stories about it.
Also I know that Panther ships with the latest version of Kerberos (web.mit.edu/kerberos/www/).
Well I hope this'll help you a little, and I'll look around for you as well.