
I am setting up a Mac Mini for use as a server in our office. I am trying to set in place a reasonable security policy. Currently, I am struggling to accomplish the following:

How can I make a user change their password when they sign in for the first time via SSH? I have seen answers involving setting newPasswordRequired=1 using pwpolicy, but this has been deprecated since 10.10. Bonus points if the login keyring can be updated at the same time.

  • MacOS uses opendirectory locally to configure/manage accounts, if you are using opendirectory under linux, it is the same. But if you are using common local linux account, you will have to modify your scripts. For all other things MacOS is almost identical to linux, like shell scripts and batch commands. Different from linux, SSH is disabled by default, did you manage to enable it? – Prado Aug 29 '19 at 20:46
  • Yes, I've enabled sshd and can login with passwords. – Alex Reinking Aug 29 '19 at 20:49
  • There is a quick explanation about creating users from the command line here: https://apple.stackexchange.com/questions/274954/cannot-create-a-user-account-on-mac-using-command-line – Prado Aug 29 '19 at 20:51
  • I see three questions here (how to create users with certain properties from a bash script, how to set a timeout to replace a password with a public key, how to enforce a public key), this site works better with one question per post. Also, some of these questions already have been asked before. – nohillside Aug 30 '19 at 05:57
  • Feel free to ask these questions separately (or edit the current down to one). If you do so, please also share whatever code snippet you already have. It's often easier to help if it is more clear where you are coming from. – nohillside Aug 30 '19 at 05:58
  • @nohillside - I have reduced the focus of this question to just the password expiry part. – Alex Reinking Aug 30 '19 at 06:37
  • I am adding a new answer I found here that may be of interest for you https://apple.stackexchange.com/a/367924/341083 – Prado Aug 30 '19 at 17:36
  • We are all contributing for the final answer, I see no problem about 3 questions because they are tightly connected and the final answer once composed will be a very specific answer and complete, which sure will help others with similar situations. My focus is on the question purpose, not the quantity. the purpose is just 1(one) – Prado Aug 30 '19 at 17:39
  • warning Never, never try -setpolicy "newPasswordRequired=1" on newer systems, it still works somehow/bugged [it accepts that option, but..], I tried it now on MacOS 10.15 Catalina, and the user is not able to log in anymore Lol. SSH quits the session just after inserting the password. GUI login is impossible for such a user now. – Prado Aug 30 '19 at 19:32
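An added audit script, not part of the question or the comments above: before enabling password SSH logins on the server, list which local accounts carry the newPasswordRequired flag that the last comment reports as locking the user out. It assumes the legacy space-separated key=value output of `pwpolicy -u USER -getpolicy` (an assumption; the exact text varies by release). The account names alice and bob and their policy strings are constructed samples, used in place of the real command when `pwpolicy` is not on the host so the script also runs offline.

```shell
#!/bin/sh
# Added example: audit local accounts for newPasswordRequired=1, the flag the
# comment above reports as making SSH and GUI login fail on recent macOS.
# Assumption: `pwpolicy -u USER -getpolicy` prints key=value pairs separated
# by spaces; on a host without pwpolicy the constructed samples below are used.

# Constructed sample policy output for two hypothetical accounts.
SAMPLE_alice='Getting policy for user <alice>
isDisabled=0 isAdminUser=0 newPasswordRequired=1 usingHistory=0'
SAMPLE_bob='Getting policy for user <bob>
isDisabled=0 isAdminUser=1 newPasswordRequired=0 usingHistory=0'

# Print the policy text for a user: real pwpolicy when present, otherwise the
# constructed sample (only the sample names alice/bob resolve offline).
get_policy() {
    user=$1
    if command -v pwpolicy >/dev/null 2>&1; then
        pwpolicy -u "$user" -getpolicy 2>/dev/null
    else
        eval "printf '%s\n' \"\$SAMPLE_$user\""
    fi
}

# Read policy text on stdin and print the value of one key (e.g.
# newPasswordRequired); prints nothing when the key is absent.
policy_value() {
    key=$1
    tr ' ' '\n' | sed -n "s/^${key}=//p" | head -n 1
}

# Exit status 0 when the account has newPasswordRequired=1, 1 otherwise.
needs_password_change() {
    val=$(get_policy "$1" | policy_value newPasswordRequired)
    [ "$val" = "1" ]
}

# Report each user in the argument list; flagged accounts are the ones that
# would hit the lock-out described in the comments.
audit_users() {
    for u in "$@"; do
        if needs_password_change "$u"; then
            printf 'FLAGGED: %s has newPasswordRequired=1\n' "$u"
        else
            printf 'ok:      %s\n' "$u"
        fi
    done
}

audit_users alice bob
```

Run it with the real account names on the Mac Mini (`audit_users "$(dscl . -list /Users | grep -v '^_')"` is one way to feed it every local user); any account it flags is worth resetting through the normal account tools before the first SSH login rather than after the user is already locked out.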
