Password script + Touch ID

MPB
New Contributor II

Hello,

For our password policy we are using a script we found here on Jamf Nation. It runs perfectly on MacBooks (Mid 2015), but not on the new 2016 MacBooks with Touch ID. After several logins (4 or 5 times) I can’t log in anymore: I get a hint that the password is wrong (shaking password field), then a black screen where I can only see the cursor. Only a hard shutdown fixes the problem.

If Touch ID is disabled, I don’t have these problems. Does anybody have any idea?

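#!/bin/bash
##########################################################################################################
## Purpose:  Create a pwpolicy XML file based upon variables and options included below.
##          Policy is applied and then file gets deleted. Use "sudo pwpolicy -u <user> -getaccountpolicies"
##          to see it, and "sudo pwpolicy -u <user> -clearaccountpolicies" to clear it.
##
## Usage:   Edit variables in Variable flowerbox below.
##          Then run as a policy from Casper, or standalone as root.
##
## Requires: bash (arrays and [[ ]] are used, hence #!/bin/bash instead of #!/bin/sh),
##          CocoaDialog at $CD for the prompts, and root (pwpolicy, /var/db and
##          /etc/location are all written as root).
##
## Tested on: OS X 10.10 and 10.11
##
## Authors: Danny Friedman, Civis Analytics IT Manager, CCA, civisanalytics.com
##          Jeff Holland, Civis Analytics Sr. Security Engineer, CISSP/GCUX, civisanalytics.com
#########################################################################################################

# Unset variables are almost always typos here; dialog results are read with ${var:-}
# so an empty CocoaDialog answer does not trip this.
set -u

# get logged-in user and assign it to a variable
#LOGGEDINUSER=$(ls -l /dev/console | awk '{print $3}')
#
#echo "LOGGEDINUSER is: $LOGGEDINUSER"

# Set cocoaDialog location
readonly CD="/usr/local/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"

##############################################################################
# Variables for script and commands generated below.
#
# EDIT AS NECESSARY FOR YOUR OWN PASSWORD POLICY
# AND COMPANY INFORMATION
#
# shellcheck disable=SC2034  # not used by the policy below; kept for local customisation
COMPANY_NAME="company.com"      # CHANGE THIS TO YOUR COMPANY NAME
LOCKOUT=300                     # 5min lockout
MAX_FAILED=10                   # 10 max failed logins before locking
                                # NOTE(review): on Sierra with Touch ID more than one
                                # authentication attempt may be counted per login, so this
                                # threshold can be reached sooner than the number of
                                # user-visible failures suggests -- confirm before tightening.
PW_EXPIRE=90                    # 90 days password expiration
MIN_LENGTH=8                    # at least 8 chars for password
MIN_NUMERIC=1                   # at least 1 number in password
MIN_ALPHA_LOWER=1               # at least 1 lower case letter in password
MIN_UPPER_ALPHA=1               # at least 1 upper case letter in password
MIN_SPECIAL_CHAR=1              # at least one special character in password
PW_HISTORY=3                    # remember last 3 passwords

ADMIN_USER="eladmin"            # local admin that authenticates the pwpolicy calls (-a)
exemptAccount1="admin"          #Exempt account used for remote management. CHANGE THIS TO YOUR EXEMPT ACCOUNT
#
##############################################################################

#######################################
# Print a message to stderr and abort with a non-zero status, so a Jamf/Casper
# policy running this script reports the failure instead of "success".
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Show a CocoaDialog input box and print the entered text on stdout.
# CocoaDialog prints the button number (1 = OK, 2 = Cancel) on the first line
# and the entered text on the second; --no-newline drops the trailing newline.
# The original script word-split that output and used the first word only,
# which silently truncated any value containing a space; here the whole second
# line is returned.
# Arguments: $1 - CocoaDialog runmode (standard-inputbox / secure-standard-inputbox)
#            $2 - window title
#            $3 - informative text
# Outputs:   entered text on stdout; status messages on stderr
# Returns:   0 on OK, 1 on Cancel, 2 if no button code came back (dialog missing/failed)
#######################################
ask() {
  local mode=$1 title=$2 prompt=$3
  local out button text
  out=$("$CD" "$mode" --title "$title" --no-newline --informative-text "$prompt")
  button=${out%%$'\n'*}
  if [[ "$out" == *$'\n'* ]]; then
    text=${out#*$'\n'}
  else
    text=                      # single line of output: a button code with no text
  fi
  case "$button" in
    1) echo "User said OK" >&2 ;;
    2) echo "Cancelling" >&2; return 1 ;;   # the original's `echo "Cancelling" exit` never exited
    *) echo "no answer from dialog" >&2; return 2 ;;
  esac
  printf '%s\n' "$text"
}

[[ -x "$CD" ]] || die "CocoaDialog not found at $CD"

# Dialog to enter the User name and create $USERNAME variable
USERNAME=$(ask standard-inputbox "Username" "Für welchen Benutzernamen?") || exit 1
[[ -n "$USERNAME" ]] || die "no username entered"

# Check for the exempt account before asking for credentials or doing any work;
# the original only refused after the plist had already been written.
if [[ "$USERNAME" == "$exemptAccount1" ]]; then
  echo "NETTER VERSUCH!"
  exit 1
fi

# Dialog to enter the Password and the $PASSWORD variable.
# NOTE: pwpolicy only takes the authenticator password via -p, so it is visible in
# the process list (ps) while each pwpolicy call runs and would be echoed by set -x;
# do not enable tracing on this script.
PASSWORD=$(ask secure-standard-inputbox "Password" "Bitte Admin Passwort eigeben") || exit 1

echo "policy parameters set"

# get user home folder (also confirms the account exists in the local directory)
USERHOME=$(dscl . read "/Users/$USERNAME" NFSHomeDirectory | cut -d' ' -f2)
[[ -n "$USERHOME" ]] || die "user $USERNAME not found in the local directory"

echo "USERHOME is: $USERHOME"

#################################################
##### create pwpolicy plist in /private/var/tmp
# Password policy using variables above is:
# Change as necessary in variable flowerbox above
# --------------------------------------------------
# pw's must be at least 8 chars
# pw's must have at least 1 lower case letter
# pw's must have at least 1 upper case letter
# pw's must have at least 1 special non-alpha/non-numeric character
# pw's must have at least 1 number
# can't use any of the previous 3 passwords
# pw's expire at 90 days
# 10 failed successive login attempts results in a 300sec lockout, then auto enables

echo "erstelle plist"

# A fixed name in the shared /private/var/tmp could be pre-created or symlinked by
# another local user before root writes it; mktemp creates a fresh, root-owned file.
plist=$(mktemp /private/var/tmp/pwpolicy.XXXXXX) || die "mktemp failed"
cleanup() { rm -f -- "$plist"; }   # delete staged plist on every exit path
trap cleanup EXIT

# Unquoted EOF so the $LOCKOUT, $MAX_FAILED, ... variables expand into the XML.
cat > "$plist" <<EOF
<dict>
 <key>policyCategoryAuthentication</key>
  <array>
   <dict>
    <key>policyContent</key>
     <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
    <key>policyIdentifier</key>
     <string>Authentication Lockout</string>
    <key>policyParameters</key>
  <dict>
  <key>autoEnableInSeconds</key>
   <integer>$LOCKOUT</integer>
   <key>policyAttributeMaximumFailedAuthentications</key>
   <integer>$MAX_FAILED</integer>
  </dict>
 </dict>
 </array>


 <key>policyCategoryPasswordChange</key>
  <array>
   <dict>
    <key>policyContent</key>
     <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
    <key>policyIdentifier</key>
     <string>Ändere alle $PW_EXPIRE Tage dein Passwort</string>
    <key>policyParameters</key>
    <dict>
     <key>policyAttributeExpiresEveryNDays</key>
      <integer>$PW_EXPIRE</integer>
    </dict>
   </dict>
  </array>


  <key>policyCategoryPasswordContent</key>
 <array>
  <dict>
   <key>policyContent</key>
    <string>policyAttributePassword matches '.{$MIN_LENGTH,}+'</string>
   <key>policyIdentifier</key>
    <string>Mindestens $MIN_LENGTH Zeichen</string>
   <key>policyParameters</key>
   <dict>
    <key>minimumLength</key>
     <integer>$MIN_LENGTH</integer>
   </dict>
  </dict>


  <dict>
   <key>policyContent</key>
    <string>policyAttributePassword matches '(.*[0-9].*){$MIN_NUMERIC,}+'</string>
   <key>policyIdentifier</key>
    <string>Mindestens eine Zahl</string>
   <key>policyParameters</key>
   <dict>
   <key>minimumNumericCharacters</key>
    <integer>$MIN_NUMERIC</integer>
   </dict>
  </dict>


  <dict>
   <key>policyContent</key>
    <string>policyAttributePassword matches '(.*[a-z].*){$MIN_ALPHA_LOWER,}+'</string>
   <key>policyIdentifier</key>
    <string>Mindestens einen Kleinbuchstaben</string>
   <key>policyParameters</key>
   <dict>
   <key>minimumAlphaCharactersLowerCase</key>
    <integer>$MIN_ALPHA_LOWER</integer>
   </dict>
  </dict>


  <dict>
   <key>policyContent</key>
    <string>policyAttributePassword matches '(.*[A-Z].*){$MIN_UPPER_ALPHA,}+'</string>
   <key>policyIdentifier</key>
    <string>Mindestens einen Großbuchstaben</string>
   <key>policyParameters</key>
   <dict>
   <key>minimumAlphaCharacters</key>
    <integer>$MIN_UPPER_ALPHA</integer>
   </dict>
  </dict>


  <dict>
   <key>policyContent</key>
    <string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){$MIN_SPECIAL_CHAR,}+'</string>
   <key>policyIdentifier</key>
    <string>Mindestens ein Sonderzeichen</string>
   <key>policyParameters</key>
   <dict>
   <key>minimumSymbols</key>
    <integer>$MIN_SPECIAL_CHAR</integer>
   </dict>
  </dict>


  <dict>
   <key>policyContent</key>
    <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
   <key>policyIdentifier</key>
    <string>Darf nicht mit einem der letzten $PW_HISTORY Passwörter übereinstimmen</string>
   <key>policyParameters</key>
   <dict>
    <key>policyAttributePasswordHistoryDepth</key>
     <integer>$PW_HISTORY</integer>
   </dict>
  </dict>

 </array>
</dict>
EOF

echo "plist fertig erstellt"
##### end of pwpolicy plist generation script
###################################################

# The plist stays root-owned: pwpolicy runs as root here, so the chown/chmod to the
# target user that the original did is not needed and would let that user edit the
# staged policy before it is applied.

# Deploy the policy. The authenticator (-a/-p) is the local admin, the target (-u)
# is the account entered in the dialog.
pw_auth=(-a "$ADMIN_USER" -p "$PASSWORD" -u "$USERNAME")

# clear account policy before loading a new one (best effort, as in the original)
pwpolicy "${pw_auth[@]}" -clearaccountpolicies || echo "warning: clearing old policy failed" >&2
echo "clearing done"

pwpolicy "${pw_auth[@]}" -setaccountpolicies "$plist" || die "pwpolicy -setaccountpolicies failed"
pwpolicy "${pw_auth[@]}" -setpolicy "newPasswordRequired=1" || die "pwpolicy -setpolicy failed"
unset PASSWORD pw_auth

# add hidden file for Extension Attribute & Smart Group
touch /var/db/.password_policy_set_successful_YES

# Single quotes: the original nested double quotes turned <user> into a redirection.
echo 'Password policy successfully applied. Run "sudo pwpolicy -u <user> -getaccountpolicies" to see it.'

# Dialog to enter the workplace number and record it in /etc/location
# (the window title "Username" is kept from the original).
location=$(ask standard-inputbox "Username" "Arbeitsplatznummer eingeben") || exit 1

# printf instead of an unquoted echo, so a value like "-n" is written literally
printf '%s\n' "$location" > /etc/location

exit 0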
1 ACCEPTED SOLUTION

gachowski
Valued Contributor II

MAX_FAILED=10

Sierra is sending more than one authentication attempt per login. There are reports that it will be fixed in 12.3. You can search here for AD, iCloud and Sierra to get more info.

C



gachowski
Valued Contributor II

MAX_FAILED=10

Sierra is sending more than one authentication attempt per login. There are reports that it will be fixed in 12.3. You can search here for AD, iCloud and Sierra to get more info.

C

MPB
New Contributor II

Many thanks! I am disabling the function for now.