Local password policy lockout timeout not working
Originator: eric
Number: rdar://28849031
Date Originated: 10/19/2016
Status: Open
Resolved:
Product: macOS
Product Version: 10.12/16A323
Classification: Security
Reproducible: Always
Summary:
I have set a local password policy to lock an account if the password is mistyped 5 times and then unlock after 30 minutes. This worked properly in 10.11. It does not work properly in 10.12.

Steps to Reproduce:
1. Create a test user account on a 10.12 system.
2. Apply the attached pwpolicy.plist to the account with 'pwpolicy setaccountpolicies -u <testaccount> /path/to/pwpolicy.plist'
3. Log out of admin account
4. Attempt to login to test account with the wrong password 5 times.
5. Wait 30 minutes.
6. Attempt to login to test account with the right password.

Expected Results:
The test account should be able to log in.

Actual Results:
See a message on the login window that "Your account does not have a valid home directory. Contact your system administrator for more information."

If instead of waiting 30 minutes, you clear out the failed logins, the user will be able to log in properly.
'dscl . createpl /Users/<testaccount> accountPolicyData failedLoginCount 0'
'dscl . createpl /Users/<testaccount> accountPolicyData failedLoginTimestamp 0'

pwpolicy.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>policyCategoryAuthentication</key>
    <array>
        <dict>
            <key>policyContent</key>
            <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
            <key>policyIdentifier</key>
            <string>ProfilePayload:610F4E80-ABAE-4754-9CD9-CEA09733B088:maxFailedAttempts</string>
            <key>policyParameters</key>
            <dict>
                <key>policyAttributeMaximumFailedAuthentications</key>
                <integer>5</integer>
                <key>autoEnableInSeconds</key>
                <integer>1800</integer>
            </dict>
        </dict>
    </array>
</dict>
</plist>
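
The lockout predicate in the policy above, evaluated by hand to show the behaviour the report expects at each point in time. This is an added example, not part of the original report and not Apple's code. It assumes failedLoginCount and failedLoginTimestamp in accountPolicyData correspond to policyAttributeFailedAuthentications and policyAttributeLastFailedAuthenticationTime; the plist is a trimmed, constructed copy of the report's policy and the function names are hypothetical.

```python
import plistlib

# Constructed, trimmed copy of the report's pwpolicy.plist ('<' and '>' XML-escaped).
PWPOLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>policyCategoryAuthentication</key>
<array><dict>
  <key>policyContent</key>
  <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
  <key>policyIdentifier</key>
  <string>ProfilePayload:610F4E80-ABAE-4754-9CD9-CEA09733B088:maxFailedAttempts</string>
  <key>policyParameters</key>
  <dict>
    <key>policyAttributeMaximumFailedAuthentications</key><integer>5</integer>
    <key>autoEnableInSeconds</key><integer>1800</integer>
  </dict>
</dict></array>
</dict></plist>"""

def lockout_params(plist_bytes):
    """Return (max_failed, auto_enable_seconds) from the failed-login policy."""
    doc = plistlib.loads(plist_bytes)
    for policy in doc.get("policyCategoryAuthentication", []):
        params = policy.get("policyParameters", {})
        if "policyAttributeMaximumFailedAuthentications" in params:
            return (params["policyAttributeMaximumFailedAuthentications"],
                    params.get("autoEnableInSeconds"))
    raise ValueError("no failed-login lockout policy in plist")

def login_allowed(failed_count, last_failed_ts, now, max_failed, auto_enable):
    """Hand evaluation of this one policyContent expression (assumed mapping:
    failed_count = failedLoginCount, last_failed_ts = failedLoginTimestamp)."""
    if failed_count < max_failed:
        return True
    # Assumption: with no autoEnableInSeconds, the time clause is never satisfied.
    return auto_enable is not None and now > last_failed_ts + auto_enable

def replay(plist_bytes, failure_times, check_times):
    """Replay failed logins (epoch seconds); report allowed/locked at each check time."""
    max_failed, auto_enable = lockout_params(plist_bytes)
    count, last = len(failure_times), max(failure_times, default=0)
    return {t: login_allowed(count, last, t, max_failed, auto_enable) for t in check_times}

if __name__ == "__main__":
    t0 = 1476878400  # constructed timestamp
    fails = [t0 + i * 10 for i in range(5)]  # five mistyped passwords
    checks = [fails[-1] + 60, fails[-1] + 1800, fails[-1] + 1801]
    for t, ok in replay(PWPOLICY, fails, checks).items():
        print(t - fails[-1], "s after last failure:", "allowed" if ok else "locked")
```

The comparison is strict, so the account is still locked at exactly 1800 seconds and is allowed from 1801 seconds after the last failure.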
Comments
This is resolved in 10.12.3 (16D32)