Specifications
Providing Secure Authentication for Windows Users
Mac OS X Server also offers the same types of secure passwords for Windows users:
• Open Directory passwords are required for domain login from a Windows workstation to a Mac OS X Server PDC and can be used to authenticate for Windows file service. This type of password can be validated using many authentication methods, including NTLMv2, NTLMv1, and LAN Manager. (LAN Manager and NTLMv1 are weak legacy methods; allow them only for clients that cannot use NTLMv2.) Open Directory passwords are stored in a secure database, not in user accounts.
• Shadow passwords can’t be used for domain login, but they can be used for Windows file service and other services. This type of password can also be validated using the NTLMv2, NTLMv1, and LAN Manager authentication methods. Shadow passwords are stored in secure files, not in user accounts.
• A crypt password with Authentication Manager enabled provides compatibility for user accounts on a server that has been upgraded from Mac OS X Server v10.1. After upgrading the server to Mac OS X Server v10.6, these user accounts should be changed to use Open Directory passwords, which are more secure than the legacy Authentication Manager.
Offline Attacks on Passwords
Because crypt passwords are stored in user accounts, they are potentially subject
to attack.
User accounts in a shared directory domain are accessible on the network. Anyone on
the network who has Workgroup Manager or knows how to use command-line tools
can read the contents of user accounts, including crypt passwords stored in them.
Open Directory passwords and shadow passwords aren’t stored in user accounts,
so these passwords can’t be read from directory domains.
A malicious attacker, or cracker, could use Workgroup Manager or UNIX commands to copy user records to a file. The cracker can then transport this file to a system of their choosing and use various techniques (dictionary or brute-force guessing against the stored hash) to crack crypt passwords stored in the user records. After cracking a crypt password, the cracker can log in unnoticed with a legitimate user name and password.
This form of attack is known as an offline attack because it works against the copied records rather than against the server: it requires no login attempts, so it generates no failed-login records and is not slowed by account lockout or rate limiting.
An effective way to thwart password cracking is to use good passwords and avoid using crypt passwords. A password should contain letters, numbers, and symbols in combinations that can’t be easily guessed by unauthorized users.
Good passwords should not consist of actual words. They can include digits and symbols (such as # or $), or they can consist of the first letter of each word in a phrase. Use both uppercase and lowercase letters.
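The following is an added example, not code from Apple or from this guide, that shows why the offline attack described above only works against crypt passwords, and how the password guidance just given defeats it. It models a small set of exported user records (constructed for the example, loosely following the AuthenticationAuthority and Password attributes of a Mac OS X user record), keeps only the records whose hash is readable, and runs a dictionary attack against them with no login attempts. Because Python’s crypt module is deprecated and removed in recent versions, the crypt() hash is replaced by a salted SHA-256 stand-in; the record format, the sample users, the wordlist and the function names are all assumptions made for the example.

```python
import hashlib

# Stand-in for the crypt() hash the guide describes. A real crypt password is a
# 13-character DES-based string (2-character salt + 11 characters); this example
# uses a salted SHA-256 so it runs without the deprecated Python crypt module.
# The attack logic is the same: take the salt from the stored value, hash each
# guess with it, and compare.
def crypt_stand_in(password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + digest[:11]

# Constructed user records (assumption: modelled on the AuthenticationAuthority
# and Password attributes of a Mac OS X user record). Only ";basic;" (crypt)
# records carry the hash inline; shadow and Password Server records hold no
# usable material in the directory.
USER_RECORDS = [
    {"name": "alice", "AuthenticationAuthority": ";basic;",
     "Password": crypt_stand_in("letmein", "Jx")},
    {"name": "bob", "AuthenticationAuthority": ";ShadowHash;",
     "Password": "********"},
    {"name": "carol", "AuthenticationAuthority": ";ApplePasswordServer;",
     "Password": "********"},
    {"name": "dave", "AuthenticationAuthority": ";basic;",
     "Password": crypt_stand_in("Tqbfjotld#9", "aZ")},
]

# Constructed wordlist standing in for the dictionaries an attacker would use.
WORDLIST = ["password", "letmein", "welcome", "secret", "qwerty"]


def extractable_hashes(records):
    """Return what a reader of the directory can carry away: crypt hashes only."""
    hashes = {}
    for rec in records:
        if rec["AuthenticationAuthority"].startswith(";basic;") and rec["Password"] != "********":
            hashes[rec["name"]] = rec["Password"]
    return hashes


def offline_crack(stored_hash, wordlist):
    """Dictionary attack on one copied hash: hashing guesses locally, no logins."""
    salt = stored_hash[:2]
    for guess in wordlist:
        if crypt_stand_in(guess, salt) == stored_hash:
            return guess
    return None


def audit(records=USER_RECORDS, wordlist=WORDLIST):
    """Map each exposed user to the recovered password, or None if not cracked."""
    return {name: offline_crack(h, wordlist) for name, h in extractable_hashes(records).items()}


def from_phrase(phrase):
    """Build a password from the first letter of each word, as the guide suggests."""
    return "".join(word[0] for word in phrase.split())


def is_good_password(password, dictionary=WORDLIST):
    """Apply the guide's rules: mixed case, digits, symbols, not a plain word."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    not_a_word = password.lower() not in dictionary
    return has_upper and has_lower and has_digit and has_symbol and not_a_word


if __name__ == "__main__":
    # bob and carol never appear: their records expose nothing to take offline.
    print(audit())
```

Running it recovers alice’s dictionary word immediately, while dave’s phrase-derived password (the initials of “The quick brown fox jumps over the lazy dog” plus a symbol and a digit) survives the wordlist; bob and carol are not even candidates, which is the point of moving accounts off crypt passwords.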
40 Chapter 3 Open Directory Authentication