Specifications
Chapter 3 Open Directory Authentication 41
Shadow passwords and Open Directory passwords are far less susceptible to offline
attack because they are not stored in user records, which every user can read.
Shadow passwords are stored in separate files that can be read only by the root
user (also known as the system administrator), so an attacker who can read the
directory cannot copy them for offline guessing.
Open Directory passwords are stored securely in the Kerberos KDC and in the Open
Directory Password Server database. A user’s Open Directory password can’t be
read by other users, not even by a user with administrator rights for Open Directory
authentication. (This administrator can change only Open Directory passwords and
password policies.)
Crypt passwords are not considered secure. They should be used only for user
accounts that must be compatible with UNIX clients that require them, or for
Mac OS X v10.1 clients. Being stored in user accounts, they're too accessible and
therefore subject to offline attack. Although stored as a salted hash rather than
in clear text, the hash is cheap to compute, so an attacker who has copied the user
records can test guesses against it offline at high speed without ever contacting
the server. For more information, see "Offline Attacks on Passwords" on page 40.
How Crypt Passwords Are Encrypted
Crypt passwords are not stored in clear text; they are made unreadable by a one-way
hash function, the crypt(3) function inherited from UNIX. The clear text password is
supplied together with a random value, the salt, to the hash function. A one-way
hash function always generates the same output from the same password and salt but
cannot be run in reverse to recover the original password from the output. The salt
is stored alongside the hash so that the same computation can be repeated later.
To validate a password, Mac OS X applies the function to the password entered by the
user, using the salt from the stored value, and compares the result with the value
stored in the user account or shadow file. If the values match, the password is
considered valid.
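The following is an added example, not code from the Open Directory guide or from Apple. It shows the salted one-way hashing and verification flow described above, and then the offline attack the previous section warns about: given a copy of the stored values, an attacker tests guesses locally. The hash function is a stand-in (SHA-256 over salt+password, chosen so the example runs anywhere) and is not the DES-based crypt(3) algorithm; the "salt$hash" storage format, the account names, passwords and word list are all constructed for this example.

```python
"""Salted one-way hashing, verification and an offline guessing attack.

Added example, not Apple's code. hash_password is a stand-in for the
UNIX crypt(3) function (SHA-256 over salt+password, chosen so the
example runs anywhere); the "salt$hash" storage format, the account
names, passwords and word list are all constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return 'salt$hash'. The salt is stored with the hash so that the
    same computation can be repeated at login time."""
    if salt is None:
        # A fresh random salt per password: two users with the same
        # password get different stored values.
        salt = secrets.token_hex(4)
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the entered password with the stored salt and compare.
    compare_digest avoids leaking the match position through timing."""
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed records: what an attacker obtains by reading user records
# that carry the hash in an attribute readable by every user.
SAMPLE_RECORDS: Dict[str, str] = {
    "alice": hash_password("letmein", "a1b2c3d4"),
    "bob": hash_password("Tr0ub4dor&3", "e5f6a7b8"),
}

# Constructed word list; a real attack uses millions of candidates.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty"]


def offline_attack(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack: no login attempts are made and no lockout or
    rate limit applies, because every check is a local hash computation.
    Returns {user: recovered_password} for every record that matched."""
    cracked = {}
    for user, stored in records.items():
        salt, _ = stored.split("$", 1)
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt), stored):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    print(verify_password("letmein", SAMPLE_RECORDS["alice"]))  # True
    print(offline_attack(SAMPLE_RECORDS, WORDLIST))              # {'alice': 'letmein'}
```

Note that the salt does not stop the attack; it only prevents one precomputed table from serving every account. What stops it is denying the attacker the stored value in the first place, which is exactly what shadow files readable only by root and the Password Server database achieve.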
Determining Which Authentication Option to Use
To authenticate a user, Open Directory must determine which authentication option to
use—Kerberos, Open Directory Password Server, shadow password, or crypt password.
The user's account contains information that specifies which authentication option to
use. This information is named the authentication authority attribute.
Open Directory uses the name provided by the user to locate the user’s account in the
directory domain. Then Open Directory consults the authentication authority attribute
in the user’s account and learns which authentication option to use.
You can change a user’s authentication authority attribute by changing the password
type in the Advanced pane of Workgroup Manager, as shown in the following table.
For more information, see “Changing a User’s Password Type” on page 107.
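The following is an added example, not code from the Open Directory guide or from Apple. It models the two-step lookup described above: find the account by the name the user supplied, then read its authentication authority attribute to choose the option. Assumptions: a user record is modelled as a dict; attribute values take the form ";tag;data" and the tag strings used are the ones the attribute shows in dscl output on Mac OS X 10.4 (not taken from this page); an account with no attribute is treated as a crypt password account; when a record lists several authorities the example prefers Kerberos, which is this example's choice and not an order stated on this page. The directory contents are constructed.

```python
"""Choose the authentication option for a user from the AuthenticationAuthority
attribute. Added example, not Apple's code.

Assumptions: user records are dicts; attribute values look like ";tag;data"
with the tags below (as seen in dscl output on Mac OS X 10.4, not from the
page); a record without the attribute is a crypt password account; with
several authorities present, Kerberos is preferred (this example's choice).
"""
from typing import Dict, List, Tuple

# Authority tag -> authentication option named in the guide.
AUTHORITY_TAGS = {
    "Kerberosv5": "Kerberos",
    "ApplePasswordServer": "Open Directory Password Server",
    "ShadowHash": "shadow password",
    "basic": "crypt password",
}

# Preference when a record lists several authorities (assumed order).
PREFERENCE = ["Kerberos", "Open Directory Password Server",
              "shadow password", "crypt password"]


def parse_authority(value: str) -> Tuple[str, str]:
    """';Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;' -> ('Kerberosv5', ';alice@...')."""
    if not value.startswith(";"):
        raise ValueError(f"malformed authentication authority: {value!r}")
    parts = value.split(";", 2)
    tag = parts[1]
    data = parts[2] if len(parts) > 2 else ""
    if not tag:
        raise ValueError(f"empty authority tag in {value!r}")
    return tag, data


def resolve_option(record: Dict[str, List[str]]) -> str:
    """Map a record's authority values to one of the four options."""
    values = record.get("AuthenticationAuthority", [])
    if not values:
        return "crypt password"  # assumption: no attribute means crypt
    options = []
    for value in values:
        tag, _ = parse_authority(value)
        if tag in AUTHORITY_TAGS:          # unknown tags are ignored
            options.append(AUTHORITY_TAGS[tag])
    if not options:
        raise ValueError(f"no supported authentication authority in {values!r}")
    return min(options, key=PREFERENCE.index)


def authentication_option_for(name: str, directory: Dict[str, dict]) -> str:
    """Step 1: locate the account by the supplied name.
    Step 2: consult its authentication authority attribute."""
    try:
        record = directory[name]
    except KeyError:
        raise LookupError(f"no account named {name!r}") from None
    return resolve_option(record)


# Constructed directory domain (values are illustrative, not real records).
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "alice": {"AuthenticationAuthority": [
        ";ApplePasswordServer;0x0123456789abcdef,1024 35 1234 root@pwserver.example.com:3659",
        ";Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;",
    ]},
    "bob": {"AuthenticationAuthority": [";ShadowHash;"]},
    "carol": {"AuthenticationAuthority": [";basic;"]},
    "dave": {},
}


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        print(user, "->", authentication_option_for(user, SAMPLE_DIRECTORY))
```

Changing a user's password type in Workgroup Manager amounts to rewriting this attribute; an account whose attribute is absent or only says ";basic;" is the case the previous section advises against keeping.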