
Chapter 3 Open Directory Authentication 53
Disabling Shadow Password Authentication Methods

You can selectively disable authentication methods to make passwords stored in
shadow password files more secure. For example, if a user doesn't use mail service
or web services, you can disable the WebDAV-Digest and APOP methods for the
user. Then someone who gains access to the shadow password files on a server can't
recover the user's password.

Important: If you disable a shadow password authentication method, its hash is
removed from a user's shadow password file the next time the user authenticates. If
you enable an authentication method that was disabled, the newly enabled method's
hash is added to the user's shadow password file the next time the user authenticates
for a service that can use a clear text password, such as a login window or AFP.
Alternatively, you can reset the user's password to add the newly enabled method's
hash. The user can reset the password, or a directory administrator can do it.

Disabling an authentication method makes the shadow password more secure if a
malicious user gains physical access to a server's shadow password files or to media
containing a backup of the shadow password files. Someone who gains access to the
password files can try to crack a user's password by attacking the hash or recoverable
text stored by any authentication method. Nothing is stored by a disabled
authentication method, leaving one less avenue of attack open to a cracker who has
physical access to a server's shadow password files or a backup of them.

Hashes stored by some authentication methods are easier to crack than others.
With recoverable authentication methods, the original clear text password can be
reconstructed from what is stored in the file. Disabling the authentication methods
that store recoverable or weaker hashes increases shadow password file security more
than disabling methods that store stronger hashes.

If you believe a server's shadow password files and backups are secure, select all
authentication methods. If you're concerned about the physical security of the server
or its backup media, disable unused methods.

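The following is an added example, not code from the manual or from Apple, that turns the advice above into a repeatable check: given the methods enabled for a user and the services that user actually uses, it lists the methods that can be disabled (weakest storage first, so the recoverable ones come out on top) and flags any service the user still needs that would be left without a method. The method names come from this chapter; the per-method storage class and service mapping in the catalogue are the example's own assumptions and should be checked against the server's documentation before being acted on.

```python
"""Audit which shadow-password authentication methods a user still needs."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Storage classes ranked weakest first. Disabling a method in a weaker class
# removes more value for an attacker who copies the shadow password files.
STORAGE_RANK = {"recoverable": 0, "unsalted-hash": 1, "salted-hash": 2}


@dataclass(frozen=True)
class Method:
    name: str            # method name as shown in the admin tools
    storage: str         # one of the STORAGE_RANK keys
    services: frozenset  # services whose clients authenticate with this method


# Hypothetical catalogue for the example. The method names appear in the
# chapter; the storage class and service columns are assumptions.
CATALOGUE: Dict[str, Method] = {m.name: m for m in [
    Method("APOP", "recoverable", frozenset({"mail"})),
    Method("CRAM-MD5", "recoverable", frozenset({"mail"})),
    Method("WebDAV-Digest", "unsalted-hash", frozenset({"web"})),
    Method("LAN Manager", "unsalted-hash", frozenset({"smb"})),
    Method("NTLMv1", "unsalted-hash", frozenset({"smb"})),
    Method("NTLMv2", "unsalted-hash", frozenset({"smb"})),
    Method("DHX", "salted-hash", frozenset({"afp", "login"})),
]}


def audit(enabled: Iterable[str], services_used: Set[str]) -> Dict[str, List[str]]:
    """Return which enabled methods to disable, which to keep, and which
    services in use would have no remaining method (a lock-out risk)."""
    disable: List[Method] = []
    keep: List[Method] = []
    for name in enabled:
        try:
            method = CATALOGUE[name]
        except KeyError:
            raise ValueError(f"unknown authentication method: {name!r}") from None
        # A method is only worth keeping if some service the user uses needs it.
        (keep if method.services & services_used else disable).append(method)

    # Weakest storage first: these are the disables that buy the most.
    disable.sort(key=lambda m: STORAGE_RANK[m.storage])

    covered: Set[str] = set()
    for method in keep:
        covered |= method.services
    uncovered = sorted(services_used - covered)

    return {
        "disable": [m.name for m in disable],
        "keep": [m.name for m in keep],
        "uncovered_services": uncovered,
    }


if __name__ == "__main__":
    # Constructed sample: a user who only uses file services (AFP and SMB).
    report = audit(CATALOGUE.keys(), {"afp", "smb"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the sample reports APOP and CRAM-MD5 first (recoverable), then WebDAV-Digest, as candidates to disable for a file-services-only user, while the SMB and AFP methods stay. An empty `uncovered_services` list is the check worth watching: if a service the user relies on appears there, disabling the listed methods would either lock the user out or push the client toward sending the password in clear text, which is the trade-off the note below warns about.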
Note: Disabling authentication methods does not increase the security of passwords
while they are transmitted over the network. Only password storage security is
affected. Disabling some authentication methods might require clients to configure
their software to send passwords over the network in clear text, thereby compromising
password security in a different way.