
40 Chapter 3 User Authentication With Open Directory
A shadow password is stored as several hashes in a file on the same computer as the
directory domain where the user account resides. Because the hashes are not kept in the
user account record itself, they are not easy to capture over the network (a crypt
password hash, by contrast, lives in the account record and is exposed whenever that
record is read). Each user's shadow password is stored in a separate file, called a shadow
password file, and these files are protected so that only the root user account can read
them. Only user accounts that are stored in a computer's local directory can have a
shadow password; user accounts that are stored in a shared directory cannot.
A shadow password's primary hash function is SHA-1. In addition, NT and LAN Manager
hashes are stored in the shadow password file for backward compatibility with
Windows SMB file and print services. The NT and LAN Manager hashes can be used for
Windows personal file sharing from a Mac OS X computer and to authenticate Windows
file and print services provided by Mac OS X Server. Both of these hashes are computed
directly from the password without a salt, so the root-only protection of the shadow
password file is what stands between them and offline guessing.
Shadow passwords also provide cached authentication for mobile user accounts.
Shadow and crypt passwords do not support all services. Some services require
authentication methods that only an Open Directory (Password Server) password supports,
such as APOP, CRAM-MD5, Digest-MD5, MS-CHAPv2, and WebDAV-Digest; these challenge-
response methods cannot be answered from a stored crypt or SHA-1 hash. For secure
transmission of passwords over a network, crypt supports the DHX authentication method.
Shadow additionally supports NT and LAN Manager for network-secure authentication.
Crypt authentication supports a maximum password length of eight bytes (eight ASCII
characters). If a longer password is entered in a user account, only the first eight
bytes are used for crypt password validation; the remainder is silently ignored, so any
two passwords that agree in their first eight bytes validate identically, and a long
password is no stronger than its first eight characters.
The eight-character limit does not apply to a shadow password. With a shadow
password, the first 128 characters are used for NT authentication, and the first 14
characters are used for LAN Manager authentication. LAN Manager also converts the
password to uppercase before hashing and hashes each 7-character half independently,
so case is lost, the second half of a password of seven characters or fewer hashes to a
fixed, recognizable value, and each half can be attacked on its own.
Encrypting Shadow and Crypt Passwords in User Accounts
Shadow and crypt passwords are not stored in clear text; what is stored is the output of
a one-way hash function, from which the password cannot be read. Strictly, this is
hashing rather than encryption: there is no key and nothing to decrypt.
Crypt hashes a password by feeding the clear-text password along with a random value,
the salt, to a one-way hash function, and stores the salt next to the result so the
computation can be repeated later. The salt ensures that two users with the same
password get different stored values and defeats precomputed tables of hashes; the NT
and LAN Manager hashes in a shadow password file take no salt. A one-way hash function
always generates the same output from the same input (password and salt, where a salt
is used), but cannot be used to recreate the original password from the output it
generates.
To validate a password, Mac OS X applies the same function (with the stored salt, where
one is used) to the password entered by the user and compares the result with the value
stored in the user account or shadow password file. If the values match, the password is
considered valid. Because the check only ever recomputes hashes, anyone who obtains the
stored values cannot read the passwords directly but can test guesses offline as fast as
the hash function runs, which is why the shadow password files are readable only by root.
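The following Go program is an added example, not code from Apple's guide or from Open Directory itself. It computes the two Windows-compatibility hashes that a shadow password file carries (NT and LAN Manager), applies the length limits stated above (128 characters for NT, 14 for LAN Manager) and performs the recompute-and-compare check this section describes. It goes slightly beyond the text by making the LAN Manager weaknesses visible: the hash is case-insensitive, and a password of seven characters or fewer leaves its second half as a constant. MD4 is implemented inline because Go's standard library has no MD4. Assumptions: passwords are ASCII for the LAN Manager uppercasing (the page says nothing about code pages), and the SHA-1 primary hash and any salting the real file uses are not reproduced.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320; it is here only because NTHash needs it and Go's stdlib lacks MD4.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // padding: 0x80, zeros, 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	f := func(p, q, r uint32) uint32 { return (p & q) | (^p & r) }
	g := func(p, q, r uint32) uint32 { return (p & q) | (p & r) | (q & r) }
	h := func(p, q, r uint32) uint32 { return p ^ q ^ r }
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i += 4 { // round 1: words 0..15 in order
			a = bits.RotateLeft32(a+f(b, c, d)+x[i], 3)
			d = bits.RotateLeft32(d+f(a, b, c)+x[i+1], 7)
			c = bits.RotateLeft32(c+f(d, a, b)+x[i+2], 11)
			b = bits.RotateLeft32(b+f(c, d, a)+x[i+3], 19)
		}
		for i := 0; i < 4; i++ { // round 2: words i, i+4, i+8, i+12
			a = bits.RotateLeft32(a+g(b, c, d)+x[i]+0x5a827999, 3)
			d = bits.RotateLeft32(d+g(a, b, c)+x[i+4]+0x5a827999, 5)
			c = bits.RotateLeft32(c+g(d, a, b)+x[i+8]+0x5a827999, 9)
			b = bits.RotateLeft32(b+g(c, d, a)+x[i+12]+0x5a827999, 13)
		}
		for _, i := range [...]int{0, 2, 1, 3} { // round 3: words i, i+8, i+4, i+12
			a = bits.RotateLeft32(a+h(b, c, d)+x[i]+0x6ed9eba1, 3)
			d = bits.RotateLeft32(d+h(a, b, c)+x[i+8]+0x6ed9eba1, 9)
			c = bits.RotateLeft32(c+h(d, a, b)+x[i+4]+0x6ed9eba1, 11)
			b = bits.RotateLeft32(b+h(c, d, a)+x[i+12]+0x6ed9eba1, 15)
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [...]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is MD4 over the UTF-16LE encoding of the first 128 characters. No salt is involved.
func NTHash(password string) string {
	runes := []rune(password)
	if len(runes) > 128 {
		runes = runes[:128]
	}
	var buf []byte
	for _, u := range utf16.Encode(runes) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	sum := md4(buf)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// desKey spreads 7 key bytes over 8 DES key bytes; the low bit of each is DES parity, which the key schedule ignores.
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// LMHash uppercases (ASCII assumed), keeps the first 14 bytes null-padded, and DES-encrypts "KGS!@#$%" under each 7-byte half.
func LMHash(password string) string {
	var key [14]byte
	copy(key[:], strings.ToUpper(password)) // copy stops after 14 bytes: silent truncation
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{key[:7], key[7:]} {
		block, _ := des.NewCipher(desKey(half)) // an 8-byte key never fails
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%"))
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// VerifyNT is the check the page describes: hash the candidate the same way and compare; nothing is ever decrypted.
func VerifyNT(storedHex, candidate string) bool {
	return subtle.ConstantTimeCompare([]byte(NTHash(candidate)), []byte(storedHex)) == 1
}

func main() {
	for _, p := range []string{"password", "Password", "correcthorsebatterystaple"} { // constructed sample passwords
		fmt.Printf("%-26s LM=%s NT=%s\n", p, LMHash(p), NTHash(p))
	}
}
```

Running it shows "password" and "Password" sharing one LM hash while their NT hashes differ, and the 25-character password producing the same LM hash as its first 14 characters; the constant-time comparison in VerifyNT is the one detail a careless reimplementation of the recompute-and-compare check tends to get wrong.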
LL2352.Book Page 40 Friday, August 22, 2003 3:12 PM