Ok to switch from Crypt to Shadow Password?

Tabitha McNerney tabithamc at gmail.com
Tue Jan 1 15:09:10 PST 2008


On 1/1/08, Jordan K. Hubbard <jkh at apple.com> wrote:
>
> Let's ask a different question:  What are you trying to achieve?
>
> - Jordan


Hi Jordan,

You raise a good question, about what I am trying to achieve. My concern is
that, after reading Apple's Mac OS X Server Leopard documentation, it
strikes me that crypt passwords are less secure compared to other options
such as Shadow Passwords, as I quote the Leopard Server OpenDirectory
documentation (PDF):

> User accounts not used on computers that require a crypt password should have an
> Open Directory password or a shadow password. A crypt password is required only for
> logging in to a computer with Mac OS X v10.1 or earlier and on computers with some
> types of UNIX.
>
> A crypt password is stored as an encrypted value, or hash, in the user account record in
> the directory domain. Because the crypt password can be recovered from the directory
> domain, it is subject to offline attack and is less secure than other password types.

Maybe I am misinterpreting, but it strikes me that Apple is recommending
that, if possible, a crypt password should be last on the list of password
type choices.

Thanks,

T.M.

> On Jan 1, 2008, at 2:04 AM, Tabitha McNerney wrote:
>
> > Hello all --
> >
> > I am happily running Leopard Server and installing MacPorts 1.6.0.
> > Some of the ports install users in the local directory domain (with
> > Leopard Apple has officially done away with NetInfo by the way).
> > There is an option using Workgroup Manager -- a GUI tool only
> > bundled by Apple with Mac OS X Server, to change the password type
> > of local directory domain users (for example, the user "ldap"
> > installed by MacPorts as part of the openldap port) from crypt to
> > Shadow Password. Has anyone ever tried this and if so are there any
> > reasons not to switch from crypt to Shadow Password?
> >
> > Thanks,
> >
> > -T.M.