Ok to switch from Crypt to Shadow Password?
Jordan K. Hubbard
jkh at apple.com
Tue Jan 1 17:39:02 PST 2008
I see your confusion. The documentation only mentions Crypt passwords
as an old-style way of leaving passwords around if you need
interoperability with 10.0 or 10.1 machines. By default, you're
already using a shadow password and have been for quite a few releases
now.
- Jordan
On Jan 1, 2008, at 3:09 PM, Tabitha McNerney wrote:
>
> On 1/1/08, Jordan K. Hubbard <jkh at apple.com> wrote:
> Let's ask a different question: What are you trying to achieve?
>
> - Jordan
>
> Hi Jordan,
>
> You raise a good question, about what I am trying to achieve. My
> concern is that, after reading Apple's Mac OS X Server Leopard
> documentation, it strikes me that crypt passwords are less secure
> compared to other options such as Shadow Passwords, as I quote the
> Leopard Server OpenDirectory documentation (PDF):
>
> User accounts not used on computers that require a crypt password
> should have an Open Directory password or a shadow password. A crypt
> password is required only for logging in to a computer with Mac OS X
> v10.1 or earlier and on computers with some types of UNIX.
>
> A crypt password is stored as an encrypted value, or hash, in the
> user account record in the directory domain. Because the crypt
> password can be recovered from the directory domain, it is subject
> to offline attack and is less secure than other password types.
>
> Maybe I am misinterpreting, but it strikes me that Apple is
> recommending that, if possible, a crypt password should be last on
> the list of password type choices.
>
> Thanks,
>
> T.M.
>
> On Jan 1, 2008, at 2:04 AM, Tabitha McNerney wrote:
>
> > Hello all --
> >
> > I am happily running Leopard Server and installing MacPorts 1.6.0.
> > Some of the ports install users in the local directory domain (with
> > Leopard Apple has officially done away with NetInfo by the way).
> > There is an option using Workgroup Manager -- a GUI tool only
> > bundled by Apple with Mac OS X Server, to change the password type
> > of local directory domain users (for example, the user "ldap"
> > installed by MacPorts as part of the openldap port) from crypt to
> > Shadow Password. Has anyone ever tried this and if so are there any
> > reasons not to switch from crypt to Shadow Password?
> >
> > Thanks,
> >
> > -T.M.
> > _______________________________________________
> > macports-users mailing list
> > macports-users at lists.macosforge.org
> > http://lists.macosforge.org/mailman/listinfo/macports-users
>
>
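An added example, not part of the original thread or Apple's documentation: a small audit that flags accounts whose password hash sits in the account record itself, which is the exposure the quoted documentation describes. It assumes the records have been exported as passwd(5)-style lines; the sample data, the function names and the marker set are constructed for illustration.

```python
import re

# 13 characters from the crypt(3) alphabet: 2-char salt + 11-char DES output.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format, e.g. $1$salt$hash.
MODULAR_CRYPT = re.compile(r"\$[0-9a-z]+\$.+")
# Assumption: markers meaning "the hash is stored elsewhere" ("x" on
# shadow-file UNIX systems, "********" for Mac OS X shadow passwords).
SHADOW_MARKERS = {"x", "********"}


def classify(field):
    """Classify the password field of one user record."""
    if field == "":
        return "empty"
    if field in SHADOW_MARKERS:
        return "shadowed"
    if field.startswith(("*", "!")):
        return "locked"
    if DES_CRYPT.fullmatch(field):
        return "crypt-des"
    if MODULAR_CRYPT.fullmatch(field):
        return "crypt-modular"
    return "unknown"


def audit(passwd_text):
    """Return (user, kind) for records that carry a hash in the record."""
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        kind = classify(parts[1])
        if kind.startswith("crypt-"):
            findings.append((parts[0], kind))
    return findings


# Constructed sample records; the 13-character value is a placeholder.
SAMPLE = """\
ldap:abCDEFGHIJKLM:389:389:OpenLDAP:/var/empty:/usr/bin/false
www:*:70:70:Web Server:/Library/WebServer:/usr/bin/false
admin:********:501:20:Admin:/Users/admin:/bin/bash
"""

if __name__ == "__main__":
    for user, kind in audit(SAMPLE):
        print(f"{user}: {kind} hash is readable from the account record")
```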