Ok to switch from Crypt to Shadow Password?

Tabitha McNerney tabithamc at gmail.com
Tue Jan 1 20:01:26 PST 2008


On 1/1/08, Jordan K. Hubbard <jkh at apple.com> wrote:
>
> I see your confusion.  The documentation only mentions Crypt passwords as
> an old-style way of leaving passwords around if you need interoperability
> with 10.0 or 10.1 machines.  By default, you're already using a shadow
> password and have been for quite a few releases now.
>

Jordan, appreciate the further clarity. Quick question then (just to make
sure I'm ultra clear) -- even if a MacPort installs a new entry in the local
directory domain with a "Crypt Password" type, what you're saying is that in
reality, under Leopard Server (and the past few versions of Mac OS X Server)
this password is a Shadow Password disguised to the system as a Crypt
Password? I ask because using Workgroup Manager on Leopard Server, I can
select the user that was installed by the MacPort (for example, take the
openldap MacPort which installs a local directory domain entry with the
username "ldap", UID "500" and a User Password Type of "Crypt Password" and
I can select the pop-up menu with the "Crypt Password" selection and change
the type to either "Shadow Password" or "OpenDirectory" because I am also
running an OpenDirectory Master on the same machine).

I appreciate the insight as this is actually quite interesting!

Thanks,

T.M.


> - Jordan
>
> On Jan 1, 2008, at 3:09 PM, Tabitha McNerney wrote:
>
>
> On 1/1/08, Jordan K. Hubbard <jkh at apple.com> wrote:
> >
> > Let's ask a different question:  What are you trying to achieve?
> >
> > - Jordan
>
>
> Hi Jordan,
>
> You raise a good question, about what I am trying to achieve. My concern
> is that, after reading Apple's Mac OS X Server Leopard documentation, it
> strikes me that crypt passwords are less secure compared to other options
> such as Shadow Passwords, as I quote the Leopard Server OpenDirectory
> documentation (PDF):
>
> > User accounts not used on computers that require a crypt password should have an
> > Open Directory password or a shadow password. A crypt password is required only for
> > logging in to a computer with Mac OS X v10.1 or earlier and on computers with some
> > types of UNIX.
> >
> > A crypt password is stored as an encrypted value, or hash, in the user account record in
> > the directory domain. Because the crypt password can be recovered from the directory
> > domain, it is subject to offline attack and is less secure than other password types.
> >
>
> Maybe I am misinterpreting, but it strikes me that Apple is recommending
> that, if possible, a crypt password should be last on the list of password
> type choices.
>
> Thanks,
>
> T.M.
>
> On Jan 1, 2008, at 2:04 AM, Tabitha McNerney wrote:
> >
> > > Hello all --
> > >
> > > I am happily running Leopard Server and installing MacPorts 1.6.0.
> > > Some of the ports install users in the local directory domain (with
> > > Leopard Apple has officially done away with NetInfo by the way).
> > > There is an option using Workgroup Manager -- a GUI tool only
> > > bundled by Apple with Mac OS X Server, to change the password type
> > > of local directory domain users (for example, the user "ldap"
> > > installed by MacPorts as part of the openldap port) from crypt to
> > > Shadow Password. Has anyone ever tried this and if so are there any
> > > reasons not to switch from crypt to Shadow Password?
> > >
> > > Thanks,
> > >
> > > -T.M.
> > > _______________________________________________
> > > macports-users mailing list
> > > macports-users at lists.macosforge.org
> > > http://lists.macosforge.org/mailman/listinfo/macports-users
> >
> >
>
>
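
An added example, not part of the original thread: a small audit helper that sorts accounts by password type from the output of `dscl . -list /Users AuthenticationAuthority`, so accounts like the `ldap` user discussed above can be found before switching them. The function names and the sample listing are constructed for illustration, and treating an account with no `AuthenticationAuthority` value as one to review alongside crypt accounts is an assumption.

```shell
#!/bin/sh
# Added example: classify accounts by password type from the output of
#   dscl . -list /Users AuthenticationAuthority
# (one account per line: name, then the attribute value if it is set).

classify_password_types() {
    awk '
        NF == 0 { next }
        {
            name = $1; $1 = ""; auth = $0
            if      (auth ~ /;ShadowHash;/)          kind = "shadow"
            else if (auth ~ /;ApplePasswordServer;/) kind = "opendirectory"
            else if (auth ~ /;basic;/)               kind = "crypt"
            else if (auth ~ /^[ \t]*$/)              kind = "unset"   # assumption: review as crypt
            else                                     kind = "other"
            printf "%s\t%s\n", name, kind
        }'
}

# Names of accounts still worth switching or reviewing.
accounts_to_review() {
    classify_password_types | awk -F "\t" '$2 == "crypt" || $2 == "unset" { print $1 }'
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
ldap      ;basic;
admin     ;ShadowHash;HASHLIST:<SALTED-SHA1>
diradmin  ;ApplePasswordServer;<constructed-id>
_www
EOF
}

sample_listing | classify_password_types
```

On a live system, pipe the real `dscl` listing into `accounts_to_review` instead of `sample_listing`.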