Ok to switch from Crypt to Shadow Password?
Tabitha McNerney
tabithamc at gmail.com
Tue Jan 1 20:47:41 PST 2008
On 1/1/08, Ryan Schmidt <ryandesign at macports.org> wrote:
>
>
> On Jan 1, 2008, at 22:32, Jordan K. Hubbard wrote:
>
> > On Jan 1, 2008, at 8:01 PM, Tabitha McNerney wrote:
> >
> >> Jordan, appreciate the further clarity. Quick question then (just
> >> to make sure I'm ultra clear) -- even if a MacPort installs a new
> >> entry in the local directory domain with a "Crypt Password" type,
> >> what you're saying is that in reality, under Leopard Server (and
> >> the past few versions of Mac OS X Server) this password is a
> >> Shadow Password disguised to the system as a Crypt Password? I ask
> >> because using Workgroup Manager on Leopard Server, I can select
> >> the user that was installed by the MacPort (for example, take the
> >> openldap MacPort which installs a local directory domain entry
> >> with the username "ldap", UID "500" and a User Password Type of
> >> "Crypt Password" and I can select the pop-up menu with the "Crypt
> >> Password" selection and change the type to either "Shadow
> >> Password" or "OpenDirectory" because I am also running an
> >> OpenDirectory Master on the same machine).
> >
> > I'm not sure how MacPorts installs user records on Leopard (I've
> > never looked). Presumably, it just drops a plist file into /var/db/
> > dslocal/nodes/Default/users since that's all you need to do in
> > Leopard. The contents of that plist file, however, can specify a
> > number of different password types - "it all depends" is about the
> > best answer I can give you there. You should look at the
> > authentication_authority array in the user plists you're wondering
> > about and verify that they're doing whatever it is you want them to
> > do (this is an array value, so there are multiple options here).
> > I'd be surprised if MacPorts was using some obsolete password
> > types, but you never know I guess.
>
> It looks like MacPorts uses dscl to create users and groups, on all
> versions of Mac OS X. See src/port1.0/portutil.tcl.
>
> proc adduser {name args} {
>     global os.platform
>     set passwd {*}
>     set uid [nextuid]
>     set gid [existsgroup nogroup]
>     set realname ${name}
>     set home /dev/null
>     set shell /dev/null
>
>     foreach arg $args {
>         if {[regexp {([a-z]*)=(.*)} $arg match key val]} {
>             regsub -all " " ${val} "\\ " val
>             set $key $val
>         }
>     }
>
>     if {[existsuser ${name}] != 0 || [existsuser ${uid}] != 0} {
>         return
>     }
>
>     if {${os.platform} eq "darwin"} {
>         exec dscl . -create /Users/${name} Password ${passwd}
I just checked the man page for dscl on Leopard Server (sorry I don't have a
copy of Leopard (non-Server) but it's probably the same). It strikes me that
dscl is just fine (it would be a major hassle to change MacPorts ports) and
it should be left up to the system administrator who takes responsibility
for installing and maintaining MacPorts on a Mac OS X / Mac OS X Server
system to decide what to do with passwords after the installation by
MacPorts:
passwd
> Usage: passwd user_path [new_pasword | old_password new_pasword]
>
> Changes a password for a user. The user must be specified by full
> path, not just a username. If you are authenticated to the node (either by
> specifying the -u
> and -P flags or by using the auth command when in interactive node)
> then you can simply specify a new password. If you are not authenticated
> then the user's old
> password must be specified. If passwords are not specified while in
> interactive mode, you will be prompted for them.
>
Thanks for touching on this subject,
T.M.
>         exec dscl . -create /Users/${name} UniqueID ${uid}
>         exec dscl . -create /Users/${name} PrimaryGroupID ${gid}
>         exec dscl . -create /Users/${name} RealName ${realname}
>         exec dscl . -create /Users/${name} NFSHomeDirectory ${home}
>         exec dscl . -create /Users/${name} UserShell ${shell}
>     } else {
>         # XXX adduser is only available for darwin, add more support here
>         ui_warn "WARNING: adduser is not implemented on ${os.platform}."
>         ui_warn "The requested user was not created."
>     }
> }
>
>
>
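The check suggested in the thread (look at the account's authentication authority and its Password attribute), as an added example that is not part of the original messages or of MacPorts. The function name, the output labels and the sample records are constructed for illustration; it assumes the text format printed by `dscl . -read` and that a record with no authority falls back to treating Password as a crypt hash.

```shell
#!/bin/sh
# Classify a local account's password type from the text printed by
#   dscl . -read /Users/<name> AuthenticationAuthority Password
# The record is read on stdin, so the logic can be exercised offline.
classify_password_type() {
    record=$(cat)
    # AuthenticationAuthority is multi-valued: values follow the key on the
    # same line or on indented continuation lines.
    authority=$(printf '%s\n' "$record" | awk '
        /^AuthenticationAuthority:/ { on = 1; sub(/^AuthenticationAuthority:/, ""); print; next }
        on && /^[ \t]/ { print; next }
        { on = 0 }')
    password=$(printf '%s\n' "$record" | sed -n 's/^Password: *//p')

    case "$authority" in
        *";ShadowHash;"*)          echo "shadow" ;;
        *";ApplePasswordServer;"*) echo "opendirectory" ;;
        *";basic;"*)               echo "crypt" ;;
        *)
            # Assumption: with no authority recorded, the Password attribute
            # is used as a crypt hash. "*" is not a valid hash, so no
            # password can match and the account cannot log in.
            case "$password" in
                "*") echo "login-disabled" ;;
                "")  echo "unknown" ;;
                *)   echo "crypt" ;;
            esac ;;
    esac
}

# Constructed sample records (not captured from a real system).
# An account created the way adduser does it: Password "*", no authority.
SAMPLE_PORT_USER='No such key: AuthenticationAuthority
Password: *'
# An account after switching to a shadow password.
SAMPLE_SHADOW_USER='AuthenticationAuthority: ;ShadowHash;
Password: ********'
# Multi-line form, as printed for an Open Directory account.
SAMPLE_OD_USER='AuthenticationAuthority:
 ;ApplePasswordServer;CONSTRUCTED-ID
Password: ********'

# On a Mac: dscl . -read /Users/ldap AuthenticationAuthority Password 2>&1 | classify_password_type
```
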