Ok to switch from Crypt to Shadow Password?
Hello all --
I am happily running Leopard Server and installing MacPorts 1.6.0. Some of the ports install users in the local directory domain (with Leopard, Apple has officially done away with NetInfo, by the way). There is an option using Workgroup Manager -- a GUI tool only bundled by Apple with Mac OS X Server -- to change the password type of local directory domain users (for example, the user "ldap" installed by MacPorts as part of the openldap port) from crypt to Shadow Password. Has anyone ever tried this and if so are there any reasons not to switch from crypt to Shadow Password?
Thanks,
-T.M.
Let's ask a different question: What are you trying to achieve?
- Jordan
On 1/1/08, Jordan K. Hubbard <jkh@apple.com> wrote:
Let's ask a different question: What are you trying to achieve?
- Jordan
Hi Jordan,
You raise a good question, about what I am trying to achieve. My concern is that, after reading Apple's Mac OS X Server Leopard documentation, it strikes me that crypt passwords are less secure compared to other options such as Shadow Passwords, as I quote the Leopard Server OpenDirectory documentation (PDF):
User accounts not used on computers that require a crypt password should have an Open Directory password or a shadow password. A crypt password is required only for logging in to a computer with Mac OS X v10.1 or earlier and on computers with some types of UNIX.
A crypt password is stored as an encrypted value, or hash, in the user account record in the directory domain. Because the crypt password can be recovered from the directory domain, it is subject to offline attack and is less secure than other password types.
Maybe I am misinterpreting, but it strikes me that Apple is recommending that, if possible, a crypt password should be last on the list of password type choices.
Thanks,
T.M.
I see your confusion. The documentation only mentions Crypt passwords as an old-style way of leaving passwords around if you need interoperability with 10.0 or 10.1 machines. By default, you're already using a shadow password and have been for quite a few releases now.
- Jordan
Jordan, appreciate the further clarity. Quick question then (just to make sure I'm ultra clear) -- even if a MacPort installs a new entry in the local directory domain with a "Crypt Password" type, what you're saying is that in reality, under Leopard Server (and the past few versions of Mac OS X Server) this password is a Shadow Password disguised to the system as a Crypt Password? I ask because using Workgroup Manager on Leopard Server, I can select the user that was installed by the MacPort (for example, take the openldap MacPort which installs a local directory domain entry with the username "ldap", UID "500" and a User Password Type of "Crypt Password") and I can select the pop-up menu with the "Crypt Password" selection and change the type to either "Shadow Password" or "OpenDirectory" (because I am also running an OpenDirectory Master on the same machine). I appreciate the insight as this is actually quite interesting!
Thanks,
T.M.
I'm not sure how MacPorts installs user records on Leopard (I've never looked). Presumably, it just drops a plist file into /var/db/dslocal/nodes/Default/users since that's all you need to do in Leopard. The contents of that plist file, however, can specify a number of different password types - "it all depends" is about the best answer I can give you there. You should look at the authentication_authority array in the user plists you're wondering about and verify that they're doing whatever it is you want them to do (this is an array value, so there are multiple options here). I'd be surprised if MacPorts was using some obsolete password types, but you never know I guess.
- Jordan
It looks like MacPorts uses dscl to create users and groups, on all versions of Mac OS X. See src/port1.0/portutil.tcl.

    proc adduser {name args} {
        global os.platform
        # defaults: locked password ("*"), next free UID, group "nogroup", no home, no shell
        set passwd {*}
        set uid [nextuid]
        set gid [existsgroup nogroup]
        set realname ${name}
        set home /dev/null
        set shell /dev/null

        # optional key=value arguments override the defaults above
        foreach arg $args {
            if {[regexp {([a-z]*)=(.*)} $arg match key val]} {
                regsub -all " " ${val} "\\ " val
                set $key $val
            }
        }

        # do nothing if the name or the UID is already taken
        if {[existsuser ${name}] != 0 || [existsuser ${uid}] != 0} {
            return
        }

        if {${os.platform} eq "darwin"} {
            exec dscl . -create /Users/${name} Password ${passwd}
            exec dscl . -create /Users/${name} UniqueID ${uid}
            exec dscl . -create /Users/${name} PrimaryGroupID ${gid}
            exec dscl . -create /Users/${name} RealName ${realname}
            exec dscl . -create /Users/${name} NFSHomeDirectory ${home}
            exec dscl . -create /Users/${name} UserShell ${shell}
        } else {
            # XXX adduser is only available for darwin, add more support here
            ui_warn "WARNING: adduser is not implemented on ${os.platform}."
            ui_warn "The requested user was not created."
        }
    }
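Jordan's suggestion of checking the authentication_authority array in the dslocal user plists, together with the adduser proc above, as an added audit example that is not part of this thread or of MacPorts: it parses constructed records in the dslocal plist shape, names the password type behind each authority tag (";basic;" is the crypt authority, ";ShadowHash;" the shadow one, ";ApplePasswordServer;" Open Directory), and flags only records whose own password field actually holds a crypt hash, because the "*" that adduser stores can never equal any crypt(3) output. The user names, hashes and Kerberos principal are made up.

```python
import plistlib

# Constructed sample records in the shape of a dslocal user plist
# (/var/db/dslocal/nodes/Default/users/<name>.plist); dslocal stores every
# attribute as a list. The hashes and the Kerberos principal are made up.
SAMPLE_PLISTS = {
    # MacPorts-style record: crypt authority, but the "*" adduser stores can
    # never equal any crypt(3) output, so there is nothing to crack offline
    "ldap": plistlib.dumps({"name": ["ldap"], "uid": ["500"], "password": ["*"],
                            "authentication_authority": [";basic;"]}),
    # shadow-hash account: hash kept outside the record, "********" is a placeholder
    "alice": plistlib.dumps({"name": ["alice"], "uid": ["501"], "password": ["********"],
                             "authentication_authority": [";ShadowHash;",
                                 ";Kerberosv5;;alice@LKDC:SHA1.FAKE;LKDC:SHA1.FAKE"]}),
    # the case Apple warns about: a DES crypt hash readable straight out of the record
    "bob": plistlib.dumps({"name": ["bob"], "uid": ["502"], "password": ["abJnggxhB/yWI"],
                           "authentication_authority": [";basic;"]}),
}

# leading tag of an authentication_authority entry -> name Workgroup Manager shows
AUTHORITY_TAGS = {"basic": "Crypt Password", "ShadowHash": "Shadow Password",
                  "ApplePasswordServer": "Open Directory", "Kerberosv5": "Kerberos"}

def password_types(plist_bytes):
    """Return the password types listed in a record's authentication_authority array."""
    record = plistlib.loads(plist_bytes)
    types = []
    for entry in record.get("authentication_authority", []):
        tag = entry.split(";")[1] if entry.startswith(";") else entry
        types.append(AUTHORITY_TAGS.get(tag, "unknown:" + tag))
    return types

def crypt_hash_exposed(plist_bytes):
    """True if the record itself carries a crypt hash that could be cracked offline."""
    record = plistlib.loads(plist_bytes)
    authorities = record.get("authentication_authority", [])
    # with no authority array at all, the legacy crypt field is what gets checked
    uses_crypt = not authorities or any(a.startswith(";basic;") for a in authorities)
    stored = record.get("password", [""])[0]
    return uses_crypt and stored not in ("", "*", "********")

def audit(plists):
    """Map user name -> (password types, exposed?) across a set of records."""
    return {name: (password_types(data), crypt_hash_exposed(data))
            for name, data in plists.items()}

if __name__ == "__main__":
    for name, (types, exposed) in audit(SAMPLE_PLISTS).items():
        print(f"{name:6} {', '.join(types):24} {'EXPOSED crypt hash' if exposed else 'ok'}")
```

On a real Leopard host the bytes would come from the root-readable plist under /var/db/dslocal/nodes/Default/users, or `dscl . -read /Users/<name> AuthenticationAuthority` shows the same array without touching the file.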
On 1/1/08, Ryan Schmidt <ryandesign@macports.org> wrote:
exec dscl . -create /Users/${name} Password ${passwd}
I just checked the man page for dscl on Leopard Server (sorry, I don't have a copy of Leopard (non-Server) but it's probably the same). It strikes me that dscl is just fine (it would be a major hassle to change MacPorts ports) and it should be left up to the system administrator who takes responsibility for installing and maintaining MacPorts on a Mac OS X / Mac OS X Server system to decide what to do with passwords after the installation by MacPorts:
passwd
Usage: passwd user_path [new_pasword | old_password new_pasword]
Changes a password for a user. The user must be specified by full path, not just a username. If you are authenticated to the node (either by specifying the -u and -P flags or by using the auth command when in interactive node) then you can simply specify a new password. If you are not authenticated then the user's old password must be specified. If passwords are not specified while in interactive mode, you will be prompted for them.
Thanks for touching on this subject,
T.M.