
Using a password server – Apple Mac OS X Server (Administrator’s Guide) User Manual

Page 195


Users and Groups


Using a Password Server

The Password Server stores passwords, but never allows passwords to be read. Passwords can
only be set and verified. Malicious users must log in over the network to attempt to gain
system access, and invalid password instances, logged by the Password Server, can alert you
to such attempts.

The Password Server is based on a standard known as SASL (Simple Authentication and
Security Layer). This approach helps it support a wide range of network user authentication
protocols that are used by clients of Mac OS X Server services, such as mail and file servers,
that need to authenticate users. Some of the protocols also support clients that require clear
text or unique hashes. Here are a few of the network authentication protocols that the
Password Server supports:

• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest

The account for a user whose password is validated using the Password Server does not store
the user’s password. Instead, it stores—in its authentication authority attribute—a unique
password ID, assigned by the Password Server when the account was set up to use the
Password Server. To validate a password, directory services passes the password ID to the
Password Server, which it locates using its network address, also stored in the authentication
authority attribute. The Password Server uses the password ID as a key for finding the actual
password and any associated password policy.

For example, the Password Server may locate a user’s password, but discover that it has
expired. If the user is logging in, login window presents the user with a dialog box for
changing the password. After providing a new password, the user can be authenticated.

The Password Server maintains a record for each user that includes

• The password ID, a 128-bit value assigned when the password is created. The value
includes a key for finding a user’s password record.

• The password, stored in recoverable or hashed form. The form depends on the network
authentication protocols enabled for the Password Server (using Open Directory
Assistant). If APOP or 2-Way Random is enabled, the Password Server stores a recoverable
(encrypted) password. If neither of these methods is enabled, only hashes of the
passwords are stored.
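The lookup path and storage rules described above, as an added Python model that is not Apple's code: the directory record keeps only an authentication authority attribute, the server is keyed by the 128-bit password ID, offers set and verify but no read, keeps a recoverable form only when APOP or AFP 2-Way Random is enabled, logs failed verifications and reports expiry so login window can ask for a new password. The attribute layout (tag, hex ID, server address), the host name pwserver.example and the toy keystream "encryption" of the recoverable form are stand-ins, not the real format or cipher.

```python
import hashlib, secrets

NEEDS_RECOVERABLE = {"APOP", "AFP 2-Way Random"}  # per the manual, these need a recoverable password

def kdf(password, salt):  # hashed form used when no recoverable protocol is enabled
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordServer:  # verify-only store: passwords can be set and checked, never read back
    def __init__(self, enabled_protocols, address="pwserver.example"):
        self.address = address                     # constructed address, not a real host
        self.recoverable = bool(NEEDS_RECOVERABLE & set(enabled_protocols))
        self._vault_key = secrets.token_bytes(32)  # stands in for the server's encryption key
        self._records = {}                         # 128-bit password ID -> record
        self.invalid_attempts = []                 # failed verifications, for alerting

    def _stored_form(self, pid, password):
        if self.recoverable:  # toy keystream cipher keyed per ID; stands in for real encryption
            ks = hashlib.shake_256(self._vault_key + pid).digest(len(password))
            return ("recoverable", bytes(a ^ b for a, b in zip(password.encode(), ks)))
        salt = secrets.token_bytes(16)
        return ("hashed", salt, kdf(password, salt))

    def set_password(self, pid, password, expires=None):
        """Create or replace a record; returns the ID, which is all the directory keeps."""
        pid = pid or secrets.token_bytes(16)
        self._records[pid] = {"form": self._stored_form(pid, password), "expires": expires}
        return pid

    def verify(self, pid, password, now):
        """Return 'ok', 'expired' or 'invalid'; the stored password never leaves the server."""
        rec = self._records.get(pid)
        if rec is None:
            match = False
        elif rec["form"][0] == "recoverable":
            match = secrets.compare_digest(rec["form"][1], self._stored_form(pid, password)[1])
        else:
            match = secrets.compare_digest(rec["form"][2], kdf(password, rec["form"][1]))
        if not match:
            self.invalid_attempts.append((pid.hex(), now))  # what an admin would alert on
            return "invalid"
        if rec["expires"] is not None and now > rec["expires"]:
            return "expired"  # login window would now prompt for a new password
        return "ok"

def authority_attribute(pid, server):
    """Constructed layout of the authentication authority attribute (not Apple's real format)."""
    return f"PasswordServer;{pid.hex()};{server.address}"

def directory_verify(authority, password, servers, now):  # directory services' side of the check
    _, pid_hex, address = authority.split(";")               # locate the server by its address
    return servers[address].verify(bytes.fromhex(pid_hex), password, now)
```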
