
Contrasting password validation options – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Page 195


Users and Groups


Contrasting Password Validation Options

Here are the pros and cons of the options for validating a user’s password:

• Storing a password in the user’s account. This approach, referred to as the “basic” password validation strategy, is the default. It is the simplest and fastest strategy, since it does not depend on any other infrastructure for password validation, and it is the strategy most compatible with software that reads user records directly, such as legacy UNIX software. It supports login window on Mac OS X computers running version 10.1 and earlier. Basic validation also supports users configured to use Authentication Manager on Mac OS X Server version 10.1 and later. (See “Using Authentication Manager” on page 197 for more information.)

For users not authenticated using Authentication Manager, the basic strategy validates only the first 8 characters of a password. A longer password can be set, but the characters after the eighth are ignored during validation, so any two passwords that share the same first 8 characters are accepted interchangeably. Authentication Manager supports longer passwords for some authentication methods, such as 128-character passwords for SMB-NT.

When integrating with existing directory systems, such as LDAP and Active Directory servers, this strategy offers the greatest opportunity for Mac OS X Server and the directory server to authenticate a user against the same record.

This strategy may not support clients that require certain network-secure authentication methods (such as SMB-NT, APOP, or CRAM-MD5) when transmitting passwords to a particular service, because those methods need the server to hold the password in a form from which it can compute a challenge response, which a crypt hash does not provide. Also, this strategy can make your server vulnerable to offline attacks: the password is kept in a readable form in the user record, so anyone who can read that record can copy it and test guesses against the copy without ever contacting the server. See “Consequences of Readable Passwords” on page 199 for more information about offline attacks.

See “Storing Passwords in User Accounts” on page 198 for details about this strategy.

• Using a Password Server. This strategy lets you set up user-specific password policies. You can require a user to change his or her password periodically, or to use only passwords having at least a minimum number of characters. Password Server supports passwords longer than 8 characters. Password Server never allows passwords to be read; they can only be set and verified, so every guess must go through the server itself, which makes this strategy less vulnerable to offline password attacks.

The Password Server supports clients that provide clear-text passwords (such as AFP and
login window) as well as network-secure authentication methods that protect the privacy
of a password during transmission. It is the preferred strategy if your network will serve
Windows clients.

Password Server passwords can’t be used by login window on computers running
Mac OS X version 10.1 or earlier. In addition, this strategy relies on the availability of a
Password Server on a Mac OS X Server; if the Password Server goes down, password
validation cannot occur. Also, you must ensure that physical access to the server on which
Password Server resides is controlled.
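The two strategies contrasted above, as an added example that is not code from the Apple manual or from Mac OS X Server: it models a “basic” record (readable hash, 8-character truncation, offline-attackable) beside a minimal Password Server (set/verify only, full-length passwords, per-user minimum length and expiry). It assumes a salted SHA-256 stand-in for the DES-based crypt(3) the basic strategy actually uses, and the policy values and sample passwords are constructed for illustration.

```python
from __future__ import annotations

# Added example, not the manual's own code. Models the two password validation
# strategies contrasted on this page so their differences can be exercised:
#   - "basic": a readable, crypt-style hash in the user record, validated on
#     the first 8 characters only, attackable offline by anyone who reads it;
#   - "Password Server": set/verify only, full-length passwords, per-user policy.
# Assumption: DES crypt(3) is replaced by a salted SHA-256 stand-in, and the
# policy values (minimum length, maximum age) are illustrative, not Apple's.
import hashlib
import os
import time

BASIC_MAX_LEN = 8  # manual: only the first 8 characters are validated


def _digest(salt: bytes, password: str) -> str:
    """Stand-in for crypt(3); real basic validation is DES-based, this is not."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# ---- Strategy 1: password stored in the user record ------------------------
def basic_store(password: str) -> dict:
    """Build the readable record field a directory would hold for this user."""
    salt = os.urandom(2)
    return {"salt": salt, "hash": _digest(salt, password[:BASIC_MAX_LEN])}


def basic_verify(record: dict, password: str) -> bool:
    """Validate against the stored hash; characters past the 8th are ignored."""
    return record["hash"] == _digest(record["salt"], password[:BASIC_MAX_LEN])


def offline_dictionary_attack(record: dict, wordlist) -> str | None:
    """Anyone who can read the record can test guesses without asking the server."""
    for guess in wordlist:
        if basic_verify(record, guess):
            return guess
    return None


# ---- Strategy 2: Password Server -------------------------------------------
class PasswordServer:
    """Passwords can be set and verified, never read back; policy is per user."""

    def __init__(self, min_length: int = 8, max_age_days: int = 90) -> None:
        self.min_length = min_length
        self.max_age = max_age_days * 86400
        self._entries: dict[str, tuple[bytes, str, float]] = {}  # no getter exists

    def set_password(self, user: str, password: str, now: float | None = None) -> None:
        if len(password) < self.min_length:
            raise ValueError(f"policy: password must be at least {self.min_length} characters")
        salt = os.urandom(16)
        when = time.time() if now is None else now
        self._entries[user] = (salt, _digest(salt, password), when)

    def verify(self, user: str, password: str) -> bool:
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, stored, _ = entry
        return stored == _digest(salt, password)  # full length, no truncation

    def must_change(self, user: str, now: float | None = None) -> bool:
        entry = self._entries.get(user)
        if entry is None:
            return False
        when = time.time() if now is None else now
        return when - entry[2] > self.max_age


def demo() -> dict:
    """Run both strategies on one constructed password and report what happened."""
    pw = "correct-horse-battery"  # constructed sample, 21 characters
    record = basic_store(pw)
    server = PasswordServer(min_length=12)
    server.set_password("alice", pw, now=0.0)
    wordlist = ["hunter2", "correct-", "password"]  # constructed wordlist
    return {
        "basic_accepts_prefix_only": basic_verify(record, pw[:8]),
        "basic_accepts_wrong_tail": basic_verify(record, pw[:8] + "XXXX"),
        "basic_cracked_offline": offline_dictionary_attack(record, wordlist),
        "server_accepts_prefix_only": server.verify("alice", pw[:8]),
        "server_accepts_full": server.verify("alice", pw),
        "server_forces_change_after_91_days": server.must_change("alice", now=91 * 86400.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the practical difference: under the basic strategy the 8-character prefix, and any string sharing it, validates, and a copied record falls to a three-word dictionary with no server involvement; the Password Server rejects the prefix, accepts only the full password, refuses to store one shorter than its policy allows, and flags the account for a change once the password exceeds its maximum age.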

LL0395.Book Page 195 Wednesday, November 20, 2002 11:44 AM