Using a Password Server – Apple Mac OS X Server (version 10.2.3 or later) User Manual, Chapter 3, page 200

A very effective way to thwart password guessing is to use good passwords. A password
should contain letters, numbers, and symbols in combinations that unauthorized users cannot
easily guess. Passwords should not be dictionary words. Good passwords might include digits
and symbols (such as # or $), or might be built from the first letter of each word in a
particular phrase. Use both uppercase and lowercase letters.

Using a Password Server

The Password Server stores passwords but never allows them to be read; passwords can only be
set and verified. Because stored passwords cannot be retrieved, a malicious user must attempt
to log in over the network to gain system access, and the Password Server logs each invalid
password attempt, which can alert you to such activity.

The Password Server is based on the SASL (Simple Authentication and Security Layer)
standard. This lets it support the wide range of network authentication protocols used by
clients of Mac OS X Server services, such as mail and file servers, that need to authenticate
users. Some of these protocols accommodate clients that can only send clear-text passwords or
protocol-specific hashes. Here are a few of the authentication methods that the Password
Server supports:

• CRAM-MD5
• APOP
• SMB-NT and SMB-LAN Manager (required for Windows SMB)
• DHX
• Digest-MD5 (login window and other applications)

The account of a user whose password is validated by the Password Server does not store the
user’s password. Instead, its authentication authority attribute stores a unique password ID,
assigned by the Password Server when the account was set up to use it, together with the
Password Server’s network address. To validate a password, directory services uses that
address to locate the Password Server and passes it the password ID. The Password Server uses
the password ID as the key for finding the actual password and any associated password policy.

For example, the Password Server may locate a user’s password but discover that it has
expired. If the user is logging in, the login window presents a dialog box for changing the
password. After the user provides a new password, the user can be authenticated.

The Password Server maintains a record for each user that includes

• The password ID, a 128-bit value assigned when the password is created. The value
includes a key for finding a user’s password record.

LL0395.Book Page 200 Wednesday, November 20, 2002 11:44 AM