
Password server authentication methods – Apple Mac OS X Server (version 10.2.3 or later) User Manual


Directory Services

Password Server Authentication Methods

A Password Server supports many different methods of authenticating users for login and
other network services, including CRAM-MD5, APOP, SMB-NT, SMB-LAN Manager, DHX, and
Digest-MD5. A Password Server is able to support a wide range of authentication methods
because it is based on the Simple Authentication and Security Layer (SASL) standard.

One reason Password Server supports many different authentication methods is that each
service that requires authentication uses some authentication methods but not others. File
service uses one set of authentication methods, Web service uses another set of methods,
mail service uses another set, and so on.

Some authentication methods are more secure than others. The more secure methods never send
the password itself across the network: the client proves that it knows the password by
answering a fresh challenge issued by the server, so a captured exchange cannot simply be
decoded or replayed. The more secure authentication methods also store passwords on the server
in a form that can't be recovered, even by someone who obtains the password database.

You can enable or disable some authentication methods individually when you set up a
Password Server. Other authentication methods are always enabled.

The goal of your authentication settings should be to provide maximum convenience to
authorized users while keeping unauthorized users from gaining access to the server.

When deciding which authentication methods to enable, consider the following:

• What balance do I want between ease of access and security?

• What types of hardware and software will the server’s clients use?

• Is my server in a physically secure location?

Choosing the right authentication methods is very important. Choosing the wrong methods
can prevent authorized users from accessing the server, or even allow unauthorized access.
Basic information about each method is provided on the following pages. This information is
not a substitute for a thorough knowledge of authentication methods and how they affect
security and ease of access.

CRAM-MD5 Authentication Method

CRAM-MD5 is used by many email programs and by some LDAP software. Rather than sending the
password, the client returns a keyed hash (HMAC-MD5) of a one-time challenge issued by the
server, so the password itself never crosses the network and an eavesdropper cannot reuse a
captured response against a later challenge. To check that response, however, the server must
keep each password in a scrambled but recoverable form. A malicious user who gains access to
the server and decodes the password file may therefore be able to obtain passwords, although
doing this would be very difficult. If CRAM-MD5 is disabled, some e-mail programs fall back to
transmitting passwords over the network in plain text (at most base64-encoded, which is not
encryption), which is a significant security risk. If you use your server for SMTP or IMAP
e-mail, you should probably enable CRAM-MD5.
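The following is an added example, not code from the Apple manual or from Password Server, that walks through a complete CRAM-MD5 exchange (RFC 2195) with both sides' messages: the server issues a challenge, the client answers with an HMAC-MD5 keyed by the password, and the server recomputes the digest from its stored copy of the password to verify it. It also shows the plain-text fallback the paragraph warns about, so you can see that the password is readable on the wire in that case. The user name, password, host name and the in-memory password store are constructed for the example; the store holds the password in recoverable form because CRAM-MD5 verification requires it, which is exactly the server-side exposure the text describes.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example store. CRAM-MD5 can only be verified if the server can
# recover the password (or an equivalent secret), so a one-way hash would not do.
PASSWORD_STORE = {"alice": "correct horse battery staple"}


def make_challenge(host="mail.example.com"):
    """Server step: an unpredictable one-time challenge, in the
    <nonce.timestamp@host> shape RFC 2195 uses (host is an assumption)."""
    nonce = secrets.randbits(64)
    return f"<{nonce}.{int(time.time())}@{host}>".encode()


def client_response(username, password, challenge):
    """Client step: HMAC-MD5 over the challenge, keyed by the password.
    The response carries the hex digest, not the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(response_b64, challenge, store=PASSWORD_STORE):
    """Server step: recompute the expected digest from the stored password
    and compare in constant time. Malformed or unknown-user responses fail."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return False
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_cram_md5(username, password, store=PASSWORD_STORE):
    """Drive one full exchange. Returns (accepted, bytes an eavesdropper sees)."""
    challenge = make_challenge()
    response = client_response(username, password, challenge)
    accepted = server_verify(response, challenge, store)
    on_the_wire = base64.b64encode(challenge) + b"\r\n" + response + b"\r\n"
    return accepted, on_the_wire


def plain_login_response(username, password):
    """The fallback the text warns about: SASL PLAIN (RFC 4616) is just
    base64 over NUL-separated fields, so the password is trivially recovered."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode())


def password_visible_on_wire(wire_bytes, password):
    """Eavesdropper's check: does base64-decoding the capture expose the password?"""
    try:
        return password.encode() in base64.b64decode(wire_bytes)
    except ValueError:
        return False


if __name__ == "__main__":
    ok, wire = run_cram_md5("alice", "correct horse battery staple")
    print("CRAM-MD5 accepted:", ok)
    print("CRAM-MD5 wire bytes expose password:",
          password_visible_on_wire(wire.split(b"\r\n")[1],
                                   "correct horse battery staple"))
    print("PLAIN wire bytes expose password:",
          password_visible_on_wire(plain_login_response("alice", "correct horse battery staple"),
                                   "correct horse battery staple"))
```

Two properties are worth noticing when you run it: a response computed for one challenge is rejected when presented against a different challenge, which is what defeats replay, and the server can only perform the check because `PASSWORD_STORE` holds the password itself. On a real server that store is what an attacker goes after, which is why the manual flags it as the residual risk of CRAM-MD5.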

LL0395.Book Page 65 Wednesday, November 20, 2002 11:44 AM