Password server database, Password server security – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Directory Services
• Mac OS 8.1–8.6 client computers that have file server volumes mount automatically
during startup should use AppleShare Client version 3.8.3.
Digest-MD5 Authentication Method
Digest-MD5 is used by the Mac OS X login window, many email programs, and some LDAP
software. With this method the client never sends the password itself over the network:
it sends an MD5 digest computed from the password and a one-time challenge (nonce)
issued by the server, so an eavesdropper sees only the challenge and the response. The
server stores the password in hashed (scrambled) form rather than as cleartext. This
gives good protection during network transmission. The stored hashes are still
sensitive, however: a malicious user who gains access to the server and copies the
password file can try to recover passwords from it offline, which is difficult but not
impossible. Digest-MD5 is always enabled.
Password Server Database
The Password Server maintains a record for each user that includes the following:
• Password ID, a 128-bit value assigned when the password is created. The value includes a
key for finding a user’s Password Services record.
• The password, stored in recoverable or hashed form. The form depends on the network
authentication methods enabled for the Password Server (using Open Directory
Assistant). If APOP is enabled, the Password Server stores a recoverable (encrypted)
password, because an APOP response is an MD5 digest of the server’s per-session
timestamp followed by the cleartext password, and the server can check it only if it
can reconstruct that cleartext. If APOP is disabled, only hashes of the passwords are
stored. Note that this is a server-wide setting: enabling APOP changes how every
user’s password is stored, not only the passwords of users who read mail with APOP.
• The user’s short name, for use in Password Server log messages viewable in Server Status.
• Password policy data.
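The following Python example, added here and not code from the Apple manual or from the Password Server itself, shows the server-side arithmetic behind the two statements above: a Digest-MD5 login (RFC 2831) can be verified from a stored hash of username:realm:password with no cleartext on the server, whereas an APOP login (RFC 1939) can only be verified by reproducing the cleartext, which is why enabling APOP forces recoverable storage. It also shows what "decoding the password file" amounts to for Digest-MD5: testing guesses against the stored hash offline. The realm, user names, URI and the `recover_password` callback are constructed for illustration and stand in for whatever the real server does.

```python
"""Digest-MD5 (RFC 2831) and APOP (RFC 1939), seen from the server's side.

Added example; not the Apple manual's or Password Server's own code. Names,
realm and digest-uri are constructed for illustration.
"""
import hashlib
import secrets


def md5_raw(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# ---- Digest-MD5: the server needs only a hash -----------------------------

def digest_md5_stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server keeps: H(username:realm:password), 16 raw bytes.
    Verifying a login needs only this value, never the cleartext password."""
    return md5_raw(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str, *, client: bool) -> str:
    """RFC 2831 response-value (client=True) or rspauth (client=False)."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = (b"AUTHENTICATE:" if client else b":") + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    kd_input = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}"
    return md5_hex(kd_input.encode("utf-8"))


def digest_md5_exchange(username, realm, password, stored_secret,
                        digest_uri="imap/mail.example.com",
                        nonce=None, cnonce=None):
    """Run both sides of a qop=auth exchange; return (accepted, rspauth).
    The client side knows the password; the server side knows only
    stored_secret (the hash from its database)."""
    nonce = nonce or secrets.token_urlsafe(12)    # chosen by the server
    cnonce = cnonce or secrets.token_urlsafe(12)  # chosen by the client
    nc, qop = "00000001", "auth"
    # client: derives HA1 from the password it was given
    client_ha1 = digest_md5_stored_secret(username, realm, password)
    response = digest_md5_response(client_ha1, nonce, cnonce, nc, qop,
                                   digest_uri, client=True)
    # server: recomputes from the stored hash only
    expected = digest_md5_response(stored_secret, nonce, cnonce, nc, qop,
                                   digest_uri, client=True)
    if not secrets.compare_digest(response, expected):
        return False, None
    rspauth = digest_md5_response(stored_secret, nonce, cnonce, nc, qop,
                                  digest_uri, client=False)
    return True, rspauth


def offline_guess(stored_secret: bytes, username: str, realm: str, candidates):
    """What someone holding a copy of the password file can do: test guesses
    against the stored hash without ever contacting the server."""
    for pw in candidates:
        if digest_md5_stored_secret(username, realm, pw) == stored_secret:
            return pw
    return None


# ---- APOP: the server needs the cleartext back ----------------------------

def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939: the client sends MD5(<timestamp>password) in lowercase hex."""
    return md5_hex((timestamp + password).encode("utf-8"))


def apop_verify(timestamp: str, client_digest: str, recover_password) -> bool:
    """The timestamp is new every session, so no precomputed hash can check the
    digest; recover_password stands in for decrypting the stored recoverable
    password (constructed callback, not a real Password Server API)."""
    expected = apop_digest(timestamp, recover_password())
    return secrets.compare_digest(expected, client_digest)
```

RFC 2831 section 4 and RFC 1939 section 7 each give a worked exchange that these functions can be checked against. Note that for Digest-MD5 the stored secret is sufficient on its own to produce a valid response, so a copy of the password file is as valuable to an attacker as the passwords themselves for this mechanism, even before any offline guessing succeeds.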
Password Server Security
The Password Server stores passwords, but its protocol never allows them to be read back:
a password can only be set or verified. A malicious user who wants to gain access to your
server must therefore try to log in over the network, and the Password Server logs every
failed attempt. Watching the log for invalid password entries, especially many of them
in a short time from one address or against one account, can alert you to such attempts.
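One way to turn that log into an alert, as an added example that is not part of the manual and not Password Server code: count failed logins per source address over a sliding window and flag sources that exceed a threshold. The page does not give the Password Server's log format, so the line layout and the sample lines below are constructed; adapt the regular expression to what Server Status actually shows.

```python
"""Flag bursts of failed logins in Password Server log output.

Added example, not from the Apple manual or Password Server. The log format
and SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, result, short name, client address.
SAMPLE_LOG = """\
2002-11-20 11:40:01 AUTH FAIL user=jsmith from=10.0.0.77
2002-11-20 11:40:03 AUTH FAIL user=jsmith from=10.0.0.77
2002-11-20 11:40:04 AUTH FAIL user=jsmith from=10.0.0.77
2002-11-20 11:40:06 AUTH FAIL user=admin from=10.0.0.77
2002-11-20 11:40:08 AUTH FAIL user=admin from=10.0.0.77
2002-11-20 11:41:10 AUTH OK user=jsmith from=10.0.0.12
2002-11-20 11:55:00 AUTH FAIL user=mlee from=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, source) per well-formed line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def failure_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source: total_failures} for every source that produced at least
    `threshold` failures inside any `window`-long span. Keyed by source rather
    than by user so that spraying one guess across many accounts still shows."""
    by_src = defaultdict(list)
    for ts, result, _user, src in parse(log_text):
        if result == "FAIL":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it fits
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, count in failure_bursts(SAMPLE_LOG).items():
        print(f"possible password guessing from {src}: {count} failures")
```

With the sample above, 10.0.0.77 is flagged (five failures in seven seconds, across two accounts) while the single failure from 10.0.0.12 is not. Pair a rule like this with the firewall restriction described below so that only hosts that should be authenticating can generate these entries in the first place.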
Using a Password Server offers flexible and secure password validation, but you need to make
sure that the server on which a Password Server runs is secure:
• Since the load on a Password Server is not particularly high, you can have several (or even
all) of your Open Directory server domains share a single Password Server. Fewer Password
Servers means fewer computers holding password material that you have to protect.
• Set up the IP firewall service so that only the Password Server’s own port, TCP 106, is
accepted, and only from the hosts or networks that need to authenticate against it; reject
everything else.
• Make sure that the Password Server’s computer is located in a physically secure location,
and don’t connect a keyboard or monitor to it.
• Equip the server with an uninterruptible power supply.
• If possible, set up a Password Server on a server that is not used for any other activity.
This deployment is optimal but not required.
LL0395.Book Page 67 Wednesday, November 20, 2002 11:44 AM