On 1/1/08, Jordan K. Hubbard <[EMAIL PROTECTED]> wrote: > > I see your confusion. The documentation only mentions Crypt passwords as > and old-style way of leaving passwords around if you need interoperability > with 10.0 or 10.1 machines. By default, you're already using a shadow > password and have been for quite a few releases now. >
Jordan, appreciate the further clarity. Quick question then (just to make sure I'm ultra clear) -- even if a MacPort installs a new entry in the local directory domain with a "Crypt Password" type, what you're saying is that in reality, under Leopard Server (and the past few versions of Mac OS X Server) this password is a Shadow Password disguised to the system as a Crypt Password? I ask because using Workgroup Manager on Leopard Server, I can select the user that was installed by the MacPort (for example, take the openldap MacPort which installs a local directory domain entry with the username "ldap", UID "500" and a User Password Type of "Crypt Password" and I can select the pop-up menu with the "Crypt Password" selection and change the type to either "Shadow Password" or "OpenDirectory" because I am also running an OpenDirectory Master on the same machine). I appreciate the insight as this is actually quite interesting! Thanks, T.M. - Jordan > > On Jan 1, 2008, at 3:09 PM, Tabitha McNerney wrote: > > > On 1/1/08, Jordan K. Hubbard <[EMAIL PROTECTED]> wrote: > > > > Let's ask a different question: What are you trying to achieve? > > > > - Jordan > > > Hi Jordan, > > You raise a good question, about what I am trying to achieve. My concern > is that, after reading Apple's Mac OS X Server Leopard documentation, it > strikes me that crypt passwords are less secure compared to other options > such as Shadow Passwords, as I quote the Leopard Server OpenDirectory > documentation (PDF): > > User accounts not used on computers that require a crypt password should > > have an > > Open Directory password or a shadow password. A crypt password is > > required only for > > logging in to a computer with Mac OS X v10.1 or earlier and on computers > > with some > > types of UNIX. > > > > A crypt password is stored as an encrypted value, or hash, in the user > > account record in > > the directory domain. Because the crypt password can be recovered from > > the directory > > domain, it is subject to offline attack and is less secure than other > > password types. > > > > Maybe I am misinterpreting, but it strikes me that Apple is recommending > that, if possible, a crypt password should be last on the list of password > type choices. > > Thanks, > > T.M. > > On Jan 1, 2008, at 2:04 AM, Tabitha McNerney wrote: > > > > > Hello all -- > > > > > > I am happily running Leopard Server and installing MacPorts 1.6.0. > > > Some of the ports install users in the local directory domain (with > > > Leopard Apple has officially done away with NetInfo by the way). > > > There is an option using Workgroup Manager -- a GUI tool only > > > bundled by Apple with Mac OS X Server, to change the password type > > > of local directory domain users (for example, the user "ldap" > > > installed by MacPorts as part of the openldap port) from crypt to > > > Shadow Password. Has anyone ever tried this and if so are there any > > > reasons not to switch from crypt to Shadow Password? > > > > > > Thank, > > > > > > -T.M. > > > _______________________________________________ > > > macports-users mailing list > > > [email protected] > > > http://lists.macosforge.org/mailman/listinfo/macports-users > > > > > >
_______________________________________________ macports-users mailing list [email protected] http://lists.macosforge.org/mailman/listinfo/macports-users
