So You Want to Be a Mac OS X Server Admin? Understanding the Building Blocks of Open Directory and Mac OS X User Management
- Understanding Open Directory
- What About Older Macs Running Mac OS 9?
- Replication: What to Do When One Server Isnt Enough
- Keeping Passwords and Your Infrastructure Safe and Secure
- The Basics of Setting Up an Open Directory Server
- Getting Practical About Open Directory and User Accounts
- Users in Workgroup Manager: The Mac OS X Server Tool for Account Management
Keeping Passwords and Your Infrastructure Safe and Secure
Open Directory supports several methods for storing and transmitting user passwords. The most secure of these is Kerberos, which is a technology that was developed by MIT to promote secure authentication and access to resources over a network. Kerberos achieves this through two methods. The first is by enabling a single sign-on environment. With single sign-on, a user’s password is transmitted across the network only once. Processes that need to verify a user’s identity and credentials thereafter do so through Kerberos rather than by requesting the user to re-enter the password or by requesting any password information from Open Directory. Second, Kerberos enhances security by storing user passwords in a separate database, called a Kerberos realm, outside of the Open Directory domain. The Kerberos realm can be read only by processes initiated by root under Mac OS X Server, whereas much of the information stored in a shared directory domain (be it LDAP or NetInfo) can be accessed by administrators and client operating systems as the information is needed.
The Open Directory Password Server is the next-most-secure password type used by Open Directory. It functions similarly to Kerberos in that it also stores user password information outside the directory domain. As with Kerberos, this promotes an added level of security because the password server database is a separate a nonshared entity. Although password server does not afford the advantage of the single sign-on that Kerberos does, communications between a workstation and password server are encrypted wherever possible. To support encrypted communication with as many services as possible, password server is based on a standard called Simple Authentication Security Layer (SASL), which supports commonly used encrypted and unencrypted authentication methods.
Crypt passwords (sometimes called basic passwords) store a user’s password as part of the user object within a shared directory. This makes them innately less secure than both Kerberos and password server because user account information is not secure in a shared directory. Crypt passwords do encrypt passwords rather than storing them as clear text using the Unix crypt command. Crypt passwords do not support the use of password policies and are limited to eight characters, compounding their inherent lack of security. However, Mac OS X versions 10.1 and earlier support only crypt passwords. If you have users who need to log in from an early Mac OS X workstation, you can specify their account to use crypt passwords. However, a better solution would be to upgrade the older workstation(s) if possible to offer both improved security and an improved user experience. Shadow passwords are not stored within a directory domain, giving them some measure of security over crypt passwords. However, they are stored in files accessible by the root user of a Mac OS X Server, giving them less security than password server or Kerberos. Shadow passwords are also encrypted and are used only for backwards compatibility with some Windows file and print services.
When creating or editing a user account, you have a choice for the password type that will be used by the account: Open Directory or Crypt Password (also referred to as Basic in some Mac OS X Server versions). Open Directory stores the password using both Kerberos and the Open Directory Password Server. Basic or crypt stores the password in crypt form. Needless to say, the ideal solution is to choose Open Directory as the password type.