CHAPTER 1
Concepts
Local Windows Hash Authentication
The Local Windows Hash authentication type was used on Mac OS X v10.2 in combination with Basic authentication, but its use is superseded by Shadow Hash authentication in this version of Mac OS X. With Local Windows Hash authentication, hashes for NT and LAN Manager authentication are stored in a local file that is readable only by root. The local file is updated to contain the proper hashes when the password changes.
This authentication type only supports the NT and LAN Manager authentication methods. In order to support other authentication methods, the Local Windows Hash authentication type is recommended for use in combination with the Basic authentication type. In this case, when a password is changed, both stored versions are updated.
Use of the Local Windows Hash authentication type only makes sense for
Here are some examples of properly formed authentication authority attribute values for Local Windows Hash authentication:
;LocalWindowsHash;
1.0.0;LocalWindowsHash;
1;LocalWindowsHash;
Shadow Hash Authentication
The Shadow Hash authentication type is the default password method for Mac OS X v10.3 and later. Starting with Mac OS X v10.4, Mac OS X desktop systems do not store NT and LAN Manager hashes by default, while Mac OS X Server systems store certain hashes by default. When storage of hashes is enabled, only a salted
If the value of the authority data field is BetterHashOnly, only the NT hash is used.
Shadow Hash authentication supports cleartext authentication (used, for example, by loginwindow) as well as the NT and LAN Manager authentication methods. Starting with Mac OS X v10.4, ShadowHash authentication also supports the
Here are some examples of properly formed authentication authority attribute values for Shadow Hash authentication:
;ShadowHash;
1.0.0;ShadowHash;
1;ShadowHash;
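The following is an added example, not code from the original document: a small auditing parser for the authentication authority values shown above, which reports whether a LAN Manager hash may be stored for an account. The function names, result labels, and sample records are hypothetical. The version pattern (empty, or up to three dot-separated numbers) is an assumption generalized from the examples on this page.

```python
import re

# Version field forms shown on the page: empty, "1", "1.0.0".
# Assumption: up to three dot-separated numeric components.
VERSION_RE = re.compile(r"(\d+(\.\d+){0,2})?")
TAGS = ("LocalWindowsHash", "ShadowHash")  # the two types this section covers


def parse_authority(value):
    """Split 'version;tag;data' and validate each field."""
    parts = value.strip().split(";", 2)
    if len(parts) != 3:
        raise ValueError("expected version;tag;data: %r" % value)
    version, tag, data = parts
    if not VERSION_RE.fullmatch(version):
        raise ValueError("bad version field: %r" % version)
    if tag not in TAGS:
        raise ValueError("tag not covered here: %r" % tag)
    return {"version": version, "tag": tag, "data": data}


def lan_manager_exposure(value):
    """Classify whether a LAN Manager hash may be stored for this account."""
    auth = parse_authority(value)
    if auth["tag"] == "LocalWindowsHash":
        return "stored"        # NT and LAN Manager hashes kept in a root-only file
    if auth["data"] == "BetterHashOnly":
        return "not-used"      # only the NT hash is used
    if auth["data"] == "":
        return "os-default"    # depends on OS version and desktop vs. server
    return "custom-list"       # customized hash list; not interpreted here


def audit(records):
    """Map each (user, value) pair to a finding; malformed values are flagged."""
    report = {}
    for user, value in records:
        try:
            report[user] = lan_manager_exposure(value)
        except ValueError as exc:
            report[user] = "malformed: %s" % exc
    return report


# Constructed sample records (not from a real system).
SAMPLE = [("alice", ";ShadowHash;"), ("bob", "1.0.0;LocalWindowsHash;"),
          ("carol", "1;ShadowHash;BetterHashOnly"), ("dave", "ShadowHash")]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(user, finding)
```
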
With Mac OS X v10.4, the authority data field can be customized with a list of hashes that are to be stored. Here is an example:
Other valid hash types are