CHAPTER 1

Concepts

Local Windows Hash Authentication

The Local Windows Hash authentication type was used on Mac OS X v10.2 in combination with Basic authentication, but its use is superseded by Shadow Hash authentication in this version of Mac OS X. With Local Windows Hash authentication, hashes for NT and LAN Manager authentication are stored in a local file that is readable only by root. The local file is updated to contain the proper hashes when the password changes.

This authentication type only supports the NT and LAN Manager authentication methods. In order to support other authentication methods, the Local Windows Hash authentication type is recommended for use in combination with the Basic authentication type. In this case, when a password is changed, both stored versions are updated.

Use of the Local Windows Hash authentication type only makes sense for directories that are not visible on the network, such as the local NetInfo domain.

Here are some examples of properly formed authentication authority attribute values for Local Windows Hash authentication:

;LocalWindowsHash;

1.0.0;LocalWindowsHash;

1;LocalWindowsHash;

Shadow Hash Authentication

The Shadow Hash authentication type is the default password method for Mac OS X v10.3 and later. Starting with Mac OS X v10.4, Mac OS X desktop systems do not store NT and LAN Manager hashes by default, while Mac OS X Server systems store certain hashes by default. When storage of hashes is enabled, only a salted SHA-1 hash is stored. When a password is changed, all stored versions of the password are updated.

If the value of the authority data field is BetterHashOnly, only the NT hash is used.

Shadow Hash authentication supports cleartext authentication (used, for example, by loginwindow) as well as the NT and LAN Manager authentication methods. Starting with Mac OS X v10.4, ShadowHash authentication also supports the CRAM-MD5, DIGEST-MD5, and APOP authentication methods if the proper hashes are stored.

Here are some examples of properly formed authentication authority attribute values for Shadow Hash authentication:

;ShadowHash;

1.0.0;ShadowHash;

1;ShadowHash;

With Mac OS X v10.4, the authority data field can be customized with a list of hashes that are to be stored. Here is an example:

;ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>

Other valid hash types are CRAM-MD5, RECOVERABLE, and SECURE.
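The attribute values shown above for both Local Windows Hash and Shadow Hash authentication share one layout: an optional version, a semicolon, the authentication type tag, a semicolon, and optional authority data. The parser below is an added example, not code from Apple's documentation or from Open Directory; it splits a value into those three fields, decodes the HASHLIST and BetterHashOnly data forms described on this page, and reports which configured hash types a reviewer would want to flag as weak. The list of known hash types is taken from the page; the judgement that SMB-LAN-MANAGER and RECOVERABLE are the weak entries is this example's own, and the function and field names are assumptions of the example.

```python
"""Parse Open Directory AuthenticationAuthority attribute values.

Layout (from the documentation):  version ; tag ; data
Examples:                          ;ShadowHash;
                                   1.0.0;LocalWindowsHash;
                                   ;ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>
"""
from dataclasses import dataclass
from typing import List, Optional

# Hash type names quoted on the page for the HASHLIST data field.
KNOWN_HASH_TYPES = {
    "SALTED-SHA-1", "SMB-NT", "SMB-LAN-MANAGER",
    "CRAM-MD5", "RECOVERABLE", "SECURE",
}

# Assessment made by this example, not by the page: the LAN Manager hash is a
# weak legacy format, and RECOVERABLE stores a reversible form of the password.
WEAK_HASH_TYPES = {"SMB-LAN-MANAGER", "RECOVERABLE"}


@dataclass
class AuthAuthority:
    version: str                          # "" when absent, e.g. ";ShadowHash;"
    tag: str                              # "ShadowHash", "LocalWindowsHash", ...
    data: str                             # raw text after the second semicolon
    hash_list: Optional[List[str]] = None  # decoded HASHLIST, when present
    better_hash_only: bool = False        # data field was "BetterHashOnly"


def parse_auth_authority(value: str) -> AuthAuthority:
    """Split one attribute value into version, tag and data; decode ShadowHash data."""
    # At most three fields: the data field keeps any further semicolons intact.
    parts = value.split(";", 2)
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"malformed authentication authority value: {value!r}")
    version, tag = parts[0], parts[1]
    data = parts[2] if len(parts) == 3 else ""
    auth = AuthAuthority(version=version, tag=tag, data=data)

    if tag == "ShadowHash":
        if data == "BetterHashOnly":
            auth.better_hash_only = True
        elif data.startswith("HASHLIST:<") and data.endswith(">"):
            inner = data[len("HASHLIST:<"):-1]
            hashes = [h.strip() for h in inner.split(",") if h.strip()]
            unknown = [h for h in hashes if h not in KNOWN_HASH_TYPES]
            if unknown:
                raise ValueError(f"unknown hash type(s) in HASHLIST: {unknown}")
            auth.hash_list = hashes
    return auth


def weak_hashes_configured(value: str) -> List[str]:
    """Return the weak hash types a value would cause to be stored on disk."""
    auth = parse_auth_authority(value)
    if auth.tag == "LocalWindowsHash":
        # The page states this type stores NT and LAN Manager hashes.
        return ["SMB-LAN-MANAGER"]
    if auth.hash_list is None:
        # No explicit HASHLIST: the platform default applies, which this
        # parser cannot see, so there is nothing concrete to flag.
        return []
    return [h for h in auth.hash_list if h in WEAK_HASH_TYPES]


if __name__ == "__main__":
    # Constructed sample values, taken from the forms shown on this page.
    for sample in (";ShadowHash;", "1.0.0;LocalWindowsHash;",
                   ";ShadowHash;BetterHashOnly",
                   ";ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>"):
        print(sample, "->", parse_auth_authority(sample),
              "weak:", weak_hashes_configured(sample))
```

Run as a script it prints the decoded fields for each sample; in an audit you would feed it the AuthenticationAuthority values pulled from each user record and review any non-empty weak list.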

Open Directory Overview

2007-01-08 © 2007 Apple Inc. All Rights Reserved.
