Apple OS X Server User Manual

Open as PDF

of 44

Local Windows Hash Authentication

The Local Windows Hash authentication type was used on Mac OS X v10.2 in combination with Basic

authentication, but its use is superseded by Shadow Hash authentication in this version of Mac OS X. With

Local Windows Hash authentication, hashes for NT and LAN Manager authentication are stored in a local file

that is readable only by root. The local file is updated to contain the proper hashes when the password

changes.

This authentication type only supports the NT and LAN Manager authenticationmethods. In order to support

other authentication methods, the Local Windows Hash authentication type is recommended for use in

combination with the Basic authentication type. In this case, when a password is changed, both stored

versions are updated.

Use of the Local Windows Hash authentication type only makes sense for non-network visible directories,

such as the local NetInfo domain.

Here are some examples of properly formed authentication authority attribute values for Local Windows

Hash authentication:

;LocalWindowsHash;

1.0.0;LocalWindowsHash;

1;LocalWindowsHash;

Shadow Hash Authentication

The Shadow Hash authentication type is the default password method for Mac OS X v10.3 and later. Starting

with Mac OS X v10.4, Mac OS X desktop systems do not store NT and LAN Manager hashes by default, while

Mac OS X Server systems store certain hashes by default. When storage of hashes is enabled, only a salted

SHA-1 hash is stored. When a password is changed, all stored versions of the password are updated.

If the value of the authority data field is BetterHashOnly, only the NT hash is used.

Shadow Hash authentication supports cleartext authentication (used, for example, by loginwindow) as well

as the NT and LAN Manager authentication methods. Starting with Mac OS X v10.4, ShadowHash authentication

also supports the CRAM-MD5, DIGEST-MD5, and APOP authentication methods if the proper hashes are

stored.

Here are some examples of properly formed authentication authority attribute values for Shadow Hash

authentication:

;ShadowHash;

1.0.0;ShadowHash;

1;ShadowHash;

With Mac OS X v10.4,the authority data field can be customized with a list of hashes that are to be stored.

Here is an example:

;ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>

Other valid hash types are CRAM-MD5, RECOVERABLE, and SECURE.

Open Directory Overview

CHAPTER 1

Concepts

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Apple OS X Server User Manual