Apple OS X Server User Manual


 
Local Windows Hash Authentication
The Local Windows Hash authentication type was used on Mac OS X v10.2 in combination with Basic
authentication, but its use is superseded by Shadow Hash authentication in this version of Mac OS X. With
Local Windows Hash authentication, hashes for NT and LAN Manager authentication are stored in a local file
that is readable only by root. The local file is updated to contain the proper hashes when the password
changes.
This authentication type only supports the NT and LAN Manager authentication methods. To support
other authentication methods, the Local Windows Hash authentication type is recommended for use in
combination with the Basic authentication type; in that case, both stored versions are updated when a
password is changed. Note that the LAN Manager hash is the weaker of the two: it upper-cases the password,
truncates it to 14 characters, and hashes each 7-character half independently, so it should be stored only
where legacy Windows clients actually require it.
Use of the Local Windows Hash authentication type only makes sense for directories that are not visible on
the network, such as the local NetInfo domain.
Here are some examples of properly formed authentication authority attribute values for Local Windows
Hash authentication:
;LocalWindowsHash;
1.0.0;LocalWindowsHash;
1;LocalWindowsHash;
Shadow Hash Authentication
The Shadow Hash authentication type is the default password method for Mac OS X v10.3 and later. Starting
with Mac OS X v10.4, Mac OS X desktop systems do not store NT and LAN Manager hashes by default, while
Mac OS X Server systems store certain hashes by default. When storage of the NT and LAN Manager hashes is
not enabled, only a salted SHA-1 hash is stored. When a password is changed, all stored versions of the
password are updated.
If the value of the authority data field is BetterHashOnly, only the NT hash (the stronger of the two Windows
hashes) is used; the LAN Manager hash is not kept.
Shadow Hash authentication supports cleartext authentication (used, for example, by loginwindow) as well
as the NT and LAN Manager authentication methods. Starting with Mac OS X v10.4, ShadowHash authentication
also supports the CRAM-MD5, DIGEST-MD5, and APOP authentication methods if the proper hashes are
stored.
Here are some examples of properly formed authentication authority attribute values for Shadow Hash
authentication:
;ShadowHash;
1.0.0;ShadowHash;
1;ShadowHash;
With Mac OS X v10.4, the authority data field can be customized with a list of hashes that are to be stored.
Here is an example:
;ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>
Other valid hash types are CRAM-MD5, RECOVERABLE, and SECURE. Listing only the hashes that the
authentication methods in use actually need keeps the weaker unsalted hashes out of the shadow file.
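The following is an added example and not Apple's code; it illustrates both the Local Windows Hash and
Shadow Hash sections above by parsing authentication authority attribute values of the forms shown
(version;tag;data, with an optional HASHLIST:<...> or BetterHashOnly data field) and computing two of the
hashes they name. The SMB-NT hash is MD4 over the UTF-16LE password. The SALTED-SHA-1 layout (a 4-byte
random salt followed by the UTF-8 password, stored as the hex salt followed by the hex SHA-1 digest) is an
assumption about the v10.4 shadow hash files that this page does not spell out. The LAN Manager, CRAM-MD5,
RECOVERABLE and SECURE types are recognised but not computed. The function names and the sample
values are the example's own.

```python
"""Added example (not Apple code): parse AuthenticationAuthority values and
compute the SMB-NT and SALTED-SHA-1 hashes they may name."""
import hashlib
import hmac
import os
import struct

# Hash-type names this page lists as valid inside a HASHLIST:<...> clause.
VALID_HASH_TYPES = {"SALTED-SHA-1", "SMB-NT", "SMB-LAN-MANAGER",
                    "CRAM-MD5", "RECOVERABLE", "SECURE"}
KNOWN_TAGS = {"ShadowHash", "LocalWindowsHash", "Basic"}


def parse_authentication_authority(value: str) -> dict:
    """Split '<version>;<tag>;<data>' into parts; version and data may be empty.
    A HASHLIST:<...> data field is expanded and checked against VALID_HASH_TYPES."""
    parts = value.split(";", 2)
    if len(parts) != 3 or parts[1] not in KNOWN_TAGS:
        raise ValueError(f"malformed or unsupported authority value: {value!r}")
    version, tag, data = parts
    hashlist = None
    if data.startswith("HASHLIST:<") and data.endswith(">"):
        hashlist = data[len("HASHLIST:<"):-1].split(",")
        unknown = set(hashlist) - VALID_HASH_TYPES
        if unknown:
            raise ValueError(f"unknown hash type(s): {sorted(unknown)}")
    return {"version": version or None, "tag": tag,
            "data": data or None, "hashlist": hashlist}


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's 'md4' is often absent under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (boolean function, round constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """SMB-NT: MD4 over the UTF-16LE password, unsalted (equal passwords, equal hashes)."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def salted_sha1(password: str, salt: bytes = None) -> str:
    """SALTED-SHA-1: SHA-1 over a 4-byte random salt + UTF-8 password, stored as
    hex(salt) + hex(digest). Assumed layout; this page does not specify it."""
    salt = os.urandom(4) if salt is None else salt
    return (salt + hashlib.sha1(salt + password.encode("utf-8")).digest()).hex().upper()


def verify_salted_sha1(password: str, stored: str) -> bool:
    """Recompute with the salt carried in the stored value; constant-time compare."""
    salt = bytes.fromhex(stored[:8])
    return hmac.compare_digest(salted_sha1(password, salt), stored.upper())


def hashes_for(password: str, authority: str, salt: bytes = None) -> dict:
    """Hashes a record with this authority value holds, per this page:
    LocalWindowsHash -> NT and LAN Manager; ShadowHash + BetterHashOnly -> NT only;
    ShadowHash + HASHLIST -> exactly that list; plain ShadowHash -> desktop default
    (salted SHA-1 only). Types not computed in this example are left as None."""
    info = parse_authentication_authority(authority)
    if info["tag"] == "Basic":
        raise ValueError("Basic stores a crypt-style password, not covered here")
    if info["tag"] == "LocalWindowsHash":
        wanted = ["SMB-NT", "SMB-LAN-MANAGER"]
    elif info["data"] == "BetterHashOnly":
        wanted = ["SMB-NT"]
    else:
        wanted = info["hashlist"] or ["SALTED-SHA-1"]
    compute = {"SMB-NT": lambda: nt_hash(password),
               "SALTED-SHA-1": lambda: salted_sha1(password, salt)}
    return {h: compute[h]() if h in compute else None for h in wanted}


if __name__ == "__main__":
    for auth in (";ShadowHash;", ";ShadowHash;BetterHashOnly",
                 ";ShadowHash;HASHLIST:<SALTED-SHA-1,SMB-NT,SMB-LAN-MANAGER>",
                 "1;LocalWindowsHash;"):
        print(auth, hashes_for("password", auth))  # "password" is a constructed sample
```

Running the block prints, for each of the sample authority values, which hashes the record would hold;
the unsalted NT hash comes out identical every time while the salted SHA-1 changes with each fresh salt,
which is the practical reason to keep SMB-NT and SMB-LAN-MANAGER out of the HASHLIST unless Windows
clients need them.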
Open Directory Overview
2007-01-08 | © 2007 Apple Inc. All Rights Reserved.
CHAPTER 1
Concepts