Mac OS X Server 10.2, 10.3: Password authentication options for networked environments

Mac OS X 10.2 and later support a variety of popular standards-based authentication protocols. Here's an overview.
This article has been archived and is no longer updated by Apple.
Note: For information on Mac OS X Server 10.3 or later, please see the "User Authentication With Open Directory" section of the Open Directory pdf available at the Apple Server Documentation page. The remainder of this document describes version 10.2.

"Authentication" verifies a user's identity. It ensures an individual is who she claims to be. Mac OS X 10.2 supports popular standards-based authentication protocols to ensure that only valid, sanctioned users can access the services on your network.

Mac OS X 10.2 provides four distinct password options for network administrators to authenticate network users:
  • Open Directory
  • Password Server
  • Kerberos
  • NetInfo

Review these descriptions of Mac OS X 10.2 password authentication options to assist in making the proper decisions for your networks. Regardless of which method you choose, remember to also consider these other standard security practices.

Open Directory

Open Directory is Apple's open-source, standards-based directory system. It provides the flexibility to work with popular password authentication standards. Mac OS X 10.2 client and server use Open Directory in all user-group and authentication interactions.

Open Directory can work with a wide range of directory systems, and the password management options vary along with the directories configured by the network administrators. For example, if Open Directory is configured to work with an LDAP server, then the password verification and security is dependent on the LDAP server.

Note: Use caution when choosing a non-Apple directory service. Authentication standards and quality may vary according to the capabilities and configuration of the directory system.

Password Server

Password Server is a Simple Authentication and Security Layer (SASL) based password management system. You can give users a single user name and password combination for accessing all authorized resources on the network. Password Server also works with Workgroup Manager to help you set up and manage password policies, such as:
  • Forcing users to change passwords the next time they log in.
  • Expiring user accounts after a certain date.
  • Enforcing minimum password lengths.
  • Disabling inactive accounts after a period of no use.

Client-side Password Server software was added in Mac OS X 10.2. All services in Mac OS X 10.2 Server take complete advantage of it. For added security, Password Server does not transmit the password over the network; it simply indicates whether a given user name and password pair is correct. With the Password Server there is no encrypted hash stored in the user record. Rather, password verification is done via a secure network connection to the Password Server, which is set up and configured by a network administrator. Access to the password hash database is very restricted; it is protected even from remote network administrators. Password Server logs all network activity and provides implementation of "best practices" for password management and security. For a full discussion of the Password Server, see the Mac OS X 10.2 Server Administration Guide.

Kerberos

Kerberos is a popular authentication system that Mac OS X 10.2 can fully support as its primary authentication system. Full implementation of MIT Kerberos client authentication services enables single user sign-on to all authorized systems and network services. Mac OS X 10.2 users can access networks secured by Kerberos v4 and v5 servers and appreciate the benefits of Kerberized applications such as Mail, FTP, Telnet, and the AFP (Apple Filing Protocol) client.

If you have an established Kerberos site, you should consider using Mac OS X 10.2 with Kerberos as a password management alternative. Instructions for configuring Mac OS X 10.2 desktop and server can be found at the AppleCare website (http://www.apple.com/support/) and in Mac OS X 10.2 Server documentation.

NetInfo

Every Mac OS X computer has a local directory domain called NetInfo. Only local applications and system software can access administrative data for this local domain. It is the first domain consulted when a user logs in or performs some other operation that requires data stored in a directory domain.

When the user logs in to a Mac OS X 10.2 computer, Open Directory searches the computer's NetInfo database for the user's record. If NetInfo contains the user's record (and the user typed the correct password), the login process proceeds, giving the user access to the computer. This is the default behavior, but it can be changed by specifying an alternate search path in the Directory Access application.

User records are encrypted in the NetInfo database by using the UNIX crypt() function. Anyone with access to the system can access this encrypted data, so you should beware of potential exploit by experienced individuals. The encrypted data is most commonly viewed using one of four tools. It is advisable to change the permissions on these tools so that they are only executable by root and admin groups. This will limit the security exposure these password storage techniques represent. The four tools are:
  • NetInfo Manager (Applications/Utilities)
  • nidump (/usr/bin/nidump)
  • nicl (/usr/bin/nicl)
  • niutil (/usr/bin/niutil)

Additionally, Mac OS X 10.2 should be configured to prevent users from installing new software. This prevents someone from installing their own copy of these or equivalent tools.

Most importantly, administrators should encourage users to choose secure passwords. Administrators can assign passwords and prevent users from changing them by removing "_writers_password" properties in the NetInfo database.

Note: Local password hash form of password management is the required method for local user accounts and backwards compatibility with Mac OS 10.1

Standard Security Practices

Regardless of which authentication method you use, consider these additional security practices:
  • Keep the server physically secured.
  • Only allow trusted users with an administrator account access to the server.
  • Use Open Firmware Password Security.
  • Choose secure passwords.
  • Remember that any local administrator account on the server can access the root account. Local administrator account and root account access provides opportunity for exploits that, depending on configuration, may not be available to remote users and administrators. This includes the ability to discover encrypted password hash.

Related documents

106290: Mac OS X: About the root User and How to Enable It
106482: Mac OS X 10.1: How to Set Up Open Firmware Password Protection"
106521: Mac OS X: How to Choose Secure Passwords
Published Date: Oct 7, 2016