Subject: Re: [netatalk-admins] shared Logins on UNIX/Mac?
From: Michael M Han (han@windy.ckm.ucsf.edu)
Date: Tue Aug 11 1998 - 12:10:53 EDT
Previously...
>MacLogin
*THAT'S* what you were trying to do? ah... Check out Apple Network
Administrator's Toolkit 2.0, too. It's more expensive, but it appears
to be a much more robust approach than MacLogin.
>[snip]
>Especially the hint upon clear-text passwords in MacOS was very new
>to me. I always trusted those MacOS admins who claimed that MacOS
>is much more secure than UNIX systems...
That's a laugh. MacOS more secure than UNIX. Pretty much every UNIX is
minimally C2-classified (US Dept. of Defense rates OS security), as is
NT and Netware. MacOS has never been tested and won't be until OS X
Server at the soonest, because all MacOSes I've ever seen wouldn't
even merit a rating...
But in more technical terms, the MacOS-native encryption for passwords
requires that the server know the *clear-text* form of the password.
This is distinct from Unix or NT which one-way *hash* the password.
When they receive passwords, they first hash them and then compare
them to the stored value. MacOS may not in fact store clear-text
passwords; it may encrypt them. But it would have to be a two-way
encryption, meaning that it would be trivial to decrypt the passwords.
A sufficiently large key and good implementation would thwart such
attempts, but that would bring on questions of US Export laws
regarding encryption. I've never actually seen this stated from an
authoritative source, but this is a conclusion I reach based on
information that's readily available.
>Are there any packet sniffers out there already which grab the
>AppleShare passwords from the TCP/IP network (or even from the
>DDP layer?)
This can't be done. MacOS *does* encrypt passwords while they're on
the wire. It uses what they call RandNum which involves the exchange
of a random number which is hashed using the password as a key. The
same passwords will hash the randnum identically. I expect that
RandNum would be reasonably hard to compromise, though I've never
really thought very hard about it.
_________
mike (han@library.ucsf.edu)
I will not charge admission to the bathroom
- The collected wisdom of Bart Simpson
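The message above contrasts two server-side designs: a challenge-response login in which the server must hold the password in recoverable form so it can recompute the client's answer, versus the Unix/NT approach of storing a one-way hash and re-hashing whatever the client sends. The following is an added illustration, not code from the original post or from netatalk; it is a constructed model of the principle only. HMAC-SHA256 stands in for whatever primitive the real RandNum exchange uses, the class and function names are invented, and the sample user and password are made up.

```python
import hashlib
import hmac
import os

# Constructed model of the challenge-response login the post describes
# (assumption: HMAC-SHA256 keyed by the password stands in for the real
# primitive; this is NOT the AFP RandNum wire format). The server must
# recompute the client's answer, so it keeps the password recoverable.
class ChallengeResponseServer:
    def __init__(self):
        self.store = {}  # user -> clear-text password, recoverable by design

    def register(self, user, password):
        self.store[user] = password

    def challenge(self):
        # Fresh random number per login attempt; a recorded answer is only
        # valid for the challenge it was computed against.
        return os.urandom(8)

    def verify(self, user, nonce, response):
        password = self.store.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    # What goes on the wire: a keyed digest of the challenge, never the
    # password itself.
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


# One-way storage in the Unix/NT style: the password does not survive
# registration, so a copy of the store does not yield passwords directly.
class HashedPasswordServer:
    ITERATIONS = 100_000

    def __init__(self):
        self.store = {}  # user -> (salt, pbkdf2 digest)

    def register(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.store[user] = (salt, digest)

    def verify(self, user, password):
        record = self.store.get(user)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(digest, candidate)


def demo():
    """Run both designs on a made-up account and report what each store holds."""
    user, password = "alice", "s3cret"  # constructed sample credentials

    cr = ChallengeResponseServer()
    cr.register(user, password)
    nonce = cr.challenge()
    answer = client_response(password, nonce)
    cr_ok = cr.verify(user, nonce, answer)
    cr_replay_fails = not cr.verify(user, cr.challenge(), answer)
    cr_store_has_password = cr.store[user] == password

    hs = HashedPasswordServer()
    hs.register(user, password)
    hs_ok = hs.verify(user, password)
    hs_store_has_password = password.encode() in hs.store[user][1]

    return {
        "challenge_response_login": cr_ok,
        "replayed_answer_rejected": cr_replay_fails,
        "challenge_response_store_holds_password": cr_store_has_password,
        "hashed_login": hs_ok,
        "hashed_store_holds_password": hs_store_has_password,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the two classes make together is the one the post makes in prose: the challenge-response server authenticates without the password ever crossing the wire, but only because its own store holds the password (or a key equivalent to it), so protecting that store becomes the whole game. The hashed server's store is harmless on its own but forces the password itself to travel to the server on every login.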
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:33:04 EST