4

I've bought and downloaded the MacOS Server application to host a VPN and to host a Satis repository.

When enabling either the VPN or Websites services, a dialogue appears asking "Do you want to change how your password is stored?", with the advice that "Authenticating to this service requires storing your password in a less secure form."

I can't find any further information on this, not from the Server documentation, nor from searching on Google.

  • What does this actually mean?
  • Why is this necessary?
  • Does it pertain to my MacOS user account credentials? If so, will it only affect the credentials of the account that the Server application is being run from (if this is the case, I will create a separate user account to run the Server app)?

Many thanks for your time and help.

568ml
  • 143

2 Answers2

1

OS X stores your passworded in a "salted hash" one-way encrypted format (See this question which "scrambles" your password (combined with a "salt") in such a way that it can't be decrypted, but produces the same value every time.

Depending on how Apache is configured, it uses different (normally salted) algorithms, including MD5, SHA1 and crypt: see the documentation

These are easier to crack than SHA-512, but also fairly secure (they do use a salt, and are one-way hashes. An attacker would need to get the htpasswd file to crack your password)

The same is true of the VPN server: I'm not sure what hashing algorithm it uses, but it's one with less entropy than the internal user database, which is what the warning means.

It's necessary because each piece of software is written by different maintainers (the web server by Apache, for example) and not by Apple, and because they store your password rather than authenticating you against the OS X user database.

It pertains to whatever users are allowed to authenticate to those services (the VPN and Web services) and not the user account that the Server app is running as.

Josh
  • 8,646
1

Building on @Josh's answer, There are some legacy services that require the use of a hashing algorithm called MS/CHAP. One of the unfortunate properties of the MS/CHAP hash family is that the stored hash is weak enough to allow the password to be retrieved. This is a problem if the file in the server containing the hashes gets stolen by an attacker. The PPTP VPN server is one of the legacy services that use MS/CHAP.

All that said, you do not need to weaken the hash of the server administrator if that person will not be using VPN. Users created after Server.app is installed and set up will have their hashes weakened. You can use the pwpolicy(8) tool to see what hashes are saved for a user. If you have a user created before the VPN was started and you wish to have them use the service, you can go to the users pane and look up that user, you will see a message "the user may not be able to access all the services" with an option to fix. Choose fix.

I think it is always a good idea to have a specific user for server administration tasks. So I encourage you to create a user for running Server.app and subsequently there will be no need to weaken the hashes for that user.

Leland Wallace
  • 685