Dec 04 2005

Kerberos does not send passwords in the clear or encrypted — in fact, it uses a three-part key-based scheme to authenticate services (mail, sign-on, file services, etc.) along with a KDC server so that it NEVER SENDS THE PASSWORD OVER THE NETWORK. This is done entirely invisibly to the user, who is presented with one log-in (the OS X log-in window).

In reality, most services these days store passwords: Mail and other e-mail apps, AFP connections, etc. (Which means people mostly need to sign on only once anyway.)

Whether or not a service is authenticated using Kerberos depends on whether the service, as implemented on both the client and the server, has been kerberized, that is, made compatible with the Kerberos authentication methods described here. With regard to Apple's products, both client and server, most services in OS X 10.4 can be used with a KDC server in this environment.

The general implementation is to enable Kerberos on the server (that is, for the service running on the server). In many cases you can (and, where appropriate, are advised by Apple to) enable Kerberos-only authentication for a particular service, which is safest. Remember that the configuration also requires setting up a KDC server in a multiuser environment. With few exceptions, for many services there is nothing to configure on the client machine.

Kerberos is designed to be invisible to the user when set up on both the client and the servers.

Kerberos is designed for larger workgroups, but at a minimum the advising technologist should keep in mind these needed components: a KDC server, and services (Mail, Web, iChat, QuickTime, DNS, DHCP, etc.) running on a server. And, of course, each client user has a Mac OS X computer running Mac OS X Client.

Only tickets and requests for tickets are sent across the network; the three components are configured so that each shares encryption keys with the others, but not evenly.

The client shares a key with the KDC server; the KDC server shares another key with the service that's authenticating. An excellent training video found in Chapter 6 of the CD companion to the book Mac OS X Server Essentials (Regan, Schoun, et al.) visualizes the process from here. What is important for a technologist to know is that the password never gets sent over the network, only highly encrypted tickets, which get sent back and forth between the three entities in a trust-me game. When properly set up, the client sees none of it and the authentication works. (Remember, for all this to work it requires a special KDC server, requires that the service support Kerberos and have Kerberos authentication enabled, and Kerberos must be implemented in the client's version of the OS.)
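The three-party exchange described above, as an added example that is not part of the original post or of Apple's or MIT's code: the client's key is derived from its password, the KDC holds that key plus a separate key for the service, and only sealed tickets cross the wire. The principals, keys and the HMAC-based toy cipher are constructed here and stand in for Kerberos' real encryption types.

```python
import hashlib, hmac, json, os, time

def derive_key(password: str) -> bytes:
    # String-to-key: client and KDC derive the same key; the password itself stays local.
    return hashlib.sha256(b"toy-krb|" + password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Toy encrypt-then-MAC (HMAC keystream XOR, HMAC tag); stands in for Kerberos' cipher.
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue(user_keys: dict, service_keys: dict, user: str, service: str):
    # KDC holds one key shared with each client and one with each service (the uneven sharing).
    session = os.urandom(32)
    ticket = seal(service_keys[service], {"user": user, "session": session.hex(), "exp": time.time() + 600})
    reply = seal(user_keys[user], {"session": session.hex(), "service": service})
    return ticket, reply           # both cross the network; the password does not

def client_auth(password: str, user: str, ticket: bytes, reply: bytes):
    # Only the correct password yields a key that opens the KDC reply and the session key inside.
    session = bytes.fromhex(unseal(derive_key(password), reply)["session"])
    return ticket, seal(session, {"user": user, "ts": time.time()})

def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # The service never sees the client's key; it trusts the KDC's ticket sealed under its own key.
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    if unseal(bytes.fromhex(t["session"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def demo(password: str, attempt: str):
    # Constructed principals and keys; returns (authenticated user, password seen on the wire?).
    user_keys = {"alice": derive_key(password)}
    service_keys = {"afp/server.example": os.urandom(32)}
    ticket, reply = kdc_issue(user_keys, service_keys, "alice", "afp/server.example")
    ticket, auth = client_auth(attempt, "alice", ticket, reply)
    return service_verify(service_keys["afp/server.example"], ticket, auth), password.encode() in ticket + reply + auth
```

A wrong password at the client fails at `client_auth` (it cannot open the KDC reply), and a ticket altered in transit fails the tag check at the service, so a bad guess never reaches the service as an authentication attempt against the real password.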

Kerberos was first incorporated into the product line in Mac OS X Server 10.2. In that release, the kerberized services were: login, mail, FTP, AFP, and SSH.

Kerberos was developed at MIT. Its name comes from Greek mythology (alternatively spelled Cerberus): the three-headed guard dog at the gates of Hades, the underworld.

 Posted by at 6:44 pm
Dec 04 2005

How does enabling or disabling File Access Control Lists on a volume affect whether you can choose "Use Standard POSIX behavior" or "Inherit from parent" when configuring a share point (on that volume) in the AFP protocol configuration?

When ACLs are enabled on a volume, the options "Use Standard POSIX behavior" and "Inherit from parent" are greyed out when configuring an AFP share point on that volume, indicating that the ACL will be used to determine inheritance.

This does not apply to SMB (Windows sharing), FTP, or NFS sharing.

Dec 04 2005

– Show input menu (shows the list of users)

– Use VoiceOver at log-in window (speaks everything at the log-in window to you)

– Show password hints (after three attempts, shows the hint for this user)

– Show Reset, Sleep, and Shut Down buttons

If a master password is set, after the third log-in attempt it will prompt you for the master password for the system, which will allow you to change this user's password.

 Posted by at 1:59 pm
Dec 04 2005

Parental Controls:
Mail – allow mail to be sent to (list)

Finder – Some Limits, Simple Finder
– open all System Prefs, modify Dock, administer printers, burn CDs, allow supporting programs, change password
– set which apps can be opened

iChat – allow user to chat with (list)

Safari – must be logged in with that account to edit the sites list

Dictionary – on/off (when set to on, profanities can be looked up in Dictionary)

 Posted by at 1:49 pm