User Accounts
Revised: 2014-01-27 richard
Class Notes from January 11th, 2008
"Enabling" root user really means giving root user a password. Root user is always there. It can't be removed (and expect the OS to still work).
/etc/passwd
/etc/master.passwd
Directory Access (10.4) or Directory Utility (10.5) to enable BSD directory.
man 5 passwd
NetInfo and dslocal
dscl & NetInfo Manager
--------
What makes an "admin" user admin? The Admin group and these 3 things:
/etc/sudoers
/etc/authorization
General file permissions (gid 80 is the admin group; /Library and /Applications are writable by the admin group)
--------
The default home folder comes from:
/System/Library/User Template/English.lproj
Modify it at will. Keep a backup copy though.
------
Passwords
OFPW
sudo nvram security-mode
sudo nvram security-password
To disable
sudo nvram security-mode=none
To enable
sudo nvram security-mode=command
OFPW Utility (on the installer DVD)
On PPC, at the Open Firmware prompt during boot (hold down option-apple-o-f), type:
set-env security-mode none
You will need to supply the password.
User passwords
/var/db/shadow/hash
The files are named after the UUID attribute for the user record.
Auto login password is at
/etc/kcpassword
The file that controls autologin is
/Library/Preferences/com.apple.loginwindow.plist
You can quickly change passwords with ARD (Apple Remote Desktop) using Send Unix Command by replacing the contents of the files in /var/db/shadow/hash. You can change the autologin password by replacing the contents of /etc/kcpassword. You can quickly change the Open Firmware password by running the command nvram security-password=.....
How? Change the passwords on one machine. Open the file (or run nvram security-password), copy the contents, and run the ARD commands:
nvram security-password=paste encrypted password
echo -n paste encrypted password > /var/db/shadow/hash/the_file_you_want_to_change
The file you want to change above is named after the UUID that corresponds to the user you want to change.
To set autologin via ARD for a bunch of computers (that have the same user account and password, like an imaged computer), first log in as the user you want to have autologin enabled. Open System Preferences and set up autologin. Then run this command:
cat /etc/kcpassword | perl -ne 'print unpack "H*", $_'
Take that output and replace the "xxx" below with it, and replace "mac" and 501 with the username and uid of the user. Then run this on all the computers:
perl -e 'print pack "H*", "hex output from above goes here xxx"' >/etc/kcpassword
chmod 600 /etc/kcpassword
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser mac
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUserUID 501
defaults write /Library/Preferences/com.apple.loginwindow lastUser Restart
killall loginwindow
That will initiate autologin. To undo, just delete /etc/kcpassword and kill loginwindow again. You could get fancier if you created both the /var/db/shadow/hash/ file and the kcpassword file. You could even back up the old user's password and then log in as that user without knowing or changing the password (you have root, naturally). This wouldn't work for FileVault-encrypted accounts, though.
You could check out this too: http://www.brock-family.org/gavin/perl/kcpassword.html
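The notes above leave three artifacts on a machine where autologin or the firmware password has been touched: the loginwindow plist keys, the /etc/kcpassword file (and its mode, which the procedure sets to 0600), and the nvram security-mode variable. The following audit script is an added example, not part of the original class notes; it reads those three inputs as values passed in (constructed sample data is embedded inline) so it runs offline, and it assumes `nvram` prints its variables as name, tab, value, which is what the 10.4/10.5 nvram tool does.

```python
"""Audit autologin and Open Firmware password posture (added example).

Inputs are passed in explicitly rather than read from the live system so the
check runs offline against constructed samples. On a real machine you would
feed it the bytes of /Library/Preferences/com.apple.loginwindow.plist, the
st_mode of /etc/kcpassword (or None if absent) and the output of
`nvram security-mode`.
"""
import plistlib
import stat

# Constructed sample: the plist the `defaults write` commands above produce.
SAMPLE_PLIST_AUTOLOGIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>autoLoginUser</key><string>mac</string>
    <key>autoLoginUserUID</key><integer>501</integer>
    <key>lastUser</key><string>Restart</string>
</dict>
</plist>
"""

# Constructed sample: a loginwindow plist with autologin never configured.
SAMPLE_PLIST_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>lastUser</key><string>loggedIn</string>
</dict>
</plist>
"""


def parse_loginwindow(plist_bytes):
    """Return the two autologin keys from com.apple.loginwindow.plist (None if unset)."""
    prefs = plistlib.loads(plist_bytes)
    return {
        "autoLoginUser": prefs.get("autoLoginUser"),
        "autoLoginUserUID": prefs.get("autoLoginUserUID"),
    }


def parse_security_mode(nvram_output):
    """Extract the value of security-mode from `nvram security-mode` output.

    Assumed output format: one variable per line, name TAB value.
    An absent variable is treated as 'none', i.e. no firmware password.
    """
    for line in nvram_output.splitlines():
        name, _, value = line.partition("\t")
        if name.strip() == "security-mode":
            return value.strip()
    return "none"


def audit(plist_bytes, kcpassword_mode, nvram_output):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []

    lw = parse_loginwindow(plist_bytes)
    if lw["autoLoginUser"] is not None:
        findings.append(
            "autologin enabled for %s (uid %s)"
            % (lw["autoLoginUser"], lw["autoLoginUserUID"])
        )

    if kcpassword_mode is not None:
        # The file exists only when autologin has been set up; it holds an
        # obfuscated copy of the user's login password.
        findings.append("/etc/kcpassword present: obfuscated login password on disk")
        if kcpassword_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                "/etc/kcpassword mode %s is wider than 0600"
                % oct(stat.S_IMODE(kcpassword_mode))
            )

    if parse_security_mode(nvram_output) == "none":
        findings.append("firmware password disabled (security-mode=none)")

    return findings


if __name__ == "__main__":
    # Constructed sample system: autologin on, kcpassword world-readable, no OFPW.
    for f in audit(SAMPLE_PLIST_AUTOLOGIN, 0o100644, "security-mode\tnone\n"):
        print("FINDING:", f)
```

Run against a real box by reading the plist with `open(..., "rb").read()`, `os.stat("/etc/kcpassword").st_mode`, and `subprocess.check_output(["nvram", "security-mode"])`; a machine with no findings has no autologin configured and a firmware password set.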
------
10.5 has a guest user. The home folder is blown away at login. It requires no password to use. It is disabled by default.
The "Master Password" (not /etc/master.passwd) is a master key that unlocks encrypted home folders (File Vault). The password is stored at:
/Library/Keychains/FileVaultMaster.keychain
The pref for it is at /var/root/Library/Preferences/com.apple.security.plist
User Keychains. The one thing I want to say about this is that if a user doesn't know their keychain password, delete the user's keychain. A new one will be created at the next login. The keychain file is stored in ~/Library/Keychains. If the user actually used the keychain, you might want to just move it somewhere else rather than delete it.
------
Resetting Passwords
Yeah, the Installer DVD has the password reset utility.
Or you can boot to single-user mode or a FireWire drive and run (after fsck -fy and mount -uw /):
rm /var/db/.AppleSetupDone
reboot
At startup, it will run the setup assistant and let you create an admin user.
You can also mess with /var/db/shadow/hash. For example, you can back up a file in there and replace its contents with the hash of a password you know. Log in. Do what you want. Log out. Replace the file with the backup. You logged in as that user without needing to know their password.
------
Debugging
Try creating a new non-admin user and log in as that user. If it doesn't work, maybe the problem is permissions. So create a new admin user and log in as that user. If it still doesn't work, the problem is probably with the system.