User Accounts

Revised: 2014-01-27 richard

Class Videos

January 11, 2008

Class Notes from January 11th, 2008

"Enabling" the root user really means giving the root user a password.  The root user is always there.  It can't be removed (and expect the OS to still work).

/etc/passwd
/etc/master.passwd

Use Directory Access (10.4) or Directory Utility (10.5) to enable the BSD (flat file) directory.

man 5 passwd

NetInfo and dslocal

dscl & NetInfo Manager

--------

What makes an "admin" user admin?  The Admin group and these 3 things:

/etc/sudoers
/etc/authorization
General file permissions (GID 80 is the admin group; /Library and /Applications are group-writable by admin)
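To check the third point on an actual machine, here is a small POSIX shell audit (an added example, not part of the class notes) that reports whether a directory is owned by a given group and has the group-write bit set.  It only parses ls output, so it runs on any Unix; the group name admin and the two directories /Library and /Applications come from the notes above, and the function names are my own.

```shell
#!/bin/sh
# Added example: report which directories a group (admin, GID 80, on OS X) can write to.
# Only ls -ld output is used, so the check is portable across OS X and other Unixes.

# group_writable DIR GROUP -> 0 if DIR is owned by GROUP and has the group-write bit,
#                             1 if not, 2 if DIR cannot be listed
group_writable() {
    dir=$1
    group=$2
    out=$(ls -ld "$dir" 2>/dev/null) || return 2
    # ls -ld prints: mode links owner group size date name
    set -- $out
    mode=$1
    owner_group=$4
    [ "$owner_group" = "$group" ] || return 1
    # the group-write bit is the 6th character of the mode string (e.g. drwxrwxr-x);
    # the trailing * allows the @ or + that ls appends for xattrs / ACLs
    case "$mode" in
        ?????w????*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_group_writable GROUP DIR... -> one report line per directory
audit_group_writable() {
    group=$1
    shift
    for d in "$@"; do
        if group_writable "$d" "$group"; then
            printf '%s: writable by group %s\n' "$d" "$group"
        else
            printf '%s: NOT writable by group %s\n' "$d" "$group"
        fi
    done
}

# On OS X the notes' two directories would be checked with:
#   audit_group_writable admin /Library /Applications
```

Run audit_group_writable with any other directories you care about (for example a deployed /Applications/Utilities) to see exactly what an admin-group member can modify without sudo.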

--------

The default home folder comes from:

/System/Library/User Template/English.lproj

Modify it at will.  Keep a backup copy though.

------

Passwords

OFPW

sudo nvram security-mode
sudo nvram security-password

To disable
sudo nvram security-mode=none

To enable
sudo nvram security-mode=command

OFPW Utility (on the installer DVD)

On PPC, at the Open Firmware prompt during boot (hold down Command-Option-O-F), type:

set-env security-mode none

You will need to supply the password.

User passwords

/var/db/shadow/hash
The files are named after the UUID attribute for the user record.

Auto login password is at
/etc/kcpassword

The file that controls autologin is
/Library/Preferences/com.apple.loginwindow.plist

You can quickly change passwords with ARD (Apple Remote Desktop) with the Send Unix Command by replacing the contents of the files in /var/db/shadow/hash.  You can change the autologin password by replacing the contents of /etc/kcpassword.  You can quickly change the open firmware password by running the command nvram security-password=.....

How?  Change the passwords on one machine.  Open the file (or run nvram security-password), copy the contents, and run the ARD commands:

nvram security-password=paste encrypted password

echo -n paste encrypted password > /var/db/shadow/hash/the_file_you_want_to_change

The file you want to change above is the UUID that corresponds to the user you want to change.

To set autologin via ARD for a bunch of computers (that have the same user account and password--like an imaged computer), first log in as the user you want to have autologin enabled.  Open System Preferences and set up autologin.  Then run this command:

cat /etc/kcpassword | perl -ne 'print unpack "H*", $_'

Take that output and replace the "xxx" below with it, and replace "mac" and 501 with the username and UID of the user.  Then run this on all the computers:

perl -e 'print pack "H*", "hex output from above goes here xxx"' >/etc/kcpassword
chmod 600 /etc/kcpassword
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser mac
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUserUID 501
defaults write /Library/Preferences/com.apple.loginwindow lastUser Restart
killall loginwindow

That will initiate autologin.  To undo, just delete /etc/kcpassword and kill loginwindow again.  You could get fancier if you created the /var/db/shadow/hash/ file AND the kcpassword file.  You could even back up the old user's password and then login as that user without knowing or changing the password (you have root naturally).  This wouldn't work for file vault encrypted accounts though.

You could check out this too: http://www.brock-family.org/gavin/perl/kcpassword.html

-

10.5 has a guest user.  The home folder is blown away at login.  It requires no password to use.  It is disabled by default.

The "Master Password" (not /etc/master.passwd) is a master key that unlocks encrypted home folders (File Vault).  The password is stored at:

/Library/Keychains/FileVaultMaster.keychain
The pref for it is at /var/root/Library/Preferences/com.apple.security.plist

User Keychains.  The one thing I want to say about this is that if a user doesn't know their keychain password, delete the user's keychain.  A new one will be created at the next login.  The keychain file is stored in ~/Library/Keychains.  If the user actually used the keychain, you might want to just move it somewhere else rather than delete it.

------

Resetting Passwords

Yeah, the Installer DVD has the password reset utility.

Or you can boot into single-user mode (or from a FireWire drive) and run (after fsck -fy and mount -uw /):

rm /var/db/.AppleSetupDone
reboot

At startup, it will run the setup assistant and let you create an admin user.

You can also mess with /var/db/shadow/hash.  For example, you can back up a file in there and replace the contents with a password you know.  Log in.  Do what you want.  Log out.  Replace the original file with the backup.  You logged in as that user without needing to know their password.

------

Debugging

Try creating a new non-admin user and log in as that user.  If it doesn't work, maybe the problem is permissions.  So create a new admin user and log in as that user.  If it still doesn't work, the problem is probably with the system.