Log into a switched-out fast user switching account

Dec 13, '04 09:44:00AM

Contributed by: Anonymous

If you open NetInfo Manager (in Applications -> Utilities) and navigate through the columns from / to users to a chosen username, one of the properties listed in the lower pane is passwd. In the early days of OS X, this property contained the password hash, but with the adoption of shadowed passwords the property now only displays ********. It no longer appears to contain any useful information, but apparently it still has an effect.

One observation was that if the passwd value for a user is changed to a single * and the changes saved, the user no longer appears in the login window. The account is not deactivated -- it is fully functional and requires the original password to log in. The result is some reduction of clutter in the login window, without having to go through the hassle of changing UIDs to values below 500. The user's name still appears in the "Fast User Switching" (FUS) menu. This modification appears to be stable through reboots.

A second observation was that deleting a user's passwd property altogether allows a user to "Fast User Switch" into that account without supplying a password. It does not matter if that user is logged in or not. This may be useful if a conscientious administrator needs to restart the computer, but wants to save a "switched out" user's open documents. To log in, choose the username from the FUS menu, and without entering a password, hit Return several times in rapid succession. If access is denied, cancel once and try again. Logging in through the "Login window" is not permitted.

Adding back the passwd property in NetInfo Manager (surprisingly?) results in restoration of the original password to the account. Caution: It may be necessary to enter an incorrect password once in the FUS menu before it stops accepting a blank password. One limitation is that this will not allow access to a FileVault-protected account if the user is not already logged in.

[robg adds: Although some may feel this is a security hole, I agree with the poster, who also wrote me offline -- it's not, because you have to already be logged in as an Admin to do any of this. And if you're already running as Admin, you can do much worse things than what's shown in this hint. The use of a single asterisk to hide a given user in the login window list seems quite interesting -- the only built-in method of doing this is to use the Accounts pane to disable the list completely. The method above would let you selectively hide just certain users...]
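To check a machine for the two passwd states described in this hint, here is an added example that is not part of the original hint. It assumes a tab-separated listing of name, uid and passwd, the layout expected from `nireport / /users name uid passwd`, and assumes a deleted property shows up as an empty or absent third field; `audit_users` and the sample records are constructed for illustration.

```python
# Added example: flag accounts in the two passwd states the hint describes.
# Assumptions: one "name<TAB>uid<TAB>passwd" record per line, and a deleted
# passwd property appearing as an empty or absent third field.

SAMPLE = (  # constructed records, not real output from any machine
    "root\t0\t********\n"
    "nobody\t-2\t*\n"
    "alice\t501\t********\n"
    "bob\t502\t*\n"
    "carol\t503\t\n"
    "dave\t504\n"
)


def audit_users(report, min_uid=500):
    """Return (name, state) pairs for regular accounts needing review.

    state is "missing" (blank-password Fast User Switching, per the hint)
    or "star" (hidden from the login window, per the hint).
    """
    findings = []
    for line in report.splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # not a user record
        name = fields[0]
        passwd = fields[2] if len(fields) > 2 else ""
        try:
            uid = int(fields[1])
        except ValueError:
            continue  # malformed uid, skip the record
        if uid < min_uid:
            continue  # system accounts normally carry "*" and are hidden anyway
        if passwd == "":
            findings.append((name, "missing"))
        elif passwd == "*":
            findings.append((name, "star"))
    return findings


if __name__ == "__main__":
    for name, state in audit_users(SAMPLE):
        print(f"{name}: passwd property is {state}")
```
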

Mac OS X Hints
http://hints.macworld.com/article.php?story=20041209022854276