Aug 26, '05 08:35:00AM • Contributed by: Anonymous
As of Mac OS X 10.3, there are now different per-user behaviours of this function, based on the AuthenticationAuthority value stored for the queried user in DirectoryServices.
If the queried user is still a legacy crypt password user, or now has an AuthenticationAuthority value containing ";basic;", these routines will behave in their standard BSD fashion. These functions will "shadow" the password file, e.g. allow only certain programs to have access to the encrypted password. If the process which calls them has an effective uid of 0, the encrypted password will be returned, otherwise, the password field of the returned structure will point to the string '*'.
By default in Mac OS X 10.3 and later all users will have an AuthenticationAuthority will contain the value ";ShadowHash;". These users will have a visible password value of "********". These functions will have no access to the encrypted password whatsoever. Setting or changing an user password must be done entirely through the DirectoryService APIs for this default user.
Two workarounds for now are:
- Remove the <Limit GET> / </Limit> lines from /etc/cups/cupsd.conf (it appears this will allow administration without any authentication.)
- Switch back to crypt passwords. This can be done in Netinfo Manager by changing a user's 'AuthenticationAuthority' from ';ShadowHash;' to ';basic;' and using 'openssl passwd' to set the password. The following macosxhints article talks about this: 10.3: Using UW IMAP and SSL
The Radar bug tracking this is : 7F44: Cannot access CUPS web admin after Security Update 2004-04-05
[robg adds: I haven't tested this one, but note that it does not affect 10.4 and newer...]
