Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.6: Unlock screens using any admin password' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 04, '10 11:19:24AM

if only there was a way to let admin users masquerade as others through the OD login...

There's actually a pretty slick way of doing this: In OD, the password is stored via one level of indirection; a "pointer" to a password entry.

So:

  • save the value aside, for the account you need to log in as
  • overwrite it with one of your choosing (say, what's used for an admin account)
  • log in as that user to do what you need
  • restore the password with what was saved in the first step
Some enterprising person could code this up pretty quickly, to make it even simpler.

[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 02:48:28PM

Wait, how do you actually do the saving of the original password, though? As far as I can tell, there's no way to extract the actual password data from an account, especially when using Kerberos... am I missing something?



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 04, '10 02:56:41PM

Right; you can't read a password, but you CAN read/write the "pointer" to it, and that's all you need.



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 04, '10 08:29:16PM

Care to explain how to do this?



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 08, '10 12:37:28PM

It can be done via "Workgroup Manager" (GUI; does not require Mac OS X Server) or via command-line - look for the "AuthenticationAuthority" attributes.

It's "advanced" (you won't even see that attribute until you enable WorkGroup Manager's "Inspector") and all the standard warnings apply; you can make a mess of things at this level.



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: vengjence on Nov 05, '10 01:11:36AM
Does the difference cause it to not work? Is it that significant? I wonder because I totally dread these kinds of issues :(

[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: afingal on Nov 05, '10 12:14:08PM

Right, with Kerberos, the password information is not even on your machine. Your password is checked against a key server which assigns a Kerberos ticket to your session on the machine and it is only good for that session. You would have to either catch the action of authentication against the key server or crack the key server, itself. Without Kerberos, a password can be cracked with a chosen text attack, which is more or less difficult depending on the strength of the one way hashing algorithm used to encrypt the password and on how strong the user's password is. See my reply to one of the other messages below for more about this.



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: Unsoluble on Nov 05, '10 01:31:05PM

Right, which makes me wonder what mvgfr (above) is talking about.



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: mvgfr on Nov 08, '10 12:43:10PM

You simply replace the *reference* to the password (the text string in the AuthenticationAuthority attribute, if I recall), which tells OD where to find the password.

And then put the old *reference* back when you're done.

No actual passwords are read or changed.



[ Reply to This | # ]
10.6: Unlock screens using any admin password
Authored by: ghwelker on Nov 08, '13 04:42:56AM

I just upgraded to "Mavericks" and have 3 major issues with it:

First and foremost I lost my IMac admin. ID and password.

After trying everything I could, I still can't recover them, including using UNIX, as recommended on these sites:

http://www.hackmac.org/tutorials/decrypt-os-x-user-account-passwords/

http://www.hackmac.org/tutorials/how-to-create-a-new-administrator-account/

http://www.wikihow.com/Reset-a-Lost-Admin-Password-on-Mac-OS-X

http://osxdaily.com/2011/08/24/reset-mac-os-x-10-7-lion-password/

http://osxdaily.com/2010/08/10/forgot-mac-password-how-to-reset-mac-password/

http://support.apple.com/kb/HT4718[/B]

http://www.macworld.com/article/2056561/how-to-make-a-bootable-mavericks-install-drive.html

http://www.macworld.com/article/1167855/installing_mountain_lion_what_you_need_to_know.html

No matter how hard I try, it just doesn't work.

I thought I had when I used "resetpassword", but when I used it again it said: "Please use install disk which doesn't exist now".

Also, Safari 7.0 starts to come up, then quits. Only pace it worked was in "Recovery" mode.

Likewise when I want to print to a PDF file, "Preview" starts, then quits. It seems to run on it's own!

There may be "200" new and better features, but I haven't got to them yet!

I wanted to keep Mountain Lion, but wasn't given that choice on one of my two external drives, because they both were treated like backup drives!!

Any advice is deeply appreciated.

Thanks,

Glenn Welker

ghwelker3@comcast.net



[ Reply to This | # ]