On May 3, 2005, at 2:34 PM, Townsend, Trent W ERDC-ITL-MS wrote:

Does anyone know how to set the password in the NI database to a value that will effectively disable the account? I've read many articles online and in OS X books, and everything that is suggested does not work for me. Per DoD regulations, we are not allowed to have static account passwords on our systems (except the 1 admin user.) Thus we need to disable username/password access and configure CACs to allow access to that account. I would set the allowPasswordLogon value to 0, but then our admin account is of no value if something goes wrong in that case. If anyone has gotten this to work, please let me know how you accomplished it.

Thanks.
Trent

Trent Townsend
ERDC Major Shared Resource Center
601.634.4051
Trent,
As noted on pg. 47/48 of the jointly developed "Security Configuration Guide" from NSA's SNAC Team which can be downloaded from [ http://www.nsa.gov/snac/ ], you will see:
(this is in reference to the root account, just use the account of interest in your case)
1. Log into an administrator account and start the NetInfo Manager application found in /Applications/Utilities.
2. Click on the users item located in the second column at the top of the NetInfo Manager panel. This will open the list of users in the third column.
3. Click on the root item in the users column. The root user's properties and any associated values will appear in the bottom panel of the window (Figure 19).
4. Click on the lock in the lower left corner of the NetInfo Manager window. Type an administrator's short name and password into the authentication dialog that appears and click the OK button.
5. If the property authentication_authority is listed in the bottom list in the window, click on it to highlight that property.
6. Go to the top of the NetInfo Manager window and click the Delete icon to remove that property and value.
7. Double click on the value associated with the passwd property located in that bottom property list, and the value should become highlighted for editing. This value will be a single asterisk if the root password has never been set, and either a string of asterisks or a password hash if a password has been set for root. (Which of these appear as the value for passwd depends upon how the root account was enabled.)
8. Type a single asterisk ("*"), replacing the current value of the passwd property.
9. Click the lock icon in the lower left corner of the NetInfo Manager window to re-lock the window.
10. When the Confirm Modification dialog box appears, select Update this copy.
11. Quit the NetInfo Manager application. Root login is now disabled.
If you are needing more information regarding Smart Card use, that has been provided on this list a few times and the updated Setup & Configuration Guide for Mac OS X 10.4 will be coming out. If you need more info now, let me know.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government
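After applying the steps above to each account, an administrator under the "no static passwords" rule still has to verify that no account was missed. The script below is an added example for this thread, not code from either message or from the NSA guide they cite. It assumes the ten-field master.passwd layout (name:passwd:uid:gid:class:change:expire:gecos:home:shell) that `nidump passwd .` wrote out on NetInfo-era Mac OS X; that layout is an assumption here, and the records it parses are constructed sample data, not a real dump. It flags any account whose passwd value is not the single asterisk from step 8, and it treats a run of asterisks separately, since (as step 7 notes) that value means a password has been set and the hash lives outside the passwd field, which is exactly why step 6 deletes authentication_authority.

```python
"""Audit a passwd dump for accounts that still accept a static password.

Added example for this thread; not code from the messages above or from the NSA
Security Configuration Guide they cite. It assumes the ten-field master.passwd layout
(name:passwd:uid:gid:class:change:expire:gecos:home:shell) that `nidump passwd .` wrote
on NetInfo-era Mac OS X; that layout is an assumption here, and every record below is
constructed sample data, not a real system dump.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample records (not from a real host).
SAMPLE_DUMP = """\
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
admin:********:501:501::0:0:Site Admin:/Users/admin:/bin/bash
trent:$1$c0nstructed$notarealhashvalue:502:502::0:0:Trent:/Users/trent:/bin/bash
svc:*:503:503::0:0:Service:/var/empty:/usr/bin/false
"""


class Account(NamedTuple):
    name: str
    passwd: str
    uid: int
    shell: str


def parse_dump(text: str) -> List[Account]:
    """Parse master.passwd-style lines, skipping blanks and '#' comments."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
        accounts.append(Account(fields[0], fields[1], int(fields[2]), fields[9]))
    return accounts


def classify(passwd: str) -> str:
    """Map a passwd field to what it means for username/password logon.

    "disabled": a single "*" (the guide's step 8) matches no typed password.
    "shadowed": a run of asterisks means a password was set and its hash is
                stored elsewhere, selected by the authentication_authority
                property the guide deletes in step 6; NOT disabled yet.
    "empty":    no password at all; logon needs none.
    "hash":     a hash is stored in the passwd field itself; a static
                password still works.
    """
    if passwd == "*":
        return "disabled"
    if re.fullmatch(r"\*{2,}", passwd):
        return "shadowed"
    if passwd == "":
        return "empty"
    return "hash"


def audit(text: str, allowed: Set[str] = frozenset()) -> Dict[str, str]:
    """Return {name: status} for every account that still accepts a static
    password, excluding names in `allowed` (e.g. the one permitted admin)."""
    findings = {}
    for acct in parse_dump(text):
        status = classify(acct.passwd)
        if status != "disabled" and acct.name not in allowed:
            findings[acct.name] = status
    return findings


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_DUMP, allowed={"admin"}).items()):
        print(f"{name}: static password still possible ({status})")
```

Run against the constructed dump with `admin` on the allowed list, it reports only `trent` (a hash in the passwd field). Without the exception it also reports `admin` as shadowed, the case where the passwd field alone looks harmless but the account still has a password until authentication_authority is removed.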