Question: Network user: plain text PWs in client log?!
I was debugging a MBP (10.7.3) that would not allow network users to login, when I've stumbled over a log line on the client:
The last parameter "passwordAsUTF8String" containes the password of the user I've tried to login in plain text. Huh?
I've tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.
This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extration in single user mode would be possible as well.
Is this a "speciality" of our environment or is this a known bug? Can I turn this behavior off?
We are running Lion clients with a SL Server and using OpenDirectory.
Mac OS X Server-OTHER, Mac OS X (10.7.3), Open Directory, Network User