Archive for March, 2008

newsyslog – Automatic rolling of logfiles

After installing Leopard Server and ISC DHCPD, I had an itch: the logfile that I created (/var/log/dhcpd.log) was not getting rolled like the other logs. I started looking into how Apple does this, and found a nice utility that is new in Leopard, although not new to the UNIX world… newsyslog.

Read on for more…


Creating a shadow hash file

When creating an image, you typically have user creation as part of the build process. If you're doing this as part of an install and capture (aka the "Old Way"), you simply create the user in the Setup Assistant, or use SysPrefs after the install to set it up.

Under Leopard, we have the very intriguing possibility of simply creating a series of files in the /var/db/dslocal folder structure, which is very easy to reproduce. This is especially handy for a package-based, non-interactive imaging process like our friend InstaDMG. The problem is creating the password. You obviously can't run the passwd(1) command, since that would change passwords on the machine you are building on. You need to create a shadow hash file that contains the password. In Leopard and Tiger, this file can contain quite a few password hash types, but the standard type is a salted SHA1 digest of the password (the salt is a random 4-byte integer).

Most people in the past have simply created a new account with the associated password and saved the resulting hash file in the folder. This works, but it results in a shadow file that is identical every time. Since the hash is salted with a random integer, we can generate a new hash any time we want and still have the same password. This way, over time, even if the passwords are the same, the hashes will be different. This is also why, if you compare hash files made from the same password, you may still get very different hashes.

I have created a simple PHP script that takes one parameter, a string password. It then writes to standard output a string that is suitable to be saved as a password hash file. The resulting string can be redirected to a file whose name is the GUID of the user whose password you wish to save. This hash file format is valid for 10.4 and 10.5.
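As an added example (not the author's PHP script), the salted-SHA1 field described above in Python, together with a verifier that shows why two files made from the same password differ yet both check out. The field layout (8 hex chars of salt followed by 40 hex chars of SHA1(salt || password)), lowercase hex and UTF-8 encoding of the password are assumptions; the other fields of the full hash file are not produced here.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 4                                              # "a random 4 byte integer"
FIELD_LEN = (SALT_LEN + hashlib.sha1().digest_size) * 2   # 8 + 40 hex chars = 48


def salted_sha1_field(password: str, salt: Optional[bytes] = None) -> str:
    """Build the salted-SHA1 field: hex(salt) + hex(SHA1(salt || password)).
    Layout assumed (salt first, digest second, lowercase hex). A fresh random
    salt is drawn on every call unless one is supplied, which is why two
    files generated from the same password never look alike."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + digest


def split_field(field: str) -> Tuple[bytes, str]:
    """Split a stored field into (salt bytes, digest hex); ValueError on garbage."""
    if len(field) != FIELD_LEN:
        raise ValueError(f"expected {FIELD_LEN} hex chars, got {len(field)}")
    salt = bytes.fromhex(field[: SALT_LEN * 2])           # ValueError if not hex
    return salt, field[SALT_LEN * 2 :].lower()


def verify(field: str, candidate: str) -> bool:
    """Check a candidate password against a stored field using a constant-time
    comparison. A malformed field verifies as False instead of raising."""
    try:
        salt, digest = split_field(field)
    except ValueError:
        return False
    expected = salted_sha1_field(candidate, salt)[SALT_LEN * 2 :]
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    pw = "correct horse"                                   # constructed sample password
    a, b = salted_sha1_field(pw), salted_sha1_field(pw)
    print(a)
    print(b)
    print("different:", a != b, "both verify:", verify(a, pw) and verify(b, pw))
```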

In the future, I plan on making a script that automates the creation of this directory structure so it is suitable for packaging/automation on a non-booted volume. Obviously, if this were a booted volume, you'd just use dscl/passwd and be done with it.

Check out the script here

Comments/suggestions welcome.
