Trium Shockwave

About not being asked for password when screen sharing

I remember Adam mentioning being concerned that you're not always asked for your password when sharing another computer's screen. Part of it seemed to be related to .Mac, but there's actually something else going on too.

 

Leopard has changed the system used to authenticate users. They've removed the old NetInfo database, and moved to a local version of Directory Services, similar to what runs on servers. If you're not familiar with the idea, Directory Services (like Microsoft Active Directory, or Open Directory used by OS X Server) are used to store information about users, groups, and computers on a network. They're responsible for logging users into network user accounts, authenticating them to use services like file servers, and managing preferences. All these things are also done on your individual Mac, to log you in and decide what you can access. Now instead of NetInfo, Leopard does this with a system more similar to what's used by OS X Server.

 

Along with the new local directory services comes a more powerful method of actually authenticating users to the system, called Kerberos. Kerberos is able to create a single sign-on system, where you authenticate once and are automatically granted access to everything your account has rights to. When this system is in place, you don't need to put in your password every time you try to access something else. The way this is accomplished is that Kerberos issues you a ticket when you sign into it. As long as this ticket is still valid, you never have to put in a user name or password again for anything under the control of that Kerberos realm. What Leopard has done is actually have Kerberos running even on regular OS X client machines. The Kerberos here can only authenticate you to things on that one machine (rather than a whole network), but the principle is the same. Once you're issued a ticket, you don't need to sign in again until the ticket has expired or been purged (like by a reboot).

 

If you want to see this in action, connect to another computer via screen sharing in Leopard. You should then be able to launch the Kerberos application in /System/Library/Core Services to see a list of your Kerberos tickets.

 

So, rather than being less secure, authenticating to other machines in Leopard is actually more secure, since it's managed by the powerful Kerberos mechanism.
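An added example, not part of the original post: a small Python check that reads a ticket listing and reports which tickets would still let a session through without a password prompt at a given moment. The sample listing follows the layout printed by MIT Kerberos `klist`; its realm, principals and times are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout printed by MIT Kerberos `klist`;
# the realm, principals and times are made up for illustration.
SAMPLE_KLIST = """\
Ticket cache: API:Initial default ccache
Default principal: alice@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
11/02/07 09:00:00  11/02/07 19:00:00  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
11/02/07 09:05:12  11/02/07 19:00:00  vnc/otherhost.example@EXAMPLE.LOCAL
11/01/07 08:00:00  11/01/07 18:00:00  afpserver/otherhost.example@EXAMPLE.LOCAL
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"

def parse_tickets(text):
    """Return (default principal, list of ticket dicts) from klist text."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) != 5:
            continue  # blank line or anything that is not a ticket row
        try:
            start = datetime.strptime(" ".join(parts[0:2]), TIME_FMT)
            expires = datetime.strptime(" ".join(parts[2:4]), TIME_FMT)
        except ValueError:
            continue  # five-word header lines land here
        tickets.append({"service": parts[4], "start": start, "expires": expires})
    return principal, tickets

def usable_tickets(tickets, now):
    """Tickets that still authenticate without a password prompt at `now`."""
    return [t for t in tickets if t["start"] <= now < t["expires"]]

def time_left(ticket, now):
    """Remaining lifetime of a ticket, never negative."""
    return max(ticket["expires"] - now, timedelta(0))

if __name__ == "__main__":
    now = datetime(2007, 11, 2, 12, 0, 0)  # fixed clock so the run is repeatable
    who, tix = parse_tickets(SAMPLE_KLIST)
    for t in usable_tickets(tix, now):
        print(who, t["service"], "valid for another", time_left(t, now))
```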
