This document describes how user authentication is handled in the ClearOS directory.
Authentication is tricky to manage, not for technical reasons but for social ones. On the one hand, we want to encourage end users to use a different password for every login they encounter on the network. On the other hand, that is a lot of passwords for most people to remember, and we all know that very few people follow this practice in the real world.
The default behavior for the ClearOS directory tries to balance security with pragmatism.
A ClearOS user account is created with a primary password and a public/private key pair. These credentials can be used for:
All locally installed software (e.g. Content Filter, Samba)
All locally installed software with key support (e.g. OpenVPN, SSH)
All cloud-based plugins/extensions with key support
Some ClearOS plugins and extensions extend into the cloud. Though passwords are encrypted during the authentication phase, this still won't protect against key-logging attacks. If someone has their credentials stolen while logging into an integrated cloud-based app (for example, Google Apps), we want to minimize the potential damage. This brings us to the final default behavior:
Not all passwords are created equal! To support the different password formats found in the wild, the ClearOS directory saves the primary password in several formats.
|NT Password|clearMicrosoftNTPassword|Microsoft NT password encryption|
|LanMan/LM Password|clearMicrosoftLanmanPassword|Microsoft LanMan encryption|
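
As an added example (not part of the ClearOS documentation or code), the audit sketch below reads a directory export and flags what the two formats in the table expose: LM hashes are weak and reveal passwords of 7 characters or fewer, and NT hashes are unsalted, so equal hashes mean equal passwords. It assumes an unfolded, non-base64 LDIF export in which both attributes hold 32-hex-digit hashes, as Samba's equivalent attributes do; the sample entries and the `parse_ldif` and `audit` names are constructed.

```python
# Constructed LDIF export; DNs and hash values are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=lan
uid: alice
clearMicrosoftNTPassword: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
clearMicrosoftLanmanPassword: 1122334455667788AAD3B435B51404EE

dn: uid=bob,ou=Users,dc=example,dc=lan
uid: bob
clearMicrosoftNTPassword: 0F1E2D3C4B5A69788796A5B4C3D2E1F0
clearMicrosoftLanmanPassword: 99AABBCCDDEEFF001020304050607080

dn: uid=carol,ou=Users,dc=example,dc=lan
uid: carol
clearMicrosoftNTPassword: A1B2C3D4E5F60718293A4B5C6D7E8F90
"""

# LM hashes each 7-character half separately; an empty half always yields this value.
LM_EMPTY_HALF = "AAD3B435B51404EE"

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[name.strip()] = value.strip()
        yield entry

def audit(text):
    """Return (uid, finding) pairs for weak stored password formats."""
    findings, by_nt = [], {}
    for e in parse_ldif(text):
        uid = e.get("uid", e.get("dn", "?"))
        lm = e.get("clearMicrosoftLanmanPassword", "").upper()
        if lm:
            findings.append((uid, "LM hash stored"))
            if lm[16:] == LM_EMPTY_HALF:
                findings.append((uid, "LM hash shows password of 7 characters or fewer"))
        nt = e.get("clearMicrosoftNTPassword", "").upper()
        if nt:
            by_nt.setdefault(nt, []).append(uid)
    for uids in by_nt.values():
        if len(uids) > 1:  # NT hashes are unsalted: equal hash means equal password
            for uid in uids:
                others = ", ".join(u for u in uids if u != uid)
                findings.append((uid, "NT hash shared with " + others))
    return findings
```

Calling `audit(SAMPLE_LDIF)` returns the findings as a list of `(uid, finding)` tuples that can be printed or fed into a report.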