Encoding and Decoding OS-X Auto-Login Password (/etc/kcpassword)

On OS-X, there is an option to allow the machine to automatically log a user in on boot. Obviously, this is pretty insecure: not only does it let any new 'owner' of your machine straight in, it also leaves an obfuscated copy of that password in /etc/kcpassword. (It is protected as root, but that is no help if the machine is booted single-user or from CD.)

Now there are (a very few) reasons you might want to use this feature. In our case, we want to bypass the login screen since we are passing through authentication from another system. To achieve this, we want to write the user's password to /etc/kcpassword, set a few loginwindow settings and restart loginwindow.

As I mentioned, kcpassword is just obfuscated. The format is simple and it only took an evening to decode. The password is XORed with a series of 11 bytes (not sure if they have any hidden meaning). If the password is longer than 11 bytes, the pattern is repeated. Interestingly, OS-X writes the file in multiples of 12 bytes. Any excess seems to be random data. I hope this is intentional obfuscation, not accidental reading of unallocated memory!

The following code just encodes the password, but since it is XORed, decoding is the same function. Just remember to strip the garbage after the null in the decoded string. That said, I can't think of any valid reason to decode a kcpassword.
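The author's Perl encoder is not reproduced on this page, so here is an added Python example (not the original code) that implements the format exactly as described above: XOR with a repeating 11-byte key, a NUL terminator, random filler, and padding to a multiple of 12 bytes. The key bytes are the ones publicly documented for kcpassword rather than quoted from this page, so treat them as an assumption.

```python
import os
from typing import Optional

# The 11-byte XOR key of the kcpassword format. The page only says "a series
# of 11 bytes"; these values are the publicly documented ones (assumption).
KC_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])
BLOCK = 12  # OS X writes the file in multiples of 12 bytes


def xor_key(data: bytes) -> bytes:
    """XOR every byte with the repeating 11-byte key. Self-inverse, so the
    same function both encodes and decodes."""
    return bytes(b ^ KC_KEY[i % len(KC_KEY)] for i, b in enumerate(data))


def encode_kcpassword(password: str, filler: Optional[bytes] = None) -> bytes:
    """Build the file contents: password, NUL terminator, then filler bytes
    so the total is a multiple of 12, all XORed with the key.

    `filler` defaults to random bytes (like the garbage OS X writes); pass
    fixed bytes only when you need deterministic output, e.g. in tests."""
    raw = password.encode("utf-8") + b"\x00"
    pad_len = (-len(raw)) % BLOCK          # 0 if raw is already a multiple of 12
    if filler is None:
        filler = os.urandom(pad_len)
    if len(filler) != pad_len:
        raise ValueError(f"filler must be exactly {pad_len} bytes")
    return xor_key(raw + filler)


def decode_kcpassword(blob: bytes) -> str:
    """Recover the password: apply the same XOR, then discard everything
    after the first NUL (the random padding)."""
    if not blob or len(blob) % BLOCK:
        raise ValueError("kcpassword length is not a multiple of 12")
    plain = xor_key(blob)
    nul = plain.find(b"\x00")
    if nul < 0:
        raise ValueError("no NUL terminator found; not a valid kcpassword")
    return plain[:nul].decode("utf-8")


if __name__ == "__main__":
    blob = encode_kcpassword("example")   # constructed sample password
    print(len(blob), blob.hex(), decode_kcpassword(blob))
```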

Have fun, and remember "sudo rm -f /etc/kcpassword" ...

Back to Gavin Brock's perl page