> Caching credentials is disabled by default[1]. Even when credential caching is
> enabled, the cache is only ever readable by root, the hashes are
> *never* exposed to the system. FYI, the hash is a salted sha512.

Ah. Much better.

> What leads you to believe the cached credentials can be retrieved?

--- RedHat sssd documentation from [2] ---
Using a single user account. Remote users frequently have two (or even more) 
user accounts, such as one for their local system and one for the 
organizational system. This is necessary to connect to a virtual private 
network (VPN). Because SSSD supports caching and offline authentication, remote 
users can connect to network resources simply by authenticating to their local 
machine and then SSSD maintains their network credentials.
---End RedHat sssd documentation from [2] ---

Presumably VPN does not accept a hash. Even if it does, gaining access to the 
hash gains you admission to the network as someone else.

[2] 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm

Bryce
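To check the two claims in the quoted reply on a host of your own (caching is off unless `cache_credentials = True` is set in a domain section, and the cache databases are readable only by root), here is an added audit helper in Python. It is not code from the list post or from the SSSD project; it assumes the sssd.conf INI layout with `[domain/...]` sections and the `cache_credentials` key, and that the cache database files live under `/var/lib/sss/db`. The sample configuration and the files created in the demo are constructed.

```python
"""Audit helper: report which SSSD domains cache credentials and whether the
cache database files are exposed to non-root users.
Added example for illustration, not SSSD project code."""
import configparser
import os
import stat
import sys
import tempfile

# Constructed sample sssd.conf so the example runs offline; a real audit reads
# /etc/sssd/sssd.conf, which is itself root-only, so run the check as root.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test, nocache.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True

[domain/nocache.test]
id_provider = ldap
auth_provider = ldap
"""

# Default location of the SSSD cache databases (assumption: not relocated).
DEFAULT_CACHE_DIR = "/var/lib/sss/db"


def caching_domains(conf_text):
    """Return the names of [domain/...] sections with cache_credentials enabled.
    SSSD's default is off, so a domain that omits the key is not caching."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    enabled = []
    for section in cp.sections():
        if section.startswith("domain/") and cp.getboolean(
            section, "cache_credentials", fallback=False
        ):
            enabled.append(section[len("domain/"):])
    return enabled


def mode_findings(path, st_mode, st_uid, expected_uid=0):
    """Pure check on one cache file's stat() fields: it should be owned by the
    expected uid (root on a real host) and unreadable by group and others.
    Returns a list of human-readable findings; empty means no exposure."""
    findings = []
    if st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st_uid}, expected {expected_uid}")
    if st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path}: mode {stat.filemode(st_mode)} is readable by non-root users"
        )
    return findings


def audit_cache_dir(cache_dir, expected_uid=0):
    """Collect findings for every .ldb database in the cache directory."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".ldb"):
            continue
        path = os.path.join(cache_dir, name)
        st = os.stat(path)
        findings.extend(mode_findings(path, st.st_mode, st.st_uid, expected_uid))
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Real host: read the actual config and cache directory (needs root).
        with open("/etc/sssd/sssd.conf") as fh:
            print("domains caching credentials:", caching_domains(fh.read()))
        for line in audit_cache_dir(DEFAULT_CACHE_DIR):
            print(line)
    else:
        print("domains caching credentials:", caching_domains(SAMPLE_SSSD_CONF))
        # Demo against a constructed directory owned by the current user: one
        # file with the 0600 mode SSSD uses and one wrongly made world-readable.
        with tempfile.TemporaryDirectory() as tmp:
            for name, mode in (("cache_example.test.ldb", 0o600),
                               ("cache_bad.ldb", 0o644)):
                p = os.path.join(tmp, name)
                with open(p, "w"):
                    pass
                os.chmod(p, mode)
            for line in audit_cache_dir(tmp, expected_uid=os.getuid()):
                print(line)
```

Run it with no arguments to see the constructed demo report one exposed file, or with `--live` as root to audit the real `/etc/sssd/sssd.conf` and cache directory. A clean result (no caching domains, or caching domains whose `.ldb` files are root-owned and mode 0600) matches the behaviour the quoted reply describes.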

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
