On Fri, 2014-02-28 at 14:42 +0000, Nordgren, Bryce L -FS wrote:
> > Caching credentials is disabled by default[1]. Even when credential caching 
> > is
> > enabled, the cache is only ever readable by root, the hashes are
> > *never* exposed to the system. FYI, the hash is a salted sha512.
> Ah. Much better.
> > What leads you to believe the cached credentials can be retrieved?
> --- RedHat sssd documentation from [2] ---
> Using a single user account. Remote users frequently have two (or even more) 
> user accounts, such as one for their local system and one for the 
> organizational system. This is necessary to connect to a virtual private 
> network (VPN). Because SSSD supports caching and offline authentication, 
> remote users can connect to network resources simply by authenticating to 
> their local machine and then SSSD maintains their network credentials.
> ---End RedHat sssd documentation from [2] ---
> Presumably VPN does not accept a hash. Even if it does, gaining access to the 
> hash gains you admission to the network as someone else.
> [2] 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm

Offline password caching is also optional and a different method.
In this case the actual password is maintained in the kernel keyring in
locked memory until the machine goes online and can acquire a TGT. On
success it is deleted.

however it doesn't really matter from an evil-root scenario, because
evil-root will have already snatched the password from the PAM stack at
authentication time.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to