On Fri, Feb 28, 2014 at 09:56:26AM -0500, Simo Sorce wrote:
> On Fri, 2014-02-28 at 14:42 +0000, Nordgren, Bryce L -FS wrote:
> > > Caching credentials is disabled by default. Even when credential
> > > caching is enabled, the cache is only ever readable by root, the hashes are
> > > *never* exposed to the system. FYI, the hash is a salted sha512.
> >
> > Ah. Much better.
> >
> > > What leads you to believe the cached credentials can be retrieved?
> >
> > --- RedHat sssd documentation from ---
> > Using a single user account. Remote users frequently have two (or even
> > more) user accounts, such as one for their local system and one for the
> > organizational system. This is necessary to connect to a virtual private
> > network (VPN). Because SSSD supports caching and offline authentication,
> > remote users can connect to network resources simply by authenticating to
> > their local machine and then SSSD maintains their network credentials.
> > ---End RedHat sssd documentation from ---
> >
> > Presumably VPN does not accept a hash. Even if it does, gaining access to
> > the hash gains you admission to the network as someone else.
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm
>
> Offline password caching is also optional and a different method.
> In this case the actual password is maintained in the kernel keyring in
> locked memory until the machine goes online and can acquire a TGT. On
> success it is deleted.
>
> However, it doesn't really matter from an evil-root scenario, because
> evil-root will have already snatched the password from the PAM stack at
> authentication time.
>
> Simo.

Right, just for completeness, the option that Simo describes is called krb5_store_password_if_offline.

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
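As an added example (not code from this thread or from the SSSD project): a small audit that reads an sssd.conf and reports, per domain, the two settings the thread names, cache_credentials (the root-only salted-hash cache) and krb5_store_password_if_offline (the keyring-held plaintext password), plus a permission check for the cache directory, assumed here to live at /var/lib/sss/db. The sssd.conf below is constructed for the example.

```python
import configparser
import stat

# Constructed sample sssd.conf (not from any real host): one domain caches
# the hashed credentials and also keeps the password for offline TGT
# acquisition, the other leaves both features at their default (off).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test, plain.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True

[domain/plain.test]
id_provider = ldap
auth_provider = krb5
cache_credentials = False
"""

def _truthy(value: str) -> bool:
    # sssd accepts true/false, yes/no and 1/0, case-insensitively
    return value.strip().lower() in ("true", "yes", "1")

def audit_sssd_conf(text: str) -> dict:
    """Return, per [domain/...] section, whether the hash cache and the
    offline password store are enabled. Missing keys mean off, which is
    the default the thread describes for credential caching."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        report[section[len("domain/"):]] = {
            "cache_credentials": _truthy(
                cp.get(section, "cache_credentials", fallback="false")),
            "krb5_store_password_if_offline": _truthy(
                cp.get(section, "krb5_store_password_if_offline", fallback="false")),
        }
    return report

def cache_dir_mode_ok(mode: int) -> bool:
    """The cache must stay readable by root only: reject any group/other
    bits. Feed it os.stat('/var/lib/sss/db').st_mode on a live host."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```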