On Fri, Feb 28, 2014 at 09:56:26AM -0500, Simo Sorce wrote:
> On Fri, 2014-02-28 at 14:42 +0000, Nordgren, Bryce L -FS wrote:
> > > Caching credentials is disabled by default[1]. Even when credential 
> > > caching is
> > > enabled, the cache is only ever readable by root, the hashes are
> > > *never* exposed to the system. FYI, the hash is a salted sha512.
> > 
> > Ah. Much better.
> > 
> > > What leads you to believe the cached credentials can be retrieved?
> > 
> > --- RedHat sssd documentation from [2] ---
> > Using a single user account. Remote users frequently have two (or even 
> > more) user accounts, such as one for their local system and one for the 
> > organizational system. This is necessary to connect to a virtual private 
> > network (VPN). Because SSSD supports caching and offline authentication, 
> > remote users can connect to network resources simply by authenticating to 
> > their local machine and then SSSD maintains their network credentials.
> > ---End RedHat sssd documentation from [2] ---
> > 
> > Presumably VPN does not accept a hash. Even if it does, gaining access to 
> > the hash gains you admission to the network as someone else.
> > 
> > [2] 
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm
> 
> 
> Offline password caching is also optional and a different method.
> In this case the actual password is maintained in the kernel keyring in
> locked memory until the machine goes online and can acquire a TGT. On
> success it is deleted.
> 
> However, it doesn't really matter from an evil-root scenario, because
> evil-root will have already snatched the password from the PAM stack at
> authentication time.
> 
> Simo.

Right, just for completeness, the option that Simo describes is called
krb5_store_password_if_offline.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users