On 02/12/2015 08:20 AM, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
>> Ok, after a  few awkward questions from an auditor, I am starting to face the
>> uncomfortable truth that my understanding about how FreeIPA works is a lot
>> fuzzier than I would like.
>>
>> Specifically, the question I could not answer - where are the passwords
>> stored and how are they encrypted? My understanding is that all
>> authentication is handled by Kerberos server, which stores its data in LDAP -
>> but where and how is a bit of a mystery to me. Any way to dump out the
>> password hashes?
> 
> Passwords are stored in LDAP in two different attributes per entry. One with
> LDAP password hash and another is Kerberos password hash allowing
> authentication either with Kerebros or LDAP. Both follow best practices in
> terms of using hash algorithms. The attributes themselves are protected by the
> access control instructions (ACI) so only a super priviledged admin or user
> himself can interact with this attribute. During normal operations it is not
> fetched and read. The core of the DS processes it behind the closed doors so 
> it
> is possible to reset but not to read.
> This is how LDAP works and not different from any modern directory server.

Right. To prove Dmitri's point, see the 2 LDAP searches for all user attributes
containing key material (samba* are used when trusts are enabled).

First search as FreeIPA admin user:

# ldapsearch -Y GSSAPI -b
'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword
krbprincipalkey sambalmpassword sambantpassword
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-f21.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


Second search with Directory Manager (god-like LDAP user):

# ldapsearch -D "cn=Directory Manager" -x -w kokos123 -b
'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword
krbprincipalkey sambalmpassword sambantpassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
userpassword:: e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ=
 =
krbprincipalkey:: MIIBnKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES
 BBA/WWlaNF0nOG80QDFaPWhYoUkwR6ADAgESoUAEPiAAxQsFjSPBOpCollrI8ex+lVnTg8GrZV6nl
 baP3pZYoBtGVeQ3cBtYbl3usq9o+RIZfnNX2P8YZNlVmnjXMFigGzAZoAMCAQShEgQQL21HRSB6Pn
 ZdQXpeYl5sQqE5MDegAwIBEaEwBC4QANB2xAVgnL2o3n3u+KkFHaEcije2vOdRcGmtZlhdsRHsCbn
 y4/tydusWjrRxMGCgGzAZoAMCAQShEgQQUkckOF1SayxramRTWnkwUqFBMD+gAwIBEKE4BDYYAEo3
 1vjbSStevF5QcY7WDc1RwFZ6paLp3WTAFATJSej0r+M8fVeNDgKb4CZHRKsNu9cMmdUwWKAbMBmgA
 wIBBKESBBBCU1xDYmpxeHs6PGIkPi8voTkwN6ADAgEXoTAELhAATVwH6hkkO45W/Vmj0phXiDQe8j
 Eq11TRGiRHsYKUFtp/3lh89/gp5OuhIyo=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' |
base64 --decode
{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to