Thank you, this is very helpful. I forgot about 'super admin', which is why
I was not even seeing the values before. :-)

How are the the values encrypted (or hashed?)

It sounds like the password is stored in two fields(I am leaving samba out
for now) - userpassword andkerberos principle key. Is userpassword a hash?
Of so, what kind? KerberosPrincipleKey you mention is encrypted with
Kerberos master key - is the plaintext of password encrypted or is it a
hash that is encrypted? What encryption and or hashing used for that?

Thank you,

-M
On Feb 12, 2015 5:04 AM, "Simo Sorce" <s...@redhat.com> wrote:

> On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
> > On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> > > Ok, after a  few awkward questions from an auditor, I am starting to
> > > face the uncomfortable truth that my understanding about how FreeIPA
> > > works is a lot fuzzier than I would like.
> > >
> > > Specifically, the question I could not answer - where are the
> > > passwords stored and how are they encrypted? My understanding is that
> > > all authentication is handled by Kerberos server, which stores its
> > > data in LDAP - but where and how is a bit of a mystery to me. Any way
> > > to dump out the password hashes?
> >
> > Passwords are stored in LDAP in two different attributes per entry. One
> > with LDAP password hash and another is Kerberos password hash allowing
> > authentication either with Kerebros or LDAP. Both follow best practices
> > in terms of using hash algorithms. The attributes themselves are
> > protected by the access control instructions (ACI) so only a super
> > priviledged admin or user himself can interact with this attribute.
> > During normal operations it is not fetched and read. The core of the DS
> > processes it behind the closed doors so it is possible to reset but not
> > to read.
> > This is how LDAP works and not different from any modern directory
> server.
>
> Keep in mind that the Kerberos keys are additionally encrypted with a
> master password, so reading the attribute alone is useless.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to