Hello K.,

SSSD implements two different caching options: one to allow offline logins, and one to allow grabbing a Kerberos ticket after an offline login once a KDC is reachable. This second option is krb5 specific.
To allow offline logins, after a successful authentication attempt against a remote server, the user password is hashed with a strong hash and stored in a dedicated database that is accessible only by SSSD. The password is never stored on disk in the clear and is not directly accessible to users; only root can retrieve the hash, which then has to be brute forced.

To allow acquiring an online krb5 ticket when authentication happened offline, you can optionally turn on credential caching. In this case the actual user password is stored securely in the kernel keyring. Only SSSD can access it, and the password is removed permanently as soon as a ticket is successfully acquired or the server returns an authentication error that indicates the credentials are invalid (this may happen if the user changes their password via a second device while the first is offline). In this case the password is protected by the kernel in memory and is never swapped to disk.

HTH,
Simo.

On Thu, 2018-08-09 at 11:50 +0200, [email protected] wrote:
> Hello!
>
> We are deploying SSSD for authentication with an LDAP backend, and we
> are getting pushback from our Security colleagues about using SSSD to
> cache user credentials.
>
> I would like to have some documentation to show them how this cache is
> kept secure... where can I find information to support this?
>
> Thanks!
>
> K.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/RJFRKFQ45SMVSEZXNJICSQEYJXGECYEA/

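The two caching options Simo describes map onto two separate `sssd.conf` settings. The fragment below is an added example, not from the thread or the SSSD project; the option names come from the sssd.conf man page, and the server hostnames, domain name and expiration value are placeholders chosen for illustration.

```ini
# /etc/sssd/sssd.conf (constructed example; hostnames and domain are placeholders)
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.test
krb5_server = kdc.example.test
krb5_realm = EXAMPLE.TEST

# Option 1: offline logins.
# After a successful online authentication, SSSD stores a strong hash of the
# password in its own root-only cache database, never the cleartext password.
cache_credentials = True
# Days a cached hash stays usable for offline login (0 = never expires).
# Constructed value: require a fresh online login at least every 30 days.
offline_credentials_expiration = 30

# Option 2 (krb5 specific): obtain a ticket after an offline login.
# SSSD keeps the real password in the kernel keyring, in memory only, until a
# TGT is acquired or the KDC rejects the credentials; it is then discarded.
# Leave this at its default (False) if the keyring copy is not acceptable.
krb5_store_password_if_offline = True
```

Without `krb5_store_password_if_offline`, an offline login still succeeds via the hashed cache, but no Kerberos ticket is obtained automatically once the KDC becomes reachable again.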