On Fri, 2014-02-28 at 14:42 +0000, Nordgren, Bryce L -FS wrote:
> > Caching credentials is disabled by default[1]. Even when credential caching
> > is enabled, the cache is only ever readable by root, the hashes are
> > *never* exposed to the system. FYI, the hash is a salted sha512.
>
> Ah. Much better.
>
> > What leads you to believe the cached credentials can be retrieved?
>
> --- RedHat sssd documentation from [2] ---
> Using a single user account. Remote users frequently have two (or even more)
> user accounts, such as one for their local system and one for the
> organizational system. This is necessary to connect to a virtual private
> network (VPN). Because SSSD supports caching and offline authentication,
> remote users can connect to network resources simply by authenticating to
> their local machine and then SSSD maintains their network credentials.
> --- End RedHat sssd documentation from [2] ---
>
> Presumably VPN does not accept a hash. Even if it does, gaining access to the
> hash gains you admission to the network as someone else.
>
> [2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm
Offline password caching is also optional and a different method. In this case
the actual password is maintained in the kernel keyring in locked memory until
the machine goes online and can acquire a TGT. On success it is deleted.

However, it doesn't really matter from an evil-root scenario, because evil-root
will have already snatched the password from the PAM stack at authentication
time.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
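An added example, not from the thread or from the sssd project: a small Python audit that reads an sssd.conf and reports, per domain, whether the two behaviours discussed above are switched on (the root-only hashed-credential cache, and the keyring-held password for offline use), plus a check that a cache path is in fact root-only. The option names `cache_credentials` and `krb5_store_password_if_offline` are real sssd domain options and `/var/lib/sss/db` is sssd's usual cache directory; the domain names and the sample config are constructed.

```python
import configparser
import os
import stat
# Constructed sssd.conf (not from the thread); the option names are real sssd
# domain options and both default to False.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
[domain/ipa.example.test]
id_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
[domain/ad.example.test]
id_provider = ad
"""

def audit_sssd_config(conf_text):
    """Per domain: is the hashed-credential cache on (cache_credentials) and is the
    cleartext password kept in the kernel keyring while offline
    (krb5_store_password_if_offline)? Domains not in [sssd] 'domains' are inactive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    listed = cp.get("sssd", "domains", fallback="")
    active = {d.strip() for d in listed.split(",") if d.strip()}
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        flag = lambda opt: cp.getboolean(section, opt, fallback=False)
        report[name] = {
            "active": name in active,
            "cache_credentials": flag("cache_credentials"),
            "store_password_if_offline": flag("krb5_store_password_if_offline"),
        }
    return report

def mode_exposes_cache(uid, mode):
    """True if a file owned by `uid` with permission bits `mode` is readable or
    writable by anyone other than root (the thread says the cache is root-only)."""
    return uid != 0 or bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def cache_db_exposed(path="/var/lib/sss/db"):
    """Check a real sssd cache path; None if it is absent (no sssd on this host)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return mode_exposes_cache(st.st_uid, stat.S_IMODE(st.st_mode))
```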