On 02/12/2015 08:38 AM, Michael Lasevich wrote:
Thank you, this is very helpful. I forgot about 'super admin', which
is why I was not even seeing the values before. :-)
How are the the values encrypted (or hashed?)
It sounds like the password is stored in two fields(I am leaving samba
out for now) - userpassword andkerberos principle key. Is userpassword
a hash? Of so, what kind?
Salted SHA 140 by default. You can crank this all the way up to Salted
SHA 512.
KerberosPrincipleKey you mention is encrypted with Kerberos master key
- is the plaintext of password encrypted or is it a hash that is
encrypted? What encryption and or hashing used for that?
Thank you,
-M
On Feb 12, 2015 5:04 AM, "Simo Sorce" <s...@redhat.com
<mailto:s...@redhat.com>> wrote:
On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> > Ok, after a few awkward questions from an auditor, I am
starting to
> > face the uncomfortable truth that my understanding about how
FreeIPA
> > works is a lot fuzzier than I would like.
> >
> > Specifically, the question I could not answer - where are the
> > passwords stored and how are they encrypted? My understanding
is that
> > all authentication is handled by Kerberos server, which stores its
> > data in LDAP - but where and how is a bit of a mystery to me.
Any way
> > to dump out the password hashes?
>
> Passwords are stored in LDAP in two different attributes per
entry. One
> with LDAP password hash and another is Kerberos password hash
allowing
> authentication either with Kerebros or LDAP. Both follow best
practices
> in terms of using hash algorithms. The attributes themselves are
> protected by the access control instructions (ACI) so only a super
> priviledged admin or user himself can interact with this attribute.
> During normal operations it is not fetched and read. The core of
the DS
> processes it behind the closed doors so it is possible to reset
but not
> to read.
> This is how LDAP works and not different from any modern
directory server.
Keep in mind that the Kerberos keys are additionally encrypted with a
master password, so reading the attribute alone is useless.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
