Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Martin Kosek
On 02/12/2015 08:20 AM, Dmitri Pal wrote:
 On 02/12/2015 01:25 AM, Michael Lasevich wrote:
 Ok, after a few awkward questions from an auditor, I am starting to face the
 uncomfortable truth that my understanding about how FreeIPA works is a lot
 fuzzier than I would like.

 Specifically, the question I could not answer - where are the passwords
 stored and how are they encrypted? My understanding is that all
 authentication is handled by Kerberos server, which stores its data in LDAP -
 but where and how is a bit of a mystery to me. Any way to dump out the
 password hashes?
 
 Passwords are stored in LDAP in two different attributes per entry. One with
 LDAP password hash and another is Kerberos password hash allowing
 authentication either with Kerberos or LDAP. Both follow best practices in
 terms of using hash algorithms. The attributes themselves are protected by the
 access control instructions (ACI) so only a super privileged admin or user
 himself can interact with this attribute. During normal operations it is not
 fetched and read. The core of the DS processes it behind the closed doors so
 it is possible to reset but not to read.
 This is how LDAP works and not different from any modern directory server.

Right. To prove Dmitri's point, see the 2 LDAP searches for all user attributes
containing key material (samba* are used when trusts are enabled).

First search as FreeIPA admin user:

# ldapsearch -Y GSSAPI -b 'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' \
    uid userpassword krbprincipalkey sambalmpassword sambantpassword
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-f21.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


Second search with Directory Manager (god-like LDAP user):

# ldapsearch -D 'cn=Directory Manager' -x -w kokos123 \
    -b 'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' \
    uid userpassword krbprincipalkey sambalmpassword sambantpassword
# extended LDIF
#
# LDAPv3
# base uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
userpassword:: e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ=
 =
krbprincipalkey:: MIIBnKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES
 BBA/WWlaNF0nOG80QDFaPWhYoUkwR6ADAgESoUAEPiAAxQsFjSPBOpCollrI8ex+lVnTg8GrZV6nl
 baP3pZYoBtGVeQ3cBtYbl3usq9o+RIZfnNX2P8YZNlVmnjXMFigGzAZoAMCAQShEgQQL21HRSB6Pn
 ZdQXpeYl5sQqE5MDegAwIBEaEwBC4QANB2xAVgnL2o3n3u+KkFHaEcije2vOdRcGmtZlhdsRHsCbn
 y4/tydusWjrRxMGCgGzAZoAMCAQShEgQQUkckOF1SayxramRTWnkwUqFBMD+gAwIBEKE4BDYYAEo3
 1vjbSStevF5QcY7WDc1RwFZ6paLp3WTAFATJSej0r+M8fVeNDgKb4CZHRKsNu9cMmdUwWKAbMBmgA
 wIBBKESBBBCU1xDYmpxeHs6PGIkPi8voTkwN6ADAgEXoTAELhAATVwH6hkkO45W/Vmj0phXiDQe8j
 Eq11TRGiRHsYKUFtp/3lh89/gp5OuhIyo=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' | base64 --decode
{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
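Martin's second search returns userpassword as a base64 ("::") LDIF attribute folded over two lines, and it decodes to a {SSHA} value. As an added example, not code from the thread or from 389 Directory Server, the Python below unfolds that LDIF, splits the value into digest and salt by the scheme's digest size ({SSHA} is 389 DS's salted SHA-1; {SSHA256} and {SSHA512} are the other salted schemes passwordStorageScheme can select) and verifies a candidate password against a value built the same way. The make_ssha helper and its test password are constructed for the demonstration; the admin value from the thread is only parsed.

```python
import base64
import hashlib
import hmac
import os

# Salted-SHA schemes 389 Directory Server can store; {SSHA} is salted SHA-1.
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}

# Excerpt of the LDIF the thread shows for the Directory Manager search.
# "::" marks a base64 value; a leading space marks a folded continuation line.
LDIF = """dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
userpassword:: e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ=
 =
"""

def ldif_attrs(text):
    """Unfold LDIF continuation lines and decode '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line: append without its leading space
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "name:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def parse_ssha(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt); the digest size fixes the cut."""
    scheme, body = value[1:].split("}", 1)
    blob, n = base64.b64decode(body), SCHEMES[scheme.upper()]().digest_size
    return scheme.upper(), blob[:n], blob[n:]

def verify_ssha(value, candidate):
    """Recompute SHA(password || salt) and compare with the stored digest in constant time."""
    scheme, digest, salt = parse_ssha(value)
    return hmac.compare_digest(SCHEMES[scheme](candidate.encode() + salt).digest(), digest)

def make_ssha(password, scheme="SSHA256", salt_len=8):
    """Build a value in the same layout (digest || salt) for a constructed test password."""
    salt = os.urandom(salt_len)
    digest = SCHEMES[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
```

On the value above this reports scheme SSHA with a 20-byte digest and an 8-byte salt, which is the concrete answer to the auditor's "how are they hashed" question; a {SSHA512} value parses the same way with a 64-byte digest.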


Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Simo Sorce
On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
 On 02/12/2015 01:25 AM, Michael Lasevich wrote:
  Ok, after a few awkward questions from an auditor, I am starting to 
  face the uncomfortable truth that my understanding about how FreeIPA 
  works is a lot fuzzier than I would like.
 
  Specifically, the question I could not answer - where are the 
  passwords stored and how are they encrypted? My understanding is that 
  all authentication is handled by Kerberos server, which stores its 
  data in LDAP - but where and how is a bit of a mystery to me. Any way 
  to dump out the password hashes?
 
 Passwords are stored in LDAP in two different attributes per entry. One 
 with LDAP password hash and another is Kerberos password hash allowing 
 authentication either with Kerberos or LDAP. Both follow best practices 
 in terms of using hash algorithms. The attributes themselves are 
 protected by the access control instructions (ACI) so only a super 
 privileged admin or user himself can interact with this attribute. 
 During normal operations it is not fetched and read. The core of the DS 
 processes it behind the closed doors so it is possible to reset but not 
 to read.
 This is how LDAP works and not different from any modern directory server.

Keep in mind that the Kerberos keys are additionally encrypted with a
master password, so reading the attribute alone is useless.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Rich Megginson

On 02/12/2015 09:05 AM, Brad House wrote:
 On 02/12/2015 10:48 AM, Simo Sorce wrote:
  On Thu, 2015-02-12 at 07:38 -0800, Michael Lasevich wrote:
   Thank you, this is very helpful. I forgot about 'super admin', which is why
   I was not even seeing the values before. :-)

   How are the values encrypted (or hashed?)

   It sounds like the password is stored in two fields (I am leaving samba out
   for now) - userpassword and kerberos principal key.

   Is userpassword a hash?

  Yes.

   If so, what kind?

  Configurable, by default salted sha256 IIRC.

 Out of curiosity, where is this configurable?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy

This is the passwordStorageScheme attribute.

 Also, is it using it in
 conjunction with something like PBKDF2?

https://fedorahosted.org/389/ticket/397

 I'd love to know more info on this
 as we might want to increase the defaults ourselves.

 Thanks!
 -Brad





Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Simo Sorce
On Thu, 2015-02-12 at 07:38 -0800, Michael Lasevich wrote:
 Thank you, this is very helpful. I forgot about 'super admin', which is why
 I was not even seeing the values before. :-)
 
 How are the values encrypted (or hashed?)
 
 It sounds like the password is stored in two fields (I am leaving samba out
 for now) - userpassword and kerberos principal key.

  Is userpassword a hash?

Yes.

 If so, what kind?

Configurable, by default salted sha256 IIRC.

 KerberosPrincipalKey you mention is encrypted with
 Kerberos master key - is the plaintext of password encrypted or is it a
 hash that is encrypted?

All keys are hashes; they are stored in an ASN.1-encoded structure that
is then encrypted with the master key.

 What encryption and/or hashing is used for that?

It depends on the supported keys.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
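Simo's description of krbPrincipalKey, worked through on the krbprincipalkey value from Martin's Directory Manager search earlier in the thread, as an added example rather than code from the thread or from MIT Kerberos: a minimal DER walker that reports kvno, mkvno and, for each stored key, the enctype number, salt type, plaintext key length and ciphertext length. The field layout it assumes (KrbKeySet with kvno [2], mkvno [3] and keys [4]; KrbKey with salt [0] and key [1]; a 2-byte little-endian key-length prefix in front of the key encrypted under the KDB master key) is MIT's LDAP KDB encoding.

```python
import base64

# krbprincipalkey value from the Directory Manager search in the thread
# (LDIF folding removed). Enctype numbers per RFC 3961/3962/4757:
# 16 des3-cbc-sha1, 17 aes128-cts-hmac-sha1-96, 18 aes256-cts-hmac-sha1-96, 23 rc4-hmac.
KRB_KEY_B64 = (
    "MIIBnKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES"
    "BBA/WWlaNF0nOG80QDFaPWhYoUkwR6ADAgESoUAEPiAAxQsFjSPBOpCollrI8ex+lVnTg8GrZV6nl"
    "baP3pZYoBtGVeQ3cBtYbl3usq9o+RIZfnNX2P8YZNlVmnjXMFigGzAZoAMCAQShEgQQL21HRSB6Pn"
    "ZdQXpeYl5sQqE5MDegAwIBEaEwBC4QANB2xAVgnL2o3n3u+KkFHaEcije2vOdRcGmtZlhdsRHsCbn"
    "y4/tydusWjrRxMGCgGzAZoAMCAQShEgQQUkckOF1SayxramRTWnkwUqFBMD+gAwIBEKE4BDYYAEo3"
    "1vjbSStevF5QcY7WDc1RwFZ6paLp3WTAFATJSej0r+M8fVeNDgKb4CZHRKsNu9cMmdUwWKAbMBmgA"
    "wIBBKESBBBCU1xDYmpxeHs6PGIkPi8voTkwN6ADAgEXoTAELhAATVwH6hkkO45W/Vmj0phXiDQe8j"
    "Eq11TRGiRHsYKUFtp/3lh89/gp5OuhIyo="
)

def der_tlvs(buf):
    """Yield (tag, content) for each DER TLV in buf (short and long-form lengths)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length octets
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def tagged(seq):
    """Map each [n] context tag in a SEQUENCE to the single TLV content it explicitly wraps."""
    return {tag & 0x1F: next(der_tlvs(content))[1] for tag, content in der_tlvs(seq)}

def parse_krb_key_set(b64):
    """Return (kvno, mkvno, [(enctype, salttype, key_len, ciphertext_len), ...])."""
    fields = tagged(next(der_tlvs(base64.b64decode(b64)))[1])  # KrbKeySet SEQUENCE (assumed layout)
    kvno, mkvno = (int.from_bytes(fields[n], "big") for n in (2, 3))
    keys = []
    for _, krb_key in der_tlvs(fields[4]):  # keys [4] SEQUENCE OF KrbKey
        parts = tagged(krb_key)
        salttype = int.from_bytes(tagged(parts[0])[0], "big")  # salt [0] KrbSalt { type [0], ... }
        key = tagged(parts[1])  # key [1] EncryptionKey { keytype [0], keyvalue [1] }
        # keyvalue = 2-byte little-endian plaintext key length, then the key encrypted under the KDB master key
        key_len = int.from_bytes(key[1][:2], "little")
        keys.append((int.from_bytes(key[0], "big"), salttype, key_len, len(key[1]) - 2))
    return kvno, mkvno, keys
```

For every key the ciphertext is 28 bytes longer than the plaintext key (a 16-byte confounder plus a 12-byte HMAC-SHA1-96 tag, consistent with an AES master key), which is Simo's point that the attribute on its own yields no usable key; listing the enctypes this way is also how an auditor spots legacy des3 or rc4 keys still stored for a principal.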



Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Janelle


On 2/12/15 7:48 AM, Rich Megginson wrote:
 On 02/12/2015 08:38 AM, Michael Lasevich wrote:
  Thank you, this is very helpful. I forgot about 'super admin', which 
  is why I was not even seeing the values before. :-)

  How are the values encrypted (or hashed?)

  It sounds like the password is stored in two fields (I am leaving 
  samba out for now) - userpassword and kerberos principal key. Is 
  userpassword a hash? If so, what kind?

 Salted SHA 140 by default.  You can crank this all the way up to 
 Salted SHA 512.

Where would you change it to get sha512??

~J

Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Michael Lasevich
Thank you, this is very helpful. I forgot about 'super admin', which is why
I was not even seeing the values before. :-)

How are the values encrypted (or hashed?)

It sounds like the password is stored in two fields (I am leaving samba out
for now) - userpassword and kerberos principal key. Is userpassword a hash?
If so, what kind? KerberosPrincipalKey you mention is encrypted with
Kerberos master key - is the plaintext of password encrypted or is it a
hash that is encrypted? What encryption and/or hashing is used for that?

Thank you,

-M
On Feb 12, 2015 5:04 AM, Simo Sorce s...@redhat.com wrote:

 On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
  On 02/12/2015 01:25 AM, Michael Lasevich wrote:
   Ok, after a few awkward questions from an auditor, I am starting to
   face the uncomfortable truth that my understanding about how FreeIPA
   works is a lot fuzzier than I would like.
  
   Specifically, the question I could not answer - where are the
   passwords stored and how are they encrypted? My understanding is that
   all authentication is handled by Kerberos server, which stores its
   data in LDAP - but where and how is a bit of a mystery to me. Any way
   to dump out the password hashes?
 
  Passwords are stored in LDAP in two different attributes per entry. One
  with LDAP password hash and another is Kerberos password hash allowing
  authentication either with Kerberos or LDAP. Both follow best practices
  in terms of using hash algorithms. The attributes themselves are
  protected by the access control instructions (ACI) so only a super
  privileged admin or user himself can interact with this attribute.
  During normal operations it is not fetched and read. The core of the DS
  processes it behind the closed doors so it is possible to reset but not
  to read.
  This is how LDAP works and not different from any modern directory server.

 Keep in mind that the Kerberos keys are additionally encrypted with a
 master password, so reading the attribute alone is useless.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Rich Megginson

On 02/12/2015 08:38 AM, Michael Lasevich wrote:
 Thank you, this is very helpful. I forgot about 'super admin', which 
 is why I was not even seeing the values before. :-)

 How are the values encrypted (or hashed?)

 It sounds like the password is stored in two fields (I am leaving samba 
 out for now) - userpassword and kerberos principal key. Is userpassword 
 a hash? If so, what kind?

Salted SHA 140 by default.  You can crank this all the way up to Salted 
SHA 512.

 KerberosPrincipalKey you mention is encrypted with Kerberos master key 
 - is the plaintext of password encrypted or is it a hash that is 
 encrypted? What encryption and/or hashing is used for that?

 Thank you,

 -M

 On Feb 12, 2015 5:04 AM, Simo Sorce s...@redhat.com wrote:

  On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
   On 02/12/2015 01:25 AM, Michael Lasevich wrote:
    Ok, after a few awkward questions from an auditor, I am starting to
    face the uncomfortable truth that my understanding about how FreeIPA
    works is a lot fuzzier than I would like.

    Specifically, the question I could not answer - where are the
    passwords stored and how are they encrypted? My understanding is that
    all authentication is handled by Kerberos server, which stores its
    data in LDAP - but where and how is a bit of a mystery to me. Any way
    to dump out the password hashes?

   Passwords are stored in LDAP in two different attributes per entry. One
   with LDAP password hash and another is Kerberos password hash allowing
   authentication either with Kerberos or LDAP. Both follow best practices
   in terms of using hash algorithms. The attributes themselves are
   protected by the access control instructions (ACI) so only a super
   privileged admin or user himself can interact with this attribute.
   During normal operations it is not fetched and read. The core of the DS
   processes it behind the closed doors so it is possible to reset but not
   to read.
   This is how LDAP works and not different from any modern directory server.

  Keep in mind that the Kerberos keys are additionally encrypted with a
  master password, so reading the attribute alone is useless.

  Simo.

  --
  Simo Sorce * Red Hat, Inc * New York






Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Brad House

On 02/12/2015 10:48 AM, Simo Sorce wrote:
 On Thu, 2015-02-12 at 07:38 -0800, Michael Lasevich wrote:
  Thank you, this is very helpful. I forgot about 'super admin', which is why
  I was not even seeing the values before. :-)

  How are the values encrypted (or hashed?)

  It sounds like the password is stored in two fields (I am leaving samba out
  for now) - userpassword and kerberos principal key.

  Is userpassword a hash?

 Yes.

  If so, what kind?

 Configurable, by default salted sha256 IIRC.

Out of curiosity, where is this configurable?  Also, is it using it in
conjunction with something like PBKDF2?  I'd love to know more info on this
as we might want to increase the defaults ourselves.

Thanks!
-Brad



[Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Michael Lasevich
Ok, after a few awkward questions from an auditor, I am starting to face
the uncomfortable truth that my understanding about how FreeIPA works is a
lot fuzzier than I would like.

Specifically, the question I could not answer - where are the passwords
stored and how are they encrypted? My understanding is that all
authentication is handled by Kerberos server, which stores its data in LDAP
- but where and how is a bit of a mystery to me. Any way to dump out the
password hashes?

Thanks,

-M

Re: [Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Dmitri Pal

On 02/12/2015 01:25 AM, Michael Lasevich wrote:
 Ok, after a few awkward questions from an auditor, I am starting to 
 face the uncomfortable truth that my understanding about how FreeIPA 
 works is a lot fuzzier than I would like.

 Specifically, the question I could not answer - where are the 
 passwords stored and how are they encrypted? My understanding is that 
 all authentication is handled by Kerberos server, which stores its 
 data in LDAP - but where and how is a bit of a mystery to me. Any way 
 to dump out the password hashes?

Passwords are stored in LDAP in two different attributes per entry. One 
with LDAP password hash and another is Kerberos password hash allowing 
authentication either with Kerberos or LDAP. Both follow best practices 
in terms of using hash algorithms. The attributes themselves are 
protected by the access control instructions (ACI) so only a super 
privileged admin or user himself can interact with this attribute. 
During normal operations it is not fetched and read. The core of the DS 
processes it behind the closed doors so it is possible to reset but not 
to read.

This is how LDAP works and not different from any modern directory server.

 Thanks,

 -M

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
