On 02/12/2015 08:20 AM, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
>> Ok, after a few awkward questions from an auditor, I am starting to face the
>> uncomfortable truth that my understanding about how FreeIPA works is a lot
>> fuzzier than I would like.
>>
>> Specifically, the question I could not answer - where are the passwords
>> stored and how are they encrypted? My understanding is that all
>> authentication is handled by Kerberos server, which stores its data in LDAP -
>> but where and how is a bit of a mystery to me. Any way to dump out the
>> password hashes?
>
> Passwords are stored in LDAP in two different attributes per entry. One with
> the LDAP password hash and another with the Kerberos password hash, allowing
> authentication either with Kerberos or LDAP. Both follow best practices in
> terms of using hash algorithms. The attributes themselves are protected by the
> access control instructions (ACI) so only a super privileged admin or the user
> himself can interact with this attribute. During normal operations it is not
> fetched and read. The core of the DS processes it behind closed doors so it
> is possible to reset but not to read.
> This is how LDAP works and not different from any modern directory server.
Right. To prove Dmitri's point, see the 2 LDAP searches for all user attributes
containing key material (samba* are used when trusts are enabled).

First search as FreeIPA admin user:

# ldapsearch -Y GSSAPI -b 'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword krbprincipalkey sambalmpassword sambantpassword
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Second search with Directory Manager (god-like LDAP user):

# ldapsearch -D "cn=Directory Manager" -x -w kokos123 -b 'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword krbprincipalkey sambalmpassword sambantpassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#

# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
userpassword:: e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ=
 =
krbprincipalkey:: MIIBnKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES
 BBA/WWlaNF0nOG80QDFaPWhYoUkwR6ADAgESoUAEPiAAxQsFjSPBOpCollrI8ex+lVnTg8GrZV6nl
 baP3pZYoBtGVeQ3cBtYbl3usq9o+RIZfnNX2P8YZNlVmnjXMFigGzAZoAMCAQShEgQQL21HRSB6Pn
 ZdQXpeYl5sQqE5MDegAwIBEaEwBC4QANB2xAVgnL2o3n3u+KkFHaEcije2vOdRcGmtZlhdsRHsCbn
 y4/tydusWjrRxMGCgGzAZoAMCAQShEgQQUkckOF1SayxramRTWnkwUqFBMD+gAwIBEKE4BDYYAEo3
 1vjbSStevF5QcY7WDc1RwFZ6paLp3WTAFATJSej0r+M8fVeNDgKb4CZHRKsNu9cMmdUwWKAbMBmgA
 wIBBKESBBBCU1xDYmpxeHs6PGIkPi8voTkwN6ADAgEXoTAELhAATVwH6hkkO45W/Vmj0phXiDQe8j
 Eq11TRGiRHsYKUFtp/3lh89/gp5OuhIyo=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' | base64 --decode
{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
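Added example (not from the thread, and not FreeIPA or 389-DS project code) showing the two layers Martin's base64 decode peels back: ldapsearch prints a non-printable attribute value base64-encoded after "::" (wrapping long values onto continuation lines that start with a single space), and the decoded userPassword is an {SSHA} string whose base64 body is sha1(password + salt) followed by the salt, the layout 389-DS and OpenLDAP use for that scheme. The entry, the uid "alice", the base DN dc=example,dc=test, the password and the fixed salt are all constructed for the example; the only value taken from the thread is the userpassword line Martin decoded, used here just to show the same decode.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # sha1 digest length; whatever follows it in the blob is the salt


def unwrap_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_value(line):
    """Return (attribute, raw bytes) for one unwrapped LDIF line.

    'attr:: <b64>' means the value is base64-encoded; 'attr: <text>' is literal.
    """
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip())
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip().encode()


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way the directory stores it: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode()


def parse_ssha(value):
    """Split an {SSHA} value into (digest, salt)."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(SSHA_PREFIX):])
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(value, candidate):
    """What an LDAP simple bind does server-side: re-hash the candidate with the stored salt and compare."""
    digest, salt = parse_ssha(value)
    computed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def ldif_entry_for(uid, password, salt):
    """Constructed LDIF snippet in the shape ldapsearch printed in the thread (base DN is made up)."""
    b64 = base64.b64encode(make_ssha(password, salt).encode()).decode()
    # wrap like ldapsearch does: the remainder goes on a continuation line with a leading space
    first, rest = b64[:60], b64[60:]
    wrapped = "userpassword:: " + first + ("\n " + rest if rest else "")
    return "dn: uid=%s,cn=users,cn=accounts,dc=example,dc=test\nuid: %s\n%s\n" % (uid, uid, wrapped)


def demo():
    """Round trip: emit an entry, parse it back, verify the right and a wrong password."""
    entry = ldif_entry_for("alice", "correct horse", b"saltsalt")  # constructed sample
    values = dict(ldif_value(line) for line in unwrap_ldif(entry) if line)
    stored = values["userpassword"].decode()
    return check_ssha(stored, "correct horse"), check_ssha(stored, "wrong")


if __name__ == "__main__":
    print(demo())
```

The point for an auditor's question is the layering, not the base64: the outer encoding is LDIF presentation only, and the inner value is a salted digest, so the directory can verify a bind and reset the value but cannot hand the password back. The hash scheme itself is a server-side storage setting; the example only handles the {SSHA} form visible in the thread.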
