Thank you, this is very helpful. I forgot about 'super admin', which is why I was not even seeing the values before. :-)
How are the values encrypted (or hashed)? It sounds like the password is stored in two fields (I am leaving Samba out for now): userPassword and the Kerberos principal key. Is userPassword a hash? If so, what kind? The Kerberos principal key you mention is encrypted with the Kerberos master key. Is the plaintext of the password encrypted, or is it a hash that is encrypted? What encryption and/or hashing is used for that?

Thank you,

-M

On Feb 12, 2015 5:04 AM, "Simo Sorce" <[email protected]> wrote:

> On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
> > On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> > > Ok, after a few awkward questions from an auditor, I am starting to
> > > face the uncomfortable truth that my understanding about how FreeIPA
> > > works is a lot fuzzier than I would like.
> > >
> > > Specifically, the question I could not answer - where are the
> > > passwords stored and how are they encrypted? My understanding is that
> > > all authentication is handled by Kerberos server, which stores its
> > > data in LDAP - but where and how is a bit of a mystery to me. Any way
> > > to dump out the password hashes?
> >
> > Passwords are stored in LDAP in two different attributes per entry. One
> > with LDAP password hash and another is Kerberos password hash allowing
> > authentication either with Kerberos or LDAP. Both follow best practices
> > in terms of using hash algorithms. The attributes themselves are
> > protected by the access control instructions (ACI) so only a super
> > privileged admin or user himself can interact with this attribute.
> > During normal operations it is not fetched and read. The core of the DS
> > processes it behind the closed doors so it is possible to reset but not
> > to read.
>
> This is how LDAP works and not different from any modern directory
> server.
>
> Keep in mind that the Kerberos keys are additionally encrypted with a
> master password, so reading the attribute alone is useless.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
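The "is userPassword a hash, and of what kind?" question above can be answered from the attribute value itself. 389 Directory Server, the LDAP server under FreeIPA, stores userPassword in the RFC 2307 convention `{SCHEME}base64-data`, so the scheme prefix names the algorithm. The following is an added example, not code from this thread, from FreeIPA or from 389 DS: it reports the scheme for a set of values (useful when an auditor asks what is in use) and, for the salted-SHA family whose decoded payload is digest followed by salt, verifies a password the auditor already knows. It makes no claim about which scheme a particular FreeIPA deployment uses; every value in it is constructed, and the krbPrincipalKey attribute is out of scope because, as Simo notes, it is additionally encrypted with the Kerberos master key.

```python
"""Identify and verify RFC 2307-style userPassword values (added example)."""
import base64
import hashlib
import hmac
import os
import re

# Salted SHA schemes whose payload layout is digest || salt.
# Other schemes (e.g. PBKDF2_SHA256) are identified but not verified here.
SALTED_SHA = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA384": hashlib.sha384,
    "SSHA512": hashlib.sha512,
}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)


def identify_scheme(value):
    """Return the scheme name from a '{SCHEME}...' value, or None when there
    is no prefix (which means the value is stored in the clear)."""
    m = _SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def make_salted_sha(password, scheme="SSHA", salt=None):
    """Build a {SSHA*} value: base64(H(password || salt) || salt).
    Used here only to construct sample values for the demonstration."""
    digest = SALTED_SHA[scheme]
    salt = os.urandom(8) if salt is None else salt
    h = digest(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(h + salt).decode("ascii"))


def verify_salted_sha(stored, candidate):
    """Check a known candidate password against a stored {SSHA*} value.
    Raises ValueError for schemes this helper does not handle."""
    m = _SCHEME_RE.match(stored)
    scheme = m.group(1).upper() if m else None
    if scheme not in SALTED_SHA:
        raise ValueError("unsupported or missing scheme: %r" % scheme)
    digest = SALTED_SHA[scheme]
    raw = base64.b64decode(m.group(2))
    size = digest().digest_size
    h, salt = raw[:size], raw[size:]          # digest first, salt after it
    expected = digest(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(h, expected)   # constant-time comparison


def audit_userpassword(values):
    """Count the schemes used by a set of userPassword values.
    Unprefixed values are reported as 'CLEARTEXT'."""
    counts = {}
    for v in values:
        s = identify_scheme(v) or "CLEARTEXT"
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample values; none were exported from a real directory.
    sample = [
        make_salted_sha("example-pw", "SSHA", salt=b"12345678"),
        make_salted_sha("example-pw", "SSHA512", salt=b"abcdefgh"),
        "{PBKDF2_SHA256}QUJDREVGR0g=",   # constructed, not a real PBKDF2 blob
        "clear-text-value",              # constructed: a value with no scheme
    ]
    print(audit_userpassword(sample))
    print(verify_salted_sha(sample[0], "example-pw"))
    print(verify_salted_sha(sample[0], "wrong-pw"))
```

In practice the values would come from an ldapsearch run by an account the ACIs allow to read userPassword; the audit function then shows at a glance whether any entries still carry a weak or missing scheme.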
