<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/12/2015 08:38 AM, Michael
Lasevich wrote:<br>
</div>
<blockquote
cite="mid:CAAFs98WCjjwowEkAoPVyfKJRnqMG8auz7A_Mc-VD8s_GAfNVBw@mail.gmail.com"
type="cite">
<p dir="ltr">Thank you, this is very helpful. I forgot about
'super admin', which is why I was not even seeing the values
before. :-)</p>
<p dir="ltr">How are the the values encrypted (or hashed?)</p>
<p dir="ltr">It sounds like the password is stored in two fields(I
am leaving samba out for now) - userpassword andkerberos
principle key. Is userpassword a hash? Of so, what kind? </p>
</blockquote>
<br>
Salted SHA 140 by default. You can crank this all the way up to
Salted SHA 512.<br>
<br>
<blockquote
cite="mid:CAAFs98WCjjwowEkAoPVyfKJRnqMG8auz7A_Mc-VD8s_GAfNVBw@mail.gmail.com"
type="cite">
<p dir="ltr">KerberosPrincipleKey you mention is encrypted with
Kerberos master key - is the plaintext of password encrypted or
is it a hash that is encrypted? What encryption and or hashing
used for that?</p>
<p dir="ltr">Thank you,</p>
<p dir="ltr">-M</p>
<div class="gmail_quote">On Feb 12, 2015 5:04 AM, "Simo Sorce"
<<a moz-do-not-send="true" href="mailto:simo@redhat.com">simo@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu,
2015-02-12 at 02:20 -0500, Dmitri Pal wrote:<br>
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:<br>
> > Ok, after a few awkward questions from an auditor,
I am starting to<br>
> > face the uncomfortable truth that my understanding
about how FreeIPA<br>
> > works is a lot fuzzier than I would like.<br>
> ><br>
> > Specifically, the question I could not answer -
where are the<br>
> > passwords stored and how are they encrypted? My
understanding is that<br>
> > all authentication is handled by Kerberos server,
which stores its<br>
> > data in LDAP - but where and how is a bit of a
mystery to me. Any way<br>
> > to dump out the password hashes?<br>
><br>
> Passwords are stored in LDAP in two different attributes
per entry. One<br>
> with LDAP password hash and another is Kerberos password
hash allowing<br>
> authentication either with Kerebros or LDAP. Both follow
best practices<br>
> in terms of using hash algorithms. The attributes
themselves are<br>
> protected by the access control instructions (ACI) so
only a super<br>
> priviledged admin or user himself can interact with this
attribute.<br>
> During normal operations it is not fetched and read. The
core of the DS<br>
> processes it behind the closed doors so it is possible to
reset but not<br>
> to read.<br>
> This is how LDAP works and not different from any modern
directory server.<br>
<br>
Keep in mind that the Kerberos keys are additionally encrypted
with a<br>
master password, so reading the attribute alone is useless.<br>
<br>
Simo.<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true" href="http://freeipa.org"
target="_blank">http://freeipa.org</a> for more info on the
project<br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>