[Freeipa-users] local root can su to any IPA user

[Nordgren, Bryce L -FS]

> Caching credentials is disabled by default[1]. Even when credential caching is
> enabled, the cache is only ever readable by root, the hashes are
> *never* exposed to the system. FYI, the hash is a salted sha512.

Ah. Much better.

> What leads you to believe the cached credentials can be retrieved?

--- RedHat sssd documentation from [2] ---
Using a single user account. Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources simply by authenticating to their local machine and then SSSD maintains their network credentials.
---End RedHat sssd documentation from [2] ---

Presumably VPN does not accept a hash. Even if it does, gaining access to the hash gains you admission to the network as someone else.

[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.