[Freeipa-users] local root can su to any IPA user

Simo Sorce simo at redhat.com
Fri Feb 28 14:56:26 UTC 2014


On Fri, 2014-02-28 at 14:42 +0000, Nordgren, Bryce L -FS wrote:
> > Caching credentials is disabled by default[1]. Even when credential caching is
> > enabled, the cache is only ever readable by root, the hashes are
> > *never* exposed to the system. FYI, the hash is a salted sha512.
> 
> Ah. Much better.
> 
> > What leads you to believe the cached credentials can be retrieved?
> 
> --- RedHat sssd documentation from [2] ---
> Using a single user account. Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources simply by authenticating to their local machine and then SSSD maintains their network credentials.
> ---End RedHat sssd documentation from [2] ---
> 
> Presumably VPN does not accept a hash. Even if it does, gaining access to the hash gains you admission to the network as someone else.
> 
> [2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/SSSD.htm


Offline password caching is also optional and a different method.
In this case the actual password is maintained in the kernel keyring in
locked memory until the machine goes online and can acquire a TGT. On
success it is deleted.

However, it doesn't really matter from an evil-root scenario, because
evil-root will have already snatched the password from the PAM stack at
authentication time.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
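An added example, not part of this thread: a small audit helper that reads an sssd.conf and reports which of the two optional offline-credential mechanisms discussed above are turned on per domain. It assumes the sssd.conf option names cache_credentials (hash cache) and krb5_store_password_if_offline (password kept in the kernel keyring until a TGT is obtained), which the messages describe but do not name; the sample configuration is constructed.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf for illustration; not taken from any real host.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
"""

# Assumed sssd.conf option names (not named in the thread):
#   cache_credentials              -> salted SHA-512 hash kept in the root-only cache
#   krb5_store_password_if_offline -> cleartext password held in the kernel keyring
#                                     until the machine is online and a TGT is acquired
OFFLINE_OPTIONS = ("cache_credentials", "krb5_store_password_if_offline")


def audit_sssd_conf(text: str) -> Dict[str, List[str]]:
    """Return, per [domain/...] section, the offline-credential options that are enabled.

    Both options default to off in sssd, so a missing key is reported as disabled.
    An empty list for a domain means no credential material is retained offline.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        enabled = [
            key for key in OFFLINE_OPTIONS
            if cp.getboolean(section, key, fallback=False)
        ]
        findings[section] = enabled
    return findings


if __name__ == "__main__":
    for domain, enabled in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {'offline caching enabled: ' + ', '.join(enabled) if enabled else 'no offline caching'}")
```

Either option still leaves the material readable only by root, so the script only tells you what a compromised root could reach, not whether root is trustworthy.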
