[Freeipa-users] Where and how are passwords stored?
Martin Kosek
mkosek at redhat.com
Thu Feb 12 08:10:51 UTC 2015
On 02/12/2015 08:20 AM, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
>> Ok, after a few awkward questions from an auditor, I am starting to face the
>> uncomfortable truth that my understanding about how FreeIPA works is a lot
>> fuzzier than I would like.
>>
>> Specifically, the question I could not answer - where are the passwords
>> stored and how are they encrypted? My understanding is that all
>> authentication is handled by Kerberos server, which stores its data in LDAP -
>> but where and how is a bit of a mystery to me. Any way to dump out the
>> password hashes?
>
> Passwords are stored in LDAP in two different attributes per entry. One with
> LDAP password hash and another is Kerberos password hash allowing
> authentication either with Kerberos or LDAP. Both follow best practices in
> terms of using hash algorithms. The attributes themselves are protected by the
> access control instructions (ACI) so only a super privileged admin or user
> himself can interact with this attribute. During normal operations it is not
> fetched and read. The core of the DS processes it behind the closed doors so it
> is possible to reset but not to read.
> This is how LDAP works and not different from any modern directory server.
Right. To prove Dmitri's point, see the 2 LDAP searches for all user attributes
containing key material (samba* are used when trusts are enabled).
First search as FreeIPA admin user:
# ldapsearch -Y GSSAPI -b
'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword
krbprincipalkey sambalmpassword sambantpassword
SASL/GSSAPI authentication started
SASL username: admin at MKOSEK-F21.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#
# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
Second search with Directory Manager (god-like LDAP user):
# ldapsearch -D "cn=Directory Manager" -x -w kokos123 -b
'uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test' uid userpassword
krbprincipalkey sambalmpassword sambantpassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: uid userpassword krbprincipalkey sambalmpassword sambantpassword
#
# admin, users, accounts, mkosek-f21.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-f21,dc=test
uid: admin
userpassword:: e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ=
=
krbprincipalkey:: MIIBnKADAgEBoQMCAQGiAwIBAaMDAgEBpIIBhDCCAYAwaKAbMBmgAwIBBKES
BBA/WWlaNF0nOG80QDFaPWhYoUkwR6ADAgESoUAEPiAAxQsFjSPBOpCollrI8ex+lVnTg8GrZV6nl
baP3pZYoBtGVeQ3cBtYbl3usq9o+RIZfnNX2P8YZNlVmnjXMFigGzAZoAMCAQShEgQQL21HRSB6Pn
ZdQXpeYl5sQqE5MDegAwIBEaEwBC4QANB2xAVgnL2o3n3u+KkFHaEcije2vOdRcGmtZlhdsRHsCbn
y4/tydusWjrRxMGCgGzAZoAMCAQShEgQQUkckOF1SayxramRTWnkwUqFBMD+gAwIBEKE4BDYYAEo3
1vjbSStevF5QcY7WDc1RwFZ6paLp3WTAFATJSej0r+M8fVeNDgKb4CZHRKsNu9cMmdUwWKAbMBmgA
wIBBKESBBBCU1xDYmpxeHs6PGIkPi8voTkwN6ADAgEXoTAELhAATVwH6hkkO45W/Vmj0phXiDQe8j
Eq11TRGiRHsYKUFtp/3lh89/gp5OuhIyo=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' |
base64 --decode
{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==
Martin
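As an added illustration of what the second search returns (my example, not Martin's or FreeIPA's code): the `::` in the LDIF output marks a base64-encoded value, and the decoded `{SSHA}` value is base64(SHA1(password || salt) || salt), which a simple bind checks by rehashing the candidate with the stored salt. The user, password and 8-byte salt below are constructed; the folded line imitates how ldapsearch wraps long values.

```python
import base64
import hashlib
import hmac
DIGEST_LEN = 20  # SHA-1 digest size; whatever follows it in the decoded value is the salt

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space = same attribute) and drop '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def ldif_attrs(text):
    """Map lower-cased attribute names to values; 'name:: value' is base64-encoded."""
    attrs = {}
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        b64 = value.startswith(":")
        value = value.lstrip(":").strip()
        attrs[name.lower()] = base64.b64decode(value).decode("utf-8") if b64 else value
    return attrs

def ssha_hash(password, salt):
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ssha(value):
    """Split a {SSHA} value into (digest, salt); reject other schemes and truncated values."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def verify_ssha(value, password):
    """What a simple bind does: rehash the candidate with the stored salt, compare in constant time."""
    digest, salt = parse_ssha(value)
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())
# Constructed sample (made-up user, password and salt), folded the way ldapsearch prints long values.
SAMPLE_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
_ENC = base64.b64encode(ssha_hash("Secret123", SAMPLE_SALT).encode("ascii")).decode("ascii")
SAMPLE_LDIF = ("dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test\nuid: jdoe\n"
               "userpassword:: " + _ENC[:40] + "\n " + _ENC[40:] + "\n")
```

Run against the `{SSHA}` value Martin decoded above, `parse_ssha` yields a 20-byte digest and an 8-byte salt, which is the layout the DS uses for that scheme.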