[Freeipa-users] Where and how are passwords stored?

[Simo Sorce]

On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> > Ok, after a  few awkward questions from an auditor, I am starting to 
> > face the uncomfortable truth that my understanding about how FreeIPA 
> > works is a lot fuzzier than I would like.
> >
> > Specifically, the question I could not answer - where are the 
> > passwords stored and how are they encrypted? My understanding is that 
> > all authentication is handled by Kerberos server, which stores its 
> > data in LDAP - but where and how is a bit of a mystery to me. Any way 
> > to dump out the password hashes?
> 
> Passwords are stored in LDAP in two different attributes per entry. One 
> with LDAP password hash and another is Kerberos password hash allowing 
> authentication either with Kerebros or LDAP. Both follow best practices 
> in terms of using hash algorithms. The attributes themselves are 
> protected by the access control instructions (ACI) so only a super 
> priviledged admin or user himself can interact with this attribute. 
> During normal operations it is not fetched and read. The core of the DS 
> processes it behind the closed doors so it is possible to reset but not 
> to read.
> This is how LDAP works and not different from any modern directory server.

Keep in mind that the Kerberos keys are additionally encrypted with a
master password, so reading the attribute alone is useless.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York