[Freeipa-users] Where and how are passwords stored?

Rich Megginson rmeggins at redhat.com
Thu Feb 12 15:48:07 UTC 2015


On 02/12/2015 08:38 AM, Michael Lasevich wrote:
>
> Thank you, this is very helpful. I forgot about 'super admin', which 
> is why I was not even seeing the values before. :-)
>
> How are the values encrypted (or hashed?)
>
> It sounds like the password is stored in two fields (I am leaving samba 
> out for now) - userpassword and kerberos principal key. Is userpassword 
> a hash? If so, what kind?
>

Salted SHA 140 by default.  You can crank this all the way up to Salted 
SHA 512.

> KerberosPrincipleKey you mention is encrypted with Kerberos master key 
> - is the plaintext of password encrypted or is it a hash that is 
> encrypted? What encryption and or hashing used for that?
>
> Thank you,
>
> -M
>
> On Feb 12, 2015 5:04 AM, "Simo Sorce" <simo at redhat.com> wrote:
>
>     On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
>     > On 02/12/2015 01:25 AM, Michael Lasevich wrote:
>     > > Ok, after a few awkward questions from an auditor, I am starting to
>     > > face the uncomfortable truth that my understanding about how FreeIPA
>     > > works is a lot fuzzier than I would like.
>     > >
>     > > Specifically, the question I could not answer - where are the
>     > > passwords stored and how are they encrypted? My understanding is that
>     > > all authentication is handled by Kerberos server, which stores its
>     > > data in LDAP - but where and how is a bit of a mystery to me. Any way
>     > > to dump out the password hashes?
>     >
>     > Passwords are stored in LDAP in two different attributes per entry. One
>     > with LDAP password hash and another is Kerberos password hash allowing
>     > authentication either with Kerberos or LDAP. Both follow best practices
>     > in terms of using hash algorithms. The attributes themselves are
>     > protected by the access control instructions (ACI) so only a super
>     > privileged admin or user himself can interact with this attribute.
>     > During normal operations it is not fetched and read. The core of the DS
>     > processes it behind the closed doors so it is possible to reset but not
>     > to read.
>     > This is how LDAP works and not different from any modern directory server.
>
>     Keep in mind that the Kerberos keys are additionally encrypted with a
>     master password, so reading the attribute alone is useless.
>
>     Simo.
>
>     --
>     Simo Sorce * Red Hat, Inc * New York
>
>
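To make the "salted SHA" answer concrete, here is an added example (not code from this thread, FreeIPA or 389-ds) that builds and verifies a userPassword value in the {SSHA} through {SSHA512} layout, where the stored value is base64(digest || salt): the plaintext is never recoverable from the attribute, verification only re-hashes a candidate with the stored salt, and the comparison is constant-time. The 8-byte salt length is an assumption for this example, as is the helper naming.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salted-SHA schemes a directory server can store in userPassword; {SSHA} is
# the default named in the thread, {SSHA512} the strongest.  The value layout
# is "{SCHEME}" + base64(digest || salt), salt appended after the fixed digest.
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA384": hashlib.sha384,
    "SSHA512": hashlib.sha512,
}
SALT_LEN = 8  # assumption for this example; the server chooses its own size

def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value: {SCHEME}base64(H(password || salt) || salt)."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def split_userpassword(stored: str):
    """Split a stored value into (scheme, digest, salt).  The salt is whatever
    follows the fixed-length digest, so no length prefix is needed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(b64)
    dlen = SCHEMES[scheme]().digest_size
    if len(raw) <= dlen:
        raise ValueError("value too short to hold digest and salt")
    return scheme, raw[:dlen], raw[dlen:]

def verify_userpassword(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    scheme, digest, salt = split_userpassword(stored)
    computed = SCHEMES[scheme](candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)
```

Because the salt is random per entry, two users with the same password get different userPassword values, which is what the "salted" part of the answer buys you.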
