Storing only a salted, hashed password for offline creds

Andrew Bartlett abartlet at samba.org
Sun Aug 20 01:57:50 GMT 2006


On Sat, 2006-08-19 at 14:51 -0700, Jeremy Allison wrote:
> On Sun, Aug 20, 2006 at 07:46:47AM +1000, Andrew Bartlett wrote:
> > 
> > That's correct, and an entrypoint I support in the Samba4
> > NTLMSSP/credentials code.
> 
> Likewise in Samba3 now :-).
> 
> > Also, for plaintext:  do you store the plaintext or a hash for the
> > offline credentials?  You should store a salted hash.
> 
> Can't be done that way when using MIT krb5, without
> modification of the internal krb5 libs. So we have to
> store plaintext for this case.

I should have been more clear.  For the *offline* credentials cache
(where we want a user to log in to a disconnected laptop) we
could/should store only a salted hash, much like would be used
in /etc/shadow, as the user must present cleartext to login (which we
can then use for the purposes of this patch and krb5 refresh).

This should prevent an attack in the 'stolen laptop' scenario.

We could use the hash format we use for the LDAP password history, or
perhaps a *variation* on the format used for AES krb5 (but it must be a
variation, to avoid it being a plaintext-equivalent).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
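The verifier described above, as an added example that is not Samba code and not part of this thread: a /etc/shadow-style record for an offline credential cache, built from a random per-record salt and an iterated PBKDF2-HMAC-SHA256 digest, and checked only when the user presents the cleartext. The `$pbkdf2-sha256$rounds$salt$hash` layout, the function names and the round count are assumptions chosen for illustration. The stored record is not a key the network protocol would accept, so a copy taken from a stolen laptop cannot be replayed as if it were the password (the "plaintext-equivalent" problem the message warns about for a verbatim krb5 AES key).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical record layout, modelled on the $id$rounds$salt$hash fields of /etc/shadow.
ALGO = "pbkdf2-sha256"
DEFAULT_ROUNDS = 200_000   # assumption: tune to the slowest acceptable login delay
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def make_record(password: str, rounds: int = DEFAULT_ROUNDS,
                salt: Optional[bytes] = None) -> str:
    """Return a verifier string to store in the offline credential cache.

    The salt is random per record, so two accounts (or one account after a
    password change) with the same password yield different records and a
    table precomputed against one record is useless against another.  Only
    the verifier is stored; the cleartext is never written to disk.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${ALGO}${rounds}${_b64(salt)}${_b64(digest)}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (rounds, salt, digest); reject unknown algorithms."""
    _, algo, rounds, salt, digest = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported verifier algorithm: {algo}")
    return int(rounds), _unb64(salt), _unb64(digest)


def verify(password: str, record: str) -> bool:
    """Check a cleartext password presented at disconnected login against the record.

    The stored digest is never sent anywhere and cannot be used in place of the
    password: the user must supply the cleartext, which is then also available
    for refreshing krb5 credentials once the machine is back on the network.
    """
    rounds, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: cache a record for a laptop user, then check two logins.
    cached = make_record("correct horse battery staple")
    print(cached)
    print("good password accepted:", verify("correct horse battery staple", cached))
    print("wrong password accepted:", verify("Correct horse battery staple", cached))
```

The `verify` step is the only consumer of the record, so the cache never needs to reverse it; raising `DEFAULT_ROUNDS` later only requires re-hashing on the next successful online login, since the round count travels inside each record.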